Managing Online Security Risks

New York Times; New York, N.Y.; Jun 1, 2000; Hal R. Varian

THE Internet has sometimes been described as a "lab experiment that got loose." It was developed in a sheltered environment of network researchers who knew and trusted each other. But after it escaped from the laboratory in 1995, it found itself in a hostile environment full of unsavory characters.

Recent security incidents like the "I love you" virus and the attacks on major Web sites a few months ago have shown how vulnerable the Internet really is.

Modern cryptography is often hailed as the magic elixir that will make cyberspace safe for commerce. But it will only work if people use cryptographic security features effectively.

Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast, the soft issues revolving around the use of computers by ordinary people and the creation of incentives to avoid fraud and abuse have been relatively neglected. That needs to be rectified.

Automated teller machines are a good example. A lot of thought went into the security design of these systems and relatively sophisticated encryption techniques were used to guard against attacks. How effective were these designs?

Several years ago, Ross Anderson, a security researcher at Cambridge University, examined a number of cases of fraud at automated teller machines in Britain and concluded that almost all of the incidents involved human error. The encryption technology was fine; the security problems occurred because the systems were misinstalled, misconfigured and mismanaged by the local banks. The paper, "Why Cryptosystems Fail," can be found at .

Why were the local banks so sloppy? The answer lies in the way liability is assigned in Britain. In the United States, if there is a dispute between a customer and a bank, the customer is right unless the bank can show that he is wrong. In Britain, the burden of proof is reversed; the bank is right unless the customer can show it is wrong. Since it is almost impossible for a customer to prove the bank made a mistake, British banks had little incentive to take care. The resulting sloppiness led to a rash of A.T.M. fraud.

In the United States, banks have an incentive to invest in risk management techniques. Banks in areas prone to A.T.M. fraud, for example, have installed cameras and trained their staff in security practices. So, even though American banks spend less on security than do British banks, Mr. Anderson concluded, they deal with it more effectively.

This example illustrates one of the fundamental principles of the economic analysis of liability: it should be assigned to the party that can do the best job of managing risk. For most risks associated with A.T.M.'s, the banks are in a better position to manage risks than are the users, so they should end up with most of the liability. But you wouldn't want the users to escape all liability for their actions, since they would then tend to be too sloppy. The right balance should depend on the influence that each party has over the possible risk factors.

Which brings us back to computer attacks. One reason that computer security is so poor in practice is that the liability is so diffuse. Consider the attacks that took place a few months ago, in which computer vandals took over computers on relatively unprotected university networks and used them to shut down Yahoo and other major Web sites. Although the universities found the takeover of their machines a nuisance, they didn't bear the bulk of the costs of the attack on Yahoo. But if universities bore some liability for the damages to third parties, they would have a stronger incentive to make their networks more secure.

The same problem arises with providing high-speed broadband service to the home. These networks are, by default, always connected to the Internet, leaving them susceptible to being used to mount an attack in cyberspace. If a particular user's computer is taken over, should he have liability for the cost of the attack on someone else? The average user is essentially clueless about how to prevent his computer from being taken over, so assigning liability to him would be pointless. Assigning liability to the network operator would make more sense.

A typical security analysis involves identifying weak points in a system and indicating who might be in a position to fix them. But security analysts should go one step further and examine the incentives of those responsible for the system. Such an analysis could be used to assign liability so that those who are best positioned to control the risks have appropriate incentives to do so.

Once the liability assignment is straightened out, the parties stuck with the liability will no doubt want to buy insurance. At first glance, it appears that this is counterproductive: if you are perfectly insured against liability, why should you invest in risk management? But this ignores the incentives of the insurers: they only want to insure clients who use good security practices, giving them every incentive to instruct their clients in how to improve their Internet security.

Just as an insurer of an office building will give you a reduced rate if you have sprinklers every 12 feet, an insurer against computer crime will give you a reduced rate if you install security patches within two weeks of their posting, provide continuing education for security staff and engage in other good risk management practices.

This is how it should work, but we are not there yet. Most insurance companies have very little experience with computer security, and being unable to judge the risks, they offer little in the way of protection. As their experience increases, they will be better placed to offer advice to their clients. And when insurance companies do start insuring against computer attacks, the companies will have a great incentive to do it right: if they give bad advice, they will have to pay the resulting insurance claims.

So, what should be done about computer crimes? The first step is to assign legal liability to the parties best able to manage the risk. Insurers can then develop expertise in risk management for computer security and provide such services to their clients. Unfortunately, this will be a long and slow process. In the meantime, we can expect to see many more disruptions on the Internet.