BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Lancaster University Faculty of Science and Technology//NONSGML v1.0//EN
BEGIN:VTIMEZONE
TZID:/Europe/London
X-LIC-LOCATION:Europe/London
BEGIN:DAYLIGHT
TZOFFSETFROM:+0000
TZOFFSETTO:+0100
TZNAME:BST
DTSTART:19700329T010000
RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0100
TZOFFSETTO:+0000
TZNAME:GMT
DTSTART:19701025T020000
RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
UID:114
SUMMARY:Information Security - Where Computer Science, Economics and Psychology Meet
DESCRIPTION:For years, people thought that the insecurity of the Internet was due to a shortage of features, and so all through the 1990s we worked vigorously on developing better encryption, authentication and filtering mechanisms.  But things didn't get any better. We began to realise that failures - of both security and dependability - are intricately tied up with incentives.  Systems often fail because the people who guard and maintain them don't bear the full costs of failure. Microsoft doesn't accept liability for vulnerabilities that lead to millions of its customers being hacked; DVD region coding is easy to subvert because equipment vendors don't lose money when it fails; and ATMs suffer more fraud in countries that let banks dump the costs of fraud on customers.\n\nThis led to the emergence of a new field of study, information security economics, which Professor Ross Anderson helped to found. It provides valuable insights not just into 'security' topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability and policy. This research program has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and sociology.\n\nThe most recent development is the interaction with psychology. As systems get harder to attack, the bad guys attack the users instead; phishing only got properly going in 2004, but by 2006 cost British banks £35m. We now know that most information security mechanisms are too hard to use, being designed by geeks for geeks. We urgently need to introduce bright ideas and best practice from psychology and human-computer interface design. 
 And in addition to these 'micro' scale concerns, there are many 'macro' scale problems - why do people overreact to terrorism, yet underreact to everything from environmental degradation to road traffic accidents?\nThe challenge is to build a proper multi-disciplinary framework for analyzing security problems - one that is both principled and effective. Up till now, security economics has started to fuse the engineering and economic aspects, while behavioural economics, which studies the heuristics and biases that affect human judgment, has put psychology and economics together. The next big research task may well be security psychology.\n\nProfile - Ross Anderson\n\nRoss Anderson is Professor of Security Engineering at The University of Cambridge's Computer Laboratory.\n\nProfessor Anderson takes a multidisciplinary approach to building systems that remain dependable in the face of malice, error or mischance. He was one of the pioneers of peer-to-peer systems, of steganography, of hardware tamper-resistance, and of security usability.\n\nRecently he has been one of the founders of the study of information security economics. He wrote the standard textbook 'Security Engineering - A Guide to Building Dependable Distributed Systems'.
DTSTART:20080312T160000
DTEND:20080312T173000
LOCATION:Biology Large Lecture Theatre
END:VEVENT
END:VCALENDAR