Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
Occasionally one reads a paper or a book that makes one sit up and take notice.
Older readers may remember the excitement in 1991 when the System Security Study Committee of the National Research Council issued Computers at Risk: Safe Computing in the Information Age, which was published by the National Academy Press. The text is still available for sale and can also be purchased as a PDF download or read for free (chapter by chapter and page by page) at the National Academies Press Web site.
Computers at Risk was exciting because it provided a wealth of information in its 320 pages and included stimulating, practicable recommendations for realistic discussions of public policy. It influenced the development of public policy for more than a decade after its publication and is still worth reading today. It can be an excellent primer for non-technical executives we are just now convincing to think about security.
Readers may come to agree with me that we have another exciting policy-related report to read this year.
At the 2008 Workshop on the Economics of Information Security (WEIS 2008) at Dartmouth College last month (see also my overview), Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore presented a valuable paper entitled, “Security Economics and European Policy.” The paper is a summary of a longer report commissioned by the European Network and Information Security Agency, which, by the way, has a wealth of groundbreaking and highly stimulating papers available in English.
The original report, “Security Economics and the Internal Market,” was covered in part by John Leyden in The Register in March. The 114-page report was a study of “Barriers and Incentives for network and information security (NIS) in the Internal Market for e-Communication.” The Executive Summary begins as follows:
"Network and information security are of significant and growing economic importance. The direct cost to Europe of protective measures and electronic fraud is measured in billions of [Euros]; and growing public concerns about information security hinder the development of both markets and public services, giving rise to even greater indirect costs….
"Information security is now a mainstream political issue, and can no longer be considered the sole purview of technologists. Fortunately, information security economics has recently become a live research topic: as well as collecting data on what fails and how, security economists have discovered that systems often fail not for some technical reason, but because the incentives were wrong. An appropriate regulatory framework is just as important for protecting economic and other activity online as it is offline."
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.