Wednesday, May 23, 2007

Economics of Information Security

Given the way in which new viruses spread and easily infect PCs, it is clear that the security industry is forever chasing a moving target. The reason is that certain programmers are dedicated to producing and circulating worms quite regularly. In spite of all this, the ease with which PC systems are regularly infected and the failure to regularly update anti-virus programmes ensure that viruses remain in circulation and on occasion explode as epidemics, infecting networks throughout the world.

Many blame the ubiquity of the Windows operating system, since this enables the creators of these viruses to identify points of weakness in the unduly large operating system. However, the more persuasive explanation for the lack of security in IT systems is that the costs of security failure are largely borne by the users and not by the creators of products. Naturally, therefore, there is insufficient incentive to ensure that the most dominant operating system is as secure as possible. It would therefore not constitute good expenditure for Microsoft Corporation to spend its money on ensuring security, because it can easily externalize the cost of the failures. A complete argument is made by security academic and consultant Bruce Schneier here.

Taking the ubiquity of the operating system on the one side and the ability to externalize the costs of its security flaws on the other, I venture that the last factor, the human element, is considerable too, because it allows for the circulation of viruses. This article from Reuters describes how a computer expert placed a very clear advert on the internet offering downloads of free viruses and had 409 people click on it. In my view, even a small fraction of this number would suffice to send the virus through networks and systems and thereby generate an information security systems epidemic.
