In the last eight years or so, I’ve probably been to more than 100 security conferences, workshops, trade shows and seminars, and I’m hard-pressed to come up with one that’s been more informative or entertaining than the Workshop on Economics in Information Security that’s taking place at Dartmouth College this week. As you might expect, the workshop is focused heavily on economic issues that influence information security and is light on technology talk. The thing that struck me most about the sessions today is the number of people who are doing serious work on this topic. Security has historically been one of the last refuges of the hard-core techie, but some of the brightest minds in the industry are now focusing their energies on thinking about the ways in which security, economics and other disciplines intersect. A quick look around the audience found Ross Anderson of the University of Cambridge, Bruce Schneier, Stuart Schechter of Harvard University and Phil Venables of Goldman Sachs.
I had the privilege this morning of speaking on a panel, with my friends Ryan Naraine and Scott Berinato, as well as Byron Acohido of USA Today and Brian Grow of BusinessWeek, about the media’s role in communicating security information to the public. The session produced a number of really interesting discussions. One attendee asked how difficult it is for journalists to get information about attacks and defenses from the government agencies and enterprises that have been affected. The short answer is: virtually impossible. I’ve had some success with this over the years, as have the other panelists, but the truth is that the public at large, as well as security professionals, are being poorly served by the severe lack of objective data on attacks, breaches and cybercrime. (More on that later.)
Ross Anderson brought up another important topic, which many reporters struggle with on a daily basis: how to walk the line between responsible reporting of attacks and vulnerabilities, and pure fear-mongering. It’s not an easy task, I’ll say that, but if you go too far down the scare-tactic road, people tune out pretty quickly, and that’s counterproductive for everyone. The reality is that many of the things we write about and you deal with every day ARE scary, and people should be afraid of them. Some level of fear is healthy in this business, but we are all better off without the gratuitous bogeyman-in-the-server stories that serve no purpose other than to turn off smart readers.
Bruce Schneier also raised a good question regarding the value of stories about attack and defense tactics versus those about the reasons those attacks are successful and the societal and organizational failures that lead to them. A lot of the value depends on the audience. Byron and Brian both made the point that their audiences are less interested in the deep technical aspects of security than the SearchSecurity or ZDNet audiences are, which is an important point. But while the technical details will always have a place in the stories we write here, the psychological, organizational and economic aspects of why security succeeds or fails should have a seat at the table as well.