Certification and evaluation: A security economics perspective

Ross Anderson; Shailendra Fuloria

doi:10.1109/ETFA.2009.5347129

Certification and evaluation: A security economics perspective

Ross Anderson, Shailendra Fuloria

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated common criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as `security theatre' designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.

Original language	English
Title of host publication	2009 IEEE Conference on Emerging Technologies Factory Automation
Publisher	Institute of Electrical and Electronics Engineers
Number of pages	7
ISBN (Electronic)	978-1-4244-2728-4
ISBN (Print)	978-1-4244-2727-7
DOIs	https://doi.org/10.1109/ETFA.2009.5347129
Publication status	Published - 4 Dec 2009
Event	2009 IEEE Conference on Emerging Technologies & Factory Automation (ETFA) - Mallorca, Spain Duration: 22 Sept 2009 → 26 Sept 2009

Publication series

Name	IEEE Conference on Emerging Technologies & Factory Automation
Publisher	IEEE
ISSN (Print)	1946-0740
ISSN (Electronic)	1946-0759

Conference

Conference	2009 IEEE Conference on Emerging Technologies & Factory Automation (ETFA)
Abbreviated title	ETFA 2009
Country/Territory	Spain
City	Mallorca
Period	22/09/09 → 26/09/09

Access to Document

10.1109/ETFA.2009.5347129Licence: All Rights Reserved

https://ieeexplore.ieee.org/abstract/document/5347129Licence: All Rights Reserved

Cite this

@inproceedings{2db4bb41cba74425b257b409022554c4,

title = "Certification and evaluation: A security economics perspective",

abstract = "There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated common criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as `security theatre' designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.",

author = "Ross Anderson and Shailendra Fuloria",

year = "2009",

month = dec,

day = "4",

doi = "10.1109/ETFA.2009.5347129",

language = "English",

isbn = "978-1-4244-2727-7",

series = "IEEE Conference on Emerging Technologies \& Factory Automation",

publisher = "Institute of Electrical and Electronics Engineers",

booktitle = "2009 IEEE Conference on Emerging Technologies Factory Automation",

address = "United States",

note = "2009 IEEE Conference on Emerging Technologies \& Factory Automation (ETFA), ETFA 2009 ; Conference date: 22-09-2009 Through 26-09-2009",

}

Anderson, R & Fuloria, S 2009, Certification and evaluation: A security economics perspective. in 2009 IEEE Conference on Emerging Technologies Factory Automation. IEEE Conference on Emerging Technologies & Factory Automation, Institute of Electrical and Electronics Engineers, 2009 IEEE Conference on Emerging Technologies & Factory Automation (ETFA), Mallorca, Spain, 22/09/09. https://doi.org/10.1109/ETFA.2009.5347129

Certification and evaluation: A security economics perspective. / Anderson, Ross; Fuloria, Shailendra.
2009 IEEE Conference on Emerging Technologies Factory Automation. Institute of Electrical and Electronics Engineers, 2009. (IEEE Conference on Emerging Technologies & Factory Automation).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Certification and evaluation: A security economics perspective

AU - Anderson, Ross

AU - Fuloria, Shailendra

PY - 2009/12/4

Y1 - 2009/12/4

N2 - There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated common criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as `security theatre' designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.

AB - There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated common criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as `security theatre' designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.

U2 - 10.1109/ETFA.2009.5347129

DO - 10.1109/ETFA.2009.5347129

M3 - Conference contribution

SN - 978-1-4244-2727-7

T3 - IEEE Conference on Emerging Technologies & Factory Automation

BT - 2009 IEEE Conference on Emerging Technologies Factory Automation

PB - Institute of Electrical and Electronics Engineers

T2 - 2009 IEEE Conference on Emerging Technologies & Factory Automation (ETFA)

Y2 - 22 September 2009 through 26 September 2009

ER -

Certification and evaluation: A security economics perspective

Abstract

Publication series

Conference

Access to Document

Fingerprint

Cite this