Wake-up call to business: Tighten up on information security

June 30, 2008

According to the Department of Trade and Industry there are 4.5 million businesses in the UK of which 99.3% are small to medium sized enterprises (SMEs), employing 0-49 employees. These comprise 58.9% of the total workforce of 24.4 million and account for 51.9% of the £2,600 billion UK turnover. Bruce Hallas, a specialist in information security, said "SMEs are particularly prone to poor or even non-existent information security. As awareness of the importance of information security increases, the SMEs stand to lose competitiveness, potentially losing contracts with existing clients and suffering the financial consequences that are increasingly arising from information security incidents."

An over reliance on Information Technology (IT) has developed over recent years. According to Hallas, this is the result of confusing Information Technology with Information Security (IS). With 'insufficient' money to invest in expensive information security expertise, many SME's are investing heavily in IT in the mistaken belief that IT will ensure IS. "Yet the largest business drivers for security investment are contractual, regulatory, market pressures from consumers, corporate clients and the public sector. Not the typical domain of IT. The biggest security vulnerability lies with people," Hallas says. "Security is about managing the risk from people, both known and unknown, interacting with your information and information systems. It is more about people management than technology."

Tyler Moore of the Computer Laboratories, University of Cambridge expanded, "Information security is now a mainstream political issue, and no longer the province of technologists alone," he said. "People used to think that the internet was not secure because there was not enough of the right technology, not enough sophisticated cryptographic mechanisms, authentication or filtering etc. so advanced encryption, public key infrastructure and firewalls were added. The internet did not get any safer," he added. "In 1999 it became clear that even the latest and greatest technology will not solve all our problems if those who protect and maintain them are not sufficiently movitated. The issue is one of incentives."

The impact of an under-incentivised workforce can have devastating consequences in business such as denial of service attacks allowing viruses to infect the IT system, hospitals putting access to data above patient privacy, bank customers suffering phishing attacks by poorly designed banking systems.

"Economics can explain many of the failures and challenges in a new way" Tyler Moore said. "As companies are beginning to realise the value of good information security practice so security measures are being used not only to manage the evils of the attackers but also to support the business models of companies."

Now that the Achilles heel of the information security problem has been identified, companies, especially banks, often fight shy of divulging information about attacks, whether they have been successfully repelled or not because the information concerned may be sensitive.

Help is at hand in the form of a new report "Security Economics and the Internal Market" which outlines police options regarding the economic problems in providing IS.

The report's first recommendation is for the EU to issue a comprehensive breach notification law to notify consumers when their details have been compromised so they can protect themselves.
-end-
NOTES OF EDITORS

1. 'Economics of Information Security' is published by the ESRC to accompany a seminar on April 9, 2008 in Bristol. Speakers are Tyler Moore, Doctoral Researcher, in collaboration with Professor Ross Anderson, Professor of Security Engineering at the Computer Lab, University of Cambridge. Professor Christos Ioannidis, Professor of Finance, University of Bath, Professor David Pym, Principal Scientist, HP Labs and Bruce Hallas, Information Security Consultant, Marmalade Box.

2. This emerges from a seminar on the Economics of Information Security staged by the Economic and Social Research Council (ESRC), the Cyber Security Knowledge Transfer Network (KTN) and Hewlett Packard Laboratories. A brochure covering the seminar is available as a PDF document or hard copy from the ESRC Knowledge Transfer Team.

3. Examples of potential damage by inappropriate IS systems: 4. The new EU level government agency European Network and Information Security Agency (ENISA) has commissioned a report "Security Economics and the Internal Market" on the policy options regarding the economic problems in providing information security. The authors are: Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore.

5. The event is part of the Public Policy Seminar series, which directly addresses key issues faced by ESRC's key stakeholders in government, politics, the media, and the private and voluntary sectors.

6. The Cyber Security Knowledge Transfer Network (KTN) is the focal point for UK expertise in cyber security issues and technologies. The KTN is an independent, business-focused network, funded by government as an advisory body for issues related to e-crime and information security. The KTN is tasked with connecting cyber security experts in government, industry and academia to encourage collaboration as a way to solve problems, develop innovative ideas and support the growth of UK expertise and leadership in the cyber security market. The Cyber Security KTN is run by Qinetiq on behalf of the government's Technology Strategy Board.

7. HP is a technology solutions provider to consumers, businesses and institutions globally. The company's offerings span IT infrastructure, global services, business and home computing, and imaging & printing. HP Labs is Hewlett-Packard's corporate long-term research organization. Its European facility, based in Bristol, represents about 25% of HP's research activity, and conducts basic and applied research in wide range of areas, including many aspects of information security.

8. The ESRC is the UK's largest funding agency for research and postgraduate training relating to social and economic issues. It provides independent, high quality, relevant research to business, the public sector and Government. The ESRC total expenditure in 2005/6 is £135million. At any time, the ESRC supports more than 4,000 researchers and postgraduate students in academic institutions and research policy institutes. More at http://www.esrcsocietytoday.ac.uk

9. ESRC Society Today offers free access to a broad range of social science research and presents it in a way that makes it easy to navigate and saves users valuable time. As well as bringing together all ESRC-funded research (formerly accessible via the Regard website) and key online resources such as the Social Science Information Gateway and the UK Data Archive, non-ESRC resources are included, for example the Office for National Statistics. The portal provides access to early findings and research summaries, as well as full texts and original datasets through integrated search facilities. More at http://www.esrcsocietytoday.ac.uk

Economic & Social Research Council

Related Consumers Articles from Brightsurf:

When consumers trust AI recommendations--or resist them
The key factor in deciding how to incorporate AI recommenders is whether consumers are focused on the functional and practical aspects of a product (its utilitarian value) or on the experiential and sensory aspects of a product (its hedonic value).

Do consumers enjoy events more when commenting on them?
Generating content increases people's enjoyment of positive experiences.

Why consumers think pretty food is healthier
People tend to think that pretty-looking food is healthier (e.g., more nutrients, less fat) and more natural (e.g., purer, less processed) than ugly-looking versions of the same food.

How consumers responded to COVID-19
The coronavirus pandemic has been a catalyst for laying out the different threats that consumers face, and that consumers must prepare themselves for a constantly shifting landscape moving forward.

Is less more? How consumers view sustainability claims
Communicating a product's reduced negative attribute might have unintended consequences if consumers approach it with the wrong mindset.

In the sharing economy, consumers see themselves as helpers
Whether you use a taxi or a rideshare app like Uber, you're still going to get a driver who will take you to your destination.

Helping consumers in a crisis
A new study shows that the central bank tool known as quantitative easing helped consumers substantially during the last big economic downturn -- a finding with clear relevance for today's pandemic-hit economy.

'Locally grown' broccoli looks, tastes better to consumers
In tests, consumers in upstate New York were willing to pay more for broccoli grown in New York when they knew where it came from, Cornell University researchers found.

Should patients be considered consumers?
No, and doing so can undermine efforts to promote patient-centered health care, write three Hastings Center scholars in the March issue of Health Affairs.

Consumers choose smartphones mostly because of their appearance
The more attractive the image and design of the telephone, the stronger the emotional relationship that consumers are going to have with the product, which is a clear influence on their purchasing decision.

Read More: Consumers News and Consumers Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.