Security isn't like mugging. Unfortunately there are no police blotter entries on risks, so how's a telecom provider to know how to decide which security threats to protect itself from?
Service providers and enterprises might be inclined to ask a security vendor for a business case on the cost of various risks. Schneier calls it as he sees it: "a big waste of money."
"Take a potential terrorist event with close to zero probability of occurrence but with damage close to infinity. Multiply zero by infinity, and you can get any number you want. If you pay for a study of security risks and their costs, you're getting made up numbers, because the math doesn't work for those kinds of events," Schneier cautions.
Beyond the mathematical issues surrounding security risks, the intangible costs can include company reputation, customer loss, regulatory noncompliance, bad press and loss of information. Since Schneier contends that security risks are based on economics rather than technology, it's hard to assess security risks in terms of stock prices or the cost of outages. It all depends on switching costs. If the cost of leaving the service provider that has the problem is high, a company might not lose any customers following a security breach.
Who cares about security risks? Consider the externalities
Security is about economics, not technology, according to Schneier, who says "externalities" (the effects of a decision not borne by the decision maker) are all over the security market. "When you see weird security things, look at the externalities," he said. Cellphone privacy is a good example: Operators don't spend money on wireless voice privacy because it doesn't really affect them; it affects their customers. "They could do it; it's easy. It's just not done," Schneier said. "But companies spend a lot of money making sure you can't put a third-party battery in your phone. It's called accessory control."
Spam is affected by another externality. ISPs may be in the best position to deal with spam, "but it's not in their best interest to fix it unless the amount of spam overwhelms their networks," Schneier said. "If it doesn't, they won't get rid of it. Why should they?"
Dealing with externalities
To deal with the externalities that affect networks and IT, you have to modify the cost-benefit trail, Schneier said. Going through the court system is one solution; regulation is another. Then if providers don't fix a security problem, they could be fined or go to jail, which would raise the cost of not addressing it.
Schneier's solution? Make the entity in the best position to mitigate the risk responsible for it. Then the balance changes.