From this Microsoft blog.
This was an eye opener to me. I would have thought XP infection rates were in the ball park of Windows 7. And this is while XP is still supported!
While there is some obvious self-interest for Microsoft to promote migration from XP, my gut is that this is reasonable data.
What percentage of your computers are still running on XP?
“Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world.”
John N. Stewart, Senior Vice President and Chief
Security Officer at Cisco in Cisco 2013 Annual Security Report.
(via merchantwarehouse.com)
So maybe SMB Information Risk & Security doesn’t have to be a Tragedy of the Commons.
Admittedly, at initial glance it appears that it has to be. So many SMB’s have so few resources — they rarely have security expertise, typically have very little IT expertise, and probably zero information risk management expertise. Again, the reasons for this are not difficult to see. Their resources are limited and many of the traditional enterprise approaches to risk and security simply don’t scale down cost-effectively.
![What's one more fish? (Image by Earth'sbuddy [CC-BY-SA-3.0] via Wikimedia Commons](http://longtailrisk.com/wp-content/uploads/2013/07/Salmon.jpg)
What’s one more fish?
(Image by Earth’sbuddy [CC-BY-SA-3.0] via Wikimedia Commons)
Similarly, it was suggested in the post, that the Internet is a shared resource for SMB’s. When an individual business is attacked, 1) the business can suffer itself, and/or 2) the business is used as an attack platform on other businesses which diminishes, i.e. depletes, the utility of the resource. However, in the short-term, the SMB has a hard time justifying risk management and security investment on its own behalf because it requires internal resources bound for marketing, R&D, production and similar.
The Tragedy of the Commons idea introduced by Hardin is similar to the Prisoner’s Dilemma where it is assumed that there is no (or little) communication between actors – prisoners, in this case. While working independently and integrating previous and existing research, Elinor Ostrom , 2009 Nobel Prize Winner for Economic Sciences (shared with Oliver Williamson), showed that there were many examples of successful sharing of a common pool resource (CPR). She asked the question, “Are rational individuals helplessly trapped in dilemma’s?” To answer this, she studied irrigation systems in Nepal, forests around the world, fisheries, police and government systems, as well as studies in her own laboratory.
Among other things, she clearly pointed out that there was indeed communication between the actors that were successfully sharing a Common Pool Resource. Further, a key component amongst actors in successful common sharing was trust.
Follows are a number of her observations from her Prize Lecture entitled, “Beyond Markets and States: Polycentric Governance of Complex Economic Systems” . I am not suggesting that these observations directly map into the Common Pool Resource problem of SMB’s sharing the Internet. However, I do believe that they are worthy of reflection in this context and can serve as the basis for further discussion. (That said, I think the title itself may hold clues to the SMB Tragedy of the Commons problem.)
Successful shared resource scenarios tended to have these traits:
Other observations:
What are parallels between these observations and secure-SMBs-on-the-Internet-Tragedy-of-the-Commons issue? Should government intervene? (these observations don’t make a strong case for it) Should trade groups organize rules? Should small, geographically similar SMB’s develop their own working groups somehow? Should SMB’s across the globe of similar size organize and develop membership rules re Internet participation? Are there other natural alignments amongst SMBs?
How do we increase the safety and security and lower the risk profile of SMB’s on the Internet?
Do small and medium sized businesses (SMB’s) erode their common resource, the Internet, by not making an investment in managing information risk and security in their own operations?
Garrett Hardin — between a rock and a hardplace
Garrett Hardin (1915-2003) introduced the idea of individual actors depleting a common resource in his 1968 paper published in Science entitled The Tragedy of the Commons. The idea is that individuals, making use of a common resource, will make decisions in their own interest to the detriment of the the group as a whole — even knowing that they are a part of that same group that will suffer.
A classic example is overfishing an area. In theory, all of the individuals fishing know that if they catch more than X fish in a certain period of time that they are contributing to the permanent depletion of that resource — which ultimately affects them. However, when thinking for themselves, they think, ‘if I don’t get that extra fish, someone else will. So it might as well be me.’
Another example is multiple farmers with cows grazing on the same common pasture. Some number of total cows is sustainable and the grass will regrow in time to continue feeding all of the cows. Beyond that point, the pasture will degrade until it is eventually totally consumed. While overgrazing is detrimental to all, each individual farmer thinks, ‘if I don’t maximize this and put more cows on the field, I’ll suffer in the short term — I’m not even thinking about the long term. I’m just trying to keep up with or beat the farmer next to me this week.’ As a result, the resource becomes completely depleted.
Elinor Ostrom (1933-2012) received the Nobel Prize for her work showing that in many systems with a common resource, individuals communicate with each other and develop working relationships such that the resource is not depleted. More on her work in a subsequent post.
Elinor Ostrom — maybe we can figure it out
It’s not hard to draw the analogy of Internet as common resource for SMB’s (as well as large enterprises and consumers). When a company connects to the Internet, it is participating in that resource. It gets value from the resource. It also has the potential to harm the resource, and in effect, deplete the resource.
Large enterprises have more resources available for risk management and security activities and can be more motivated to protect their own investments. I would hazard a guess that, on average, SMB’s have more risk tolerance than most large established enterprises.
When an SMB is attacked or ‘compromised’, a couple of things can happen: 1) the SMB suffers financial or reputation loss or both, and/or 2) the SMB’s resources (computers) are used as assets to attack the computers of other businesses. This weakens, or depletes, the community resource.
SMB’s typically have less resources when compared to their large enterprise counterparts. It’s a hard decision to divert limited cash from marketing, production, and R&D to spend it on information risk management and security. However, not making an investment in security and risk management, significantly exposes themselves as well as the common pool resource of the Internet to harm.
So whose responsibility is it? SMB’s represent a large portion of the workforce, with each workforce member potentially with one or many computing devices. If SMB’s aren’t motivated to invest in risk management and security, this means that a substantial part of the economy is operating while poorly protected.
Should SMB’s be held accountable if their computers are hacked and then used to attack other computers? Should SMB’s have a minimum standard for computing devices, to include smartphones? Would this stifle innovation? Should trade organizations establish standards? The government?
Or, do SMB’s simply represent a tragedy of the commons?
From Tom Scholtz’s presentation at Gartner Security & Risk Summit 2013 on lessons learned in IT Risk Management:
Finally, while possibly an unpopular sentiment amongst some practitioners, risk should be treated more like an art than science, where the focus is on gaining and documenting experience* and continuous improvement. *(See my post Inverting Sun Tzu).
Fidelity National Information Services (FIS), a large banking services company, was hacked in 2011 and information from that breach was used in a $13 million ATM theft. Initial reports said damage was limited to a small portion of its organization. Subsequent audit reveals a much larger breach plus apparently poor management of its incident response.
More here
Coffee Shop Safety (via ThreatMetrix http://www.threatmetrix.com/resource-center/infographics/)