One of the things that would most benefit the information security field is for more people in it to understand economics. Specifically, the art and science of incentive management.
So much of InfoSec is about turning knobs and believing that outcomes will improve But too few understand the interconnected mesh of behaviors that’s linked to that variable, or the 37 different reasons that the knob was at the exact position it was before the security person showed up.
- Why doesn’t the CEO want to spend more money on security?
- Why aren’t security awareness programs overwhelmingly successful?
- Why do developers continue to produce such insecure code after a decade of secure code training?
- How do software vendors continue to put out products that have hundreds of severe vulnerabilities in them?
To the average infosec person—especially one early in their career—these are rant-fodder. They cuss and they swear and blame the stupidity of the world, and that’s a problem.
When something keeps happening the same way in a complex system, you should map the inputs and outputs. And in such a system with humans in it those inputs and outputs are often in the form of incentives.
If it costs a CEO less to not do security, she won’t do it. If developers ship less code when they try to code securely, they’ll soon be coding insecurely because their manager will make sure they get in line. And software vendors will continue to produce bad products as long as there isn’t some pressure to do otherwise.
Smart people who’ve been in the field for a while know all this stuff, but it’s remarkably opaque to so many in security. They shake their fists at the sky, at management, at the users—all because they don’t understand why things work the way they are.
We as an industry need to understand the complexities of the systems we’re trying to secure. We need to understand the incentives of the attacker, of the defender, and have a grasp of the various externalities involved.
Failing to do this will keep us very confused about the big, complex world, and it’ll also keep us out of the room where big decisions are being made because we’ll be the ones yelling about this or that thing that is the most important thing of the week.
Understanding economic incentives is another example of where cross-discipline knowledge is massively beneficial in infosec, and I’d love to see some sort of focus on the topic in university and industry education programs.