Friday, April 29, 2005

Dividing Risk

Responsibility for security of credit card transactions is divided between credit card companies and merchants. The credit card companies don't entirely trust the merchants, and want to ensure they take every possible precaution against fraud.

Credit card companies are larger and fewer, so they call the shots. Some elements of risk are unilaterally exported onto the merchant. In case of doubt, the merchant bears the financial burden. This is surely an example of asymmetric trust.

So who is responsible for specifying the security requirements, and designing the security mechanisms? Steven Hofmeyr argues that the credit card companies should leave this as a problem for the merchants to solve. "My suggestion to the credit card companies would be to impose heavy penalties on merchants that get compromised, but not to specify what exactly those merchants should do to make themselves secure." He favours incentives for companies to secure their systems, "without restricting or constraining the way in which they should do so, leaving companies to choose the most effective way", on the grounds that this will encourage innovation in defence, and notes how legislation or regulation often generates such incentives. Hofmeyr's suggestion is endorsed by Adam Shostack.

Given the asymmetry of power, any requirements imposed on merchants by credit card companies are effectively equivalent to regulations. Leaving merchants free to interpret these regulations (and suffer the consequences if their interpretations aren't good enough) may affect the security of the whole ecosystem in some interesting ways.

Firstly, each merchant is faced with fear, uncertainty and doubt. The big companies probably know much more about the possible security mechanisms, and their advantages and disadvantages, but the small companies have to decide for themselves - and woe betide them if they get it wrong. This anxiety effect tends to erode confidence and trust in the network, thus reducing economic efficiency and ethical balance.

Secondly, we may expect considerable diversity of security mechanisms. This diversity may be one of the factors leading to the innovation argued by Hofmeyr. But at the same time, diversity may impede the communication and adoption of innovation, so the effective innovation benefits are not clear-cut. Very occasionally, a centrally coordinated development effort may be both more cost-effective and more innovative than a large number of independent parallel developments. So it remains an open question whether the