Why Information Security is Hard – An Economic Perspective

Ross Anderson
University of Cambridge Computer Laboratory
Ross.Anderson@cl.cam.ac.uk

30th January 2001

1 Executive Summary

According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved.

In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many, if not most, of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.

2 Introduction

In a 1993 survey of fraud against automatic teller machines (ATMs) [2], it was found that patterns of fraud depended on who was liable for them. In the USA, if a customer disputed an ATM transaction, the onus was on the bank to prove that the customer was mistaken or lying; this gave US banks a motive to protect their systems properly. But in Britain, Norway and the Netherlands, the burden of proof lay on the customer: the bank was right unless the customer could prove it wrong. Since this was almost impossible, the banks in these countries became careless. Eventually, an epidemic of ATM fraud demolished their complacency. US banks, meanwhile, suffered much less fraud; although they actually spent less money on security than their European counterparts, they spent it more effectively.

There are many other examples. Medical payment systems that are paid for by insurers rather than by healthcare providers fail to protect patient privacy whenever this conflicts with the insurer's wish to collect information about its clients. Digital signature laws transfer the risk of forged signatures from the bank that relies on the signature (and that built the system) to the person alleged to have made the signature. Common Criteria evaluations are not made by the