Skip to main content

Toward a Safer and More Secure Cyberspace (2007) / Chapter Skim
Currently Skimming:

6 Category 3 - Promoting Deployment
Pages 124-168

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.


From page 124...
... 6.1 USABLE SECURITY It is axiomatic that security functionality that is turned off or disabled or bypassed or not deployed by users serves no protective function. The same is true for security practices or procedures that are promulgated but not followed in practice.
Read the entire page →
From page 125...
... One element of usable security is better education. That is, administrators and developers -- and even end users -- would benefit from greater attention to security in their information technology (IT)
Read the entire page →
From page 126...
... ing and background in this subfield. For example, security understandings are often based on physical-world metaphors, such as locking doors and obscuring sensitive information.
Read the entire page →
From page 127...
... It would be much more preferable to have mechanisms in place that aggregate and automatically perform low-level security actions under an abstraction that allows each user to designate another person as a collaborator on a given project and have the system select the relevant files to make available to that person and to no others. Usable security would thus reduce the cognitive load needed by an authorized user to navigate security and the "hassle factor," thus increasing the likelihood that users would refrain from simply bypassing security measures or would never implement them in the first place.
Read the entire page →
From page 128...
... Many computer security problems result from a mismatch between a security policy and the way that the policy is or is not implemented, and system administrators would benefit greatly from automated tools that would indicate how their systems are actually configured and whether an actual configuration is consistent with their security policy. For example, administrators need to be able to set appropriate levels of privilege for different users, but they also need to be able to generate lists of all users with a given level of privilege.
Read the entire page →
From page 129...
... Researchers have found that the development of usable security requires deep insight into the human-interaction dimensions of the application for which security is being developed and of the alignment of technical protocols for security and of the social/organizational protocols that surround such security. Only with such insight is it possible to design and develop security functionality that does not interfere with what legitimate workers must do in the ordinary course of their regular work.
Read the entire page →
From page 130...
... In an organization, senior management determines security policy and establishes the nature and scope of its security concerns. But management also shapes a much larger social context that includes matters such as expectations for cooperative work, the nature of relationships between subordinates and superiors, and relationships between support and business units.
Read the entire page →
From page 131...
... Thus, because there is often conflict, or at least tension, between security and getting work done, workers must make judgments about what risks are worth taking in order to get their work done and how to bypass security measures if that is necessary in order to do so. It is against this backdrop that the technology infrastructure must be assessed.
Read the entire page →
From page 132...
... From a security perspective, the advantage of the large-process structure is that the security features of the system are easier to understand, analyze, and verify. Because hardware resources are increasingly inexpensive, efficient use of hardware is no longer as important as it once was.
Read the entire page →
From page 133...
... In the absence of good cybersecurity metrics, it is largely impossible to quantify cost-benefit trade-offs in implementing security features. Even worse, it is very difficult if not impossible to determine if System A is more secure than System B
Read the entire page →
From page 134...
... . Outside the absolutist model, security is inherently a synthetic property -- it no longer reflects some innate quality of the system, but rather how well a given system with a given set of security policies (Section 6.5)
Read the entire page →
From page 135...
... The first category is operational metrics. This approach, typified by the Security metrics Guide for Information Technology Systems from the National Institute of Standards and Technology,4 focuses on measurements of the behavior of an IT organization.
Read the entire page →
From page 136...
... . Operational metrics can be valuable for tracking overall compliance with a security policy and trends in well-established problem classes, but they seem unlikely to be useful in providing finergranularity insight about software security.
Read the entire page →
From page 137...
... .6 In this example, a larger fraction is better, subject to the same qualifiers. (Note that any metric involving the tracking of vulner abilities over time requires a list of standardized names for vul nerabilities and other information security exposures.
Read the entire page →
From page 138...
... This is a challenging task, but currently the only data available are anecdotal, making the decision to invest difficult to evaluate and compare with other security/nonsecurity invest ment options. Software vulnerabilities are widely reported on public mailing lists and archived in both public and private databases (the National Vulnerability Database is one such well-known collection)
