Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls
Craig S. Wright and Tanveer A. Zia
School of Computing and Mathematics
Charles Sturt University, NSW 2678
cwrigh20@postoffice.csu.edu.au, tzia@csu.edu.au
Abstract. As with all other aspects of business and the economy, information security is an economic function. Security can be modelled as a maintenance or insurance cost, but only as a relative function, never in absolute terms. As such, security is a cost function that prevents loss; it cannot by itself create gains (or profit). Unlike a capital investment, whose role is to provide a return, security is a defence against unforeseen losses that consume capital and reduce profitability. In this paper we assess the individual security cost and model that assessment in economic terms. Such an assessment is vital in determining the cost benefit of applying costly security controls in our systems in general and in software in particular.
Keywords: Software Development Life Cycle, Model Checking, Software Verification, Empirical studies.
1 Introduction
Absolute security does not exist, nor can it be achieved. The statement that a computer is either secure or not is logically falsifiable [6]: all systems exhibit some level of insecurity, and an attacker with sufficient resources can always bypass controls. The goal is therefore to ensure that the economic constraints placed upon the attacker exceed the benefits the attacker perceives [15]. This yields a measure of relative system security in place of the unachievable paradigm of absolute security, a paradigm that necessarily results in a misallocation of resources.
The result is that security is a relative risk measure, related to organisational economics at the micro level and to the economics of national security at the macro level. Consequently, security is measured in terms of one's neighbour. The question is not “am I secure?” but rather “am I more secure than my neighbour?” Who counts as a neighbour depends on the attacker: from the perspective of a worm, any other system on the Internet is your neighbour, whereas targeted attacks have a purpose, and the neighbours may be other government systems, critical infrastructure, or a class of companies or an industry sector. In each instance, security is achieved in relative terms.
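The two criteria in the introduction (a control is only rational when the loss it avoids exceeds its cost, and the attacker's economic constraints should exceed the attacker's perceived benefit, judged relative to one's neighbours) can be made concrete in a small model. The following Python sketch is an added illustration by the editor, not the authors' model or any code from the paper; the control names, cost figures, loss-reduction fractions and neighbour estimates are all constructed assumptions chosen to show how the comparison works.

```python
# Added example (editor's illustration, not the authors' model): a toy
# economic comparison of candidate security controls. All names, formulas
# and figures below are constructed assumptions chosen to show the paper's
# two criteria: (1) a control is rational only when the loss it avoids
# exceeds its cost, and (2) the attacker's cost to succeed should exceed
# the benefit the attacker perceives, measured relative to one's neighbours.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # what the defender pays each year to run it
    attacker_cost_added: float  # extra effort/cost it imposes on an attacker
    loss_reduction: float       # fraction of expected annual loss it prevents


def expected_annual_loss(asset_value: float, incident_probability: float) -> float:
    """Annualised loss expectancy: value at risk times yearly incident probability."""
    return asset_value * incident_probability


def net_benefit(control: Control, ale: float) -> float:
    """Avoided loss minus the cost of the control; a negative value means the
    insecure alternative (not deploying it) is the rational choice."""
    return control.loss_reduction * ale - control.annual_cost


def rational_controls(controls, ale: float):
    """Controls whose avoided loss exceeds their cost, best value first."""
    worthwhile = [c for c in controls if net_benefit(c, ale) > 0]
    return sorted(worthwhile, key=lambda c: net_benefit(c, ale), reverse=True)


def attacker_cost(controls, attacker_base_cost: float) -> float:
    """Total economic constraint an attacker faces against this defender."""
    return attacker_base_cost + sum(c.attacker_cost_added for c in controls)


def attacker_deterred(controls, attacker_base_cost: float, attacker_benefit: float) -> bool:
    """The paper's criterion: constraints on the attacker exceed the perceived benefit."""
    return attacker_cost(controls, attacker_base_cost) > attacker_benefit


def weakest_neighbour(attack_costs: dict) -> str:
    """Relative security: the neighbour an opportunistic attacker reaches cheapest."""
    return min(attack_costs, key=attack_costs.get)


# Constructed sample figures (assumptions, not data from the paper).
ASSET_VALUE = 1_000_000.0
INCIDENT_PROBABILITY = 0.05
ALE = expected_annual_loss(ASSET_VALUE, INCIDENT_PROBABILITY)  # 50,000 per year

CONTROLS = [
    Control("patch management", annual_cost=10_000, attacker_cost_added=20_000, loss_reduction=0.4),
    Control("web app firewall", annual_cost=15_000, attacker_cost_added=5_000, loss_reduction=0.2),
    Control("multi-factor auth", annual_cost=5_000, attacker_cost_added=30_000, loss_reduction=0.3),
]
ATTACKER_BASE_COST = 5_000.0

# Constructed attacker-cost estimates for comparable organisations (neighbours).
NEIGHBOUR_ATTACK_COSTS = {
    "neighbour A": 40_000.0,
    "neighbour B": 70_000.0,
}


def own_attack_cost() -> float:
    """Attacker cost once only the controls that pay for themselves are deployed."""
    return attacker_cost(rational_controls(CONTROLS, ALE), ATTACKER_BASE_COST)


def more_secure_than_weakest_neighbour() -> bool:
    """Answers the paper's question: am I more secure than my neighbour?"""
    cheapest = weakest_neighbour(NEIGHBOUR_ATTACK_COSTS)
    return own_attack_cost() > NEIGHBOUR_ATTACK_COSTS[cheapest]


if __name__ == "__main__":
    deployed = rational_controls(CONTROLS, ALE)
    for c in CONTROLS:
        print(f"{c.name:18s} net benefit {net_benefit(c, ALE):>9,.0f}")
    print("deploy:", [c.name for c in deployed])
    print("attacker cost after deployment:", own_attack_cost())
    print("deterred if attacker benefit is 50,000:",
          attacker_deterred(deployed, ATTACKER_BASE_COST, 50_000))
    print("weakest neighbour:", weakest_neighbour(NEIGHBOUR_ATTACK_COSTS))
```

With these figures the web application firewall has a negative net benefit, so leaving it out is the rational (if insecure) choice, which is the paper's point in its title; the remaining two controls push the attacker's cost to 55,000, enough to deter an attacker who values success at 50,000 but not one who values it at 60,000, and enough to be "more secure than" the weakest neighbour in the constructed set.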
The rest of the paper is organised as follows: in Section 2 we assess individual security costs. We then provide analysis and discussion of security assessment in terms of its economic value in Section 3. Finally, the paper is concluded in Section 4.