Bruce Schneier
Point

Regulation is about economics. Here's the theory: In a capitalist system, companies make decisions based on self-interest. This is good; we don't want companies acting as public charities, we want them acting as for-profit entities. But, there are effects of company decisions not borne by companies—these are "externalities."
Companies don't always take externalities into account because, well, they're someone else's problem. If we want externalities to factor into company decisions, we have to make externalities internal. Then, the natural engine of capitalism will take over.
An easy example: A company pollutes a river, and people downstream die. No one in the company lives downstream, no customer lives downstream, so the company doesn't care. It's a classic externality. If society wants the company not to pollute the river, it has to remove the externality. Liabilities (allowing the people who live downstream to sue) and regulations (making it illegal to pollute the river) do that. A rational company will spend more money so as not to pollute the river.
What does this have to do with computer security? Everything.
If ChoicePoint has lousy security and someone steals our identity information, we are harmed. But to ChoicePoint, it's an externality. ChoicePoint isn't a charity, and it's not going to improve security out of the goodness of its heart. If we want ChoicePoint to protect
At least that's the idea behind regulation. Unfortunately, the devil is in the details.
Take disclosure laws: On the face of them, they're smart. By forcing companies to make data breaches public, we're raising the cost of breaches. Unfortunately, that cost was in public shaming, especially in the press. But as more companies lose data, the press becomes less interested and public shaming diminishes. Good idea, but temporary.
Or, take Sarbanes-Oxley: I'm not sure how it pertains to computer security. But, everyone seems to think it does, and companies have poured money into computer security—the cost is still cheaper than the potential liability. Some money has gone into computer security, but most has gone to large auditing firms that produce reports that are only useful to defend against liability claims. Good idea, but expensive for what you get.
A much better example is the credit card law that limits personal liability for fraud to $50. Before the law, credit card losses were an externality to credit card companies, so they didn't do all that much to improve security. After the law, we got online verification terminals, systems for card activation and data-mining systems to detect fraudulent spending patterns.
So what are the characteristics of good regulations?
- They're targeted at a specific externality.
- The penalties are large enough to make the alternative more attractive.
- They put the entity able to fix a security problem in charge of the problem.
This was first published in November 2006