Keynote: Ross Anderson
You have stated that economics and psychology matter in information security today, as much as or maybe even more than technology. Can you tell us about the work that led you to this conclusion?
The “spark” moment for security economics was in May 2001 when I was attending the Oakland conference – IEEE Security and Privacy – near San Francisco. I’d visited Hal Varian, an economics professor at Berkeley, and he drove me back to the conference hotel. En route it became more and more clear that economists and security engineers should be talking to each other. As I recall, he was worrying about why one of his clients, an anti-virus company, wasn’t selling as much software as it should, while I was worrying about why US banks spent less on security and fraud than UK banks despite having an easier ride on liability.
Things just clicked and we spent half an hour or so sitting in his car at the hotel parking lot, swapping ideas. I put a number of those ideas into the first edition of my book “Security Engineering” which came out later that year, and collected them into the paper “Why Information Security is Hard – An Economic Perspective” which got the field going. I also decided to spend a chunk of sabbatical time in 2002 at Berkeley, when we held the first WEIS (Workshop on the Economics of Information Security). The emergence of security psychology as another big research field has been more diffuse and drawn-out. The seminal paper was another Berkeley spark: Alma Whitten and Doug Tygar’s “Why Johnny Can’t Encrypt”, which alerted us to the fact that most security mechanisms are unusable.
My own early contribution was “The Memorability and Security of Passwords”, which I wrote with Jeff Yan, Alan Blackwell and Alan Grant, and which tried to introduce proper applied-psychology methodology. Recently we’ve realised that it’s a lot broader than just usability: security and psychology touch in many areas from deception (which accounts for an ever-growing proportion of online fraud) to the misperception of risk (which underlies the problem of terrorism). I do believe that, just as economics has been an extremely fruitful area of research over the last eight years, so security psychology will pay big dividends over the next research cycle.
Can you mention an example of a security breach that is NOT about technology?
There is the case of one “Officer Scott” that I describe in my book. During the period 1995–2005, a hoaxer calling himself “Officer Scott” ordered managers of several US stores and restaurants (including at least 17 McDonald’s stores) to detain some young employee on suspicion of theft and strip-search her or him. A former prison guard was tried for impersonating a police officer but acquitted. At least 13 managers who obeyed the caller and did searches were charged with crimes, and seven were convicted. McDonald’s got sued for not training its store managers properly, even years after the pattern of hoax calls was established.
Name the biggest challenges that security practitioners face today.
The big problem for practitioners is keeping up with research, and the big problem for researchers is communicating with the 100,000 or so people who actually do information security in firms of all sizes round the world.
From most computer users’ perspective, the top security issue would probably be picking and remembering passwords. What would you say is a sound password policy for an individual?
See our paper “The Memorability and Security of Passwords”. Mnemonics are best, and they’re what I use.
What are your opinions on tools like OAuth and OpenID?
Look at the incentives. OpenID may have the technology right, but the incentives are wrong and so it doesn’t get used. At the other end of the scale, Verified by Visa has the technology completely wrong – but the incentives favour adoption, as banks and merchants that adopt it can push some of the liability for fraud off on to its customers. As a result, Verified by Visa has 250 million accounts.
As a researcher, are you focused on finding new weaknesses or strengthening defenses?
No, on understanding what’s wrong. Often what’s wrong is not just a technical matter of attack or defence – it’s some key factor that stops stuff being done. This can be about technology – but at least as often it’s about economics, psychology or even politics. Once we know what’s wrong with the world, we can take a view of what failures we might sensibly try to fix, and where we’re likely to be wasting our time.