Read the entire page →
From page 139...
... first used attack data to infer the rate at R which administrators patched systems that were vulnerable to the Code Red v2 worm.13 Rescorla used a more sophisticated version 10 E.Rescorla, "Is Finding Security Holes a Good Idea? ," presentation at the Workshop on Economics and Information Security 2004, May 2004; available at http://www.dtc.umn.
Read the entire page →
From page 140...
... ," presentation at the Workshop on Economics and Information Security 2004, May 2004; available at http://www.dtc.umn. edu/weis2004/rescorla.pdf.
Read the entire page →
From page 141...
... Attack surface measures potential rather than actual aggregate vulnerability. The presumption, supported in part with post hoc data, is that smaller attack surfaces are likely to host fewer exploitable vulnerabilities and will be easier to secure.
Read the entire page →
From page 142...
... 23 Ross Anderson, "Why Information Security Is Hard -- An Economic Perspective," Pro ceedings of the th Annual Computer Security Applications Conference, IEEE Computer Society, New Orleans, La., 2001, pp.
Read the entire page →
From page 143...
... 27 24 Ross Anderson, "Why Information Security Is Hard -- An Economic Perspective," Pro ceedings of the th Annual Computer Security Applications Conference, IEEE Computer Society, New Orleans, La., 2001, pp.
Read the entire page →
From page 144...
... In other words, in practice, 28 See, for instance, Hal Varian, "Managing Online Security Risks," Economic Science Col umn, new york Times, June 1, 2000; Alfredo Garcia and Barry Horowitz, "The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy," Journal of Regulatory economics, 31(1) : 37-55, February 2007, available at http://ssrn.com/abstract=889071; Tyler Moore, "The Economics of Digital Forensics," presented at the Fifth Annual Workshop on the Economics and Information Security, June 26-28, 2006, Cambridge, England; Ross Anderson and Tyler Moore, "The Economics of Information Security," Science, 314(5799)
Read the entire page →
From page 145...
... They are driven by important features of the information technology market: the number of other people using a product, the high fixed costs and low marginal costs, and the cost to customers of switching to another product (i.e., lock-in) .31 30 Tyler Moore, "The Economics of Digital Forensics," Fifth Annual Workshop on the Economics of Information Security, University of Cambridge, England, June 26-28, 2006.
Read the entire page →
From page 146...
... Akerlof, "The Market for ‘Lemons': Quality, Uncertainty and the Market Mechanism," Quarterly Journal of economics, 84: 488-500, 1970. 35 Ross Anderson, "Why Information Security Is Hard -- An Economic Perspective," Pro ceedings of the th Annual Computer Security Applications Conference, IEEE Computer Society, 2001, pp.
Read the entire page →
From page 147...
... 39 Ross Anderson, "Why Information Security Is Hard -- An Economic Perspective," Pro ceedings of the th Annual Computer Security Applications Conference, IEEE Computer Society, 2001, pp.
Read the entire page →
From page 148...
... Gordon and Martin P Loeb, "Budgeting Process for Information Security Expenditures," Communications of the ACm, 49(1, January)
Read the entire page →
From page 149...
... argue that, absent appropriate economic incentives, it is in a firm's self-interest to renege on previously agreed-on arrangements to share cybersecurityrelated information, even though information sharing among a group of firms lowers the cost of each firm's attaining any given level of information security and thus yields potential benefits both for individual firms and for society at large.46 Thus, one research question suggested by the above discussion is the development of incentives that would promote greater information sharing. Possible incentives that warrant research include providing public subsidies to information-sharing firms that vary according to the level of information sharing that takes place; government-subsidized insurance; and other forms of government regulation.
Read the entire page →
From page 150...
... Thus, an important research area is to find an approach 47 Huaqiang Wei, Deb Frinke, Olivia Carter, and Chris Ritter, "Cost-Benefit Analysis for Network Intrusion Detection Systems," CSI 28th Annual Computer Security Conference, October 29-31, 2001, Washington, D.C.; available at www.csds.uidaho.edu/deb/costbenefit.
Read the entire page →
From page 151...
... Applying the availability heuristic to cybersecurity would suggest that if users cannot see a direct and significant impact on themselves from a cybersecurity problem, their awareness and concern about cybersecurity will be relatively low. The converse would also be true: in the aftermath of a "digital Pearl Harbor," public attention to cybersecurity would rise dramatically.
Read the entire page →
From page 152...
... Loeb, and W Lucyshyn, "Information Security Expenditures and Real Options: A Wait-and-See Approach," Computer Security Journal, 19(2)
Read the entire page →
From page 153...
... In the cybersecurity domain, for example, efforts to develop and promote usable security (Section 6.1) can be fairly regarded as efforts both to avoid lower costs (with security measures many of the benefts will come in the form of cost avoidance)
Read the entire page →
From page 154...
... The reason is that current cybersecurity efforts respond to the current perception of risk, which is driven by the most visible threats of today. History and intelligence information suggest that vastly more sophisticated threats against a wider variety of targets are likely to be in the offing, but that these threats will present little overt evidence to motivate further defensive action on the part of most private organizations and individuals.
Read the entire page →
From page 155...
... : 726-740, 2005; Ross Anderson and Tyler Moore, "The Economics of Information Security," Science 314(5799)
Read the entire page →
From page 156...
...  TowARd A SAFeR And moRe SeCuRe CyBeRSPACe BOX 6.2 Bug Bounties and Whistle-Blowers The bug bounty -- paying for information about systems problems -- stands in marked contrast to the more common practice of discouraging or dissuading whistle-blowers (defined in this context as one who launches an attack without malicious intent) , especially those from outside the organization that would be responsible for fixing those problems.
Read the entire page →
From page 157...
...  CATeGoRy  -- PRomoTInG dePLoymenT ing court, but Morris's sentence did not reflect the maximum penalty that he could have received. Those who put on public demonstrations of system vulnerabilities have often said that they did so only after they informed responsible management of their findings and management failed to take remedial action on a sufficiently rapid timescale.
Read the entire page →
From page 158...
... Majuca, and William J Yurcik, "The Economic Case for Cyberinsurance," workshop on the economics of Information Security, Cambridge, Mass., 2005;
Read the entire page →
From page 159...
... William Yurcik and David Doss, "Cyberinsurance: A Market Solution to the Internet Security Market Failure," workshop on economics and Information Security, Berkeley, Calif., 2002. 62 Kenneth Cukier, "Ensuring (and Insuring?
Read the entire page →
From page 160...
... ISO/IEC 17799:2005 contains best practices of control objectives and controls in certain areas of information security management, including security policy; organization of information security; information systems acquisition, development, and maintenance; and information security incident management. Although ISO/IEC
Read the entire page →
From page 161...
... Thus, the federal government itself might seek to improve its own cybersecurity practices and offer itself as an example for the rest of the nation. • ax policy.
Read the entire page →
From page 162...
... For example, in an attempt to increase security for customers, the Federal Financial Institutions Examination Council (FFIEC) has directed covered financial institutions to implement two-factor authentication for customers using online banking.67 Another 67 Two-factor authentication refers to the use of two independent factors to authenticate one's identity.
Read the entire page →
From page 163...
... There is wide variation in the technical and financial ability of firms to support security measures. In addition, certain regulatory mechanisms have been used for publicly traded companies to ensure that important information is flowing to investors and that these companies follow certain accounting practices in their finances.
Read the entire page →
From page 164...
... 745) had a positive impact on the voluntary disclosure of information security activities by corporations, a finding providing strong indirect evidence that the passage of this act has led to an increase in the focus of corporations on information security activities.69 But such regulatory-driven focus is not without cost and may have unintended consequences, including decreased competition, distortions in cybersecurity investments and internal controls, and lost productivity from increased risk aversion.70 Thus, research is needed to better understand the trade-offs involved in implementing informationdisclosure regulations.
Read the entire page →
From page 165...
... Updating the Common Criteria or the Federal Information Security Management Act (FISMA) to include these mandated elements would enable the injection of the new ideas into the marketplace, and their demonstrated value and utility may persuade others not subject to regulation or liability to adopt them anyway.
Read the entire page →
From page 166...
... Guel, "A Short Primer for Developing Security Policies," SANS Institute, 2002; available at http://www.sans.org/resources/policies/Policy_Primer.pdf. 72 More perspective on developing security policies can be found in Matt Bishop, "What Is Computer Security?
Read the entire page →
From page 167...
... Spafford, "PFIRES: A Policy Framework for Information Security," Communications of the ACm, 46(7)
Read the entire page →
From page 168...
... Other major open issues and research areas include the enforcement of security policies (as discussed in Section 6.1) and the determination of how effective a given security policy is in regulating desirable and undesirable behavior.
Read the entire page →

Key Terms

  • information security
  • computer security
  • ross anderson
  • usable security
  • annual computer

  • security applications
  • security policies
  • ieee computer
  • computer society
  • technology vendors

  • applications conference
  • tyler moore
  • security policy
  • information sharing
  • intrusion detection

  • law enforcement
  • york times
  • false positives
  • security requires
  • online security

  • security measures
  • security features
  • security technologies
  • critical information
  • cybersecurity metrics

  • economic science
  • economic incentives
  • cybersecurity measures
  • attack surface
  • attack surfaces


    • This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
    More information on Chapter Skim is available.