S4 Keynote: Dr. Ross Anderson
The Economics of Control System Security
Many of you will know Dr. Ross Anderson of the University of Cambridge from his book Security Engineering, first published in 2001 and now in a second edition this year.
What you may not know is that Ross is one of the thought leaders in the economics of security and the psychology of security. He has served on the steering committee for the annual Workshop on the Economics of Information Security [WEIS], an event you may have read Bruce Schneier raving about. On his site, Ross has numerous papers on economics and security. Recently he has brought psychologists and economists together for a workshop on security and human behavior.
Economics and psychology are two critical areas for control system security that are rarely explored in depth or with rigor. Some S4 papers have explored security metrics, but they have not gone so far as to estimate the economic impact of a control system security incident on a company, or on a community. In his keynote, Ross will talk about how to quantify the economic impact of a control system security incident, using some real events as examples. He will also touch on how the psychology of different classes of attackers affects the threat component of risk.
In the S4 keynotes we try to bring in speakers and viewpoints that are rarely heard in the control system community: Dave Aitel talking about elite hackers' methods and motivations; Whit Diffie discussing how cryptology went from an obscure field to a community with enough rigor to enable e-commerce; and Steve Lipner discussing the security development lifecycle. Ross Anderson bringing economic and psychological input to the control system risk equation should spark some new ideas and helpful research from the attendees.
Author: Dale Peterson
Posted: December 4th, 2008 under S4.
Comments: 2
Comments
Comment from Ralph Langner
Time: December 6, 2008, 6:32 am
I don’t get the message here… Economics is always an integral component in any security discussion. If we can’t stick a price tag on the damage we intend to prevent, we can’t assess risk, and can’t make a reasonable decision on how much to spend on countermeasures. No quantifiable damage — no risk — no insecurity.
Comment from CallBEFOREYouDig
Time: December 8, 2008, 8:58 pm
I suppose the message is that the countermeasures could include incentives designed to improve security, and the incentives would, of course, be designed using economic principles. Taking this to its logical conclusion, we might also foresee a thriving market in Critical Infrastructure Security Default Swaps, which will all go sadly wrong when utilities start betting that they won’t get hacked.