The Copenhagen Consensus on Climate and information security
Free WiFi access in shopping malls is a great thing – it lets you watch TED talks as an easy way to kill time. I recently did this and watched Bjorn Lomborg's talk about the Copenhagen Consensus on Climate. The application of this idea to information security seemed too obvious not to comment on.
The Copenhagen Consensus on Climate applies the principles of economics to climate change. It assumes that climate change is real and that it's going to cause lots of problems. And because there simply aren't enough resources to address all of those problems, it tries to prioritize how the available resources should be allocated.
And from there, the application to information security should be obvious.
Information security also deals with a serious problem. If you believe the numbers that are often mentioned, hacking costs the world a trillion dollars or so every year. That number is clearly very wrong, but even if it's not a trillion-dollar problem, it's definitely a big one.
And it's one for which there are lots of possible solutions, some of which make sense from an economic point of view and some don't. Kevin Soo Hoo looked at this problem in his dissertation (PDF) back in 2000, and had some interesting conclusions, but I don't recall seeing anyone else taking this idea seriously.
If you're a fan of TV shows like Rubicon, you might be inclined to suspect a vast globe-spanning conspiracy to keep Soo Hoo's work obscure. There's almost certainly no such conspiracy in this case. But it's also true that Soo Hoo's analysis suggested that some wildly-popular security technologies don't pass a careful cost-benefit analysis test, so there's definitely lots of money at stake when we start looking at things from this point of view.
Soo Hoo's work is now over a decade old. Things have changed quite a bit since he did his research, but it's probably still true that some security technologies are worth their cost and some aren't.
Soo Hoo's original work suggested that the business case for encryption was strong and I'd guess that it's still strong. Perhaps even stronger than it was back in 2000. That's when the big three drivers toward data-centric security architectures (mobile devices, cloud computing and offshoring) weren't as important as they are today.
There are also probably technologies that aren't worth what they cost, but to minimize the chances of an unfortunate CalTrain accident the next time I have to go to San Francisco (a feeble attempt to make a reference to the story arc of Rubicon), I won't say what I expect them to be.
And just as I found the recommendations of the Expert Panel of the Copenhagen Consensus on Climate to be interesting, I'd find a similar set of expert-consensus-based recommendations on information security to be interesting. Or if that's not likely to happen, the next best thing would be to update Soo Hoo's model to reflect contemporary realities. Either one would probably provide some very useful insights into how best to deal with the challenging information security environment in which today's businesses have to operate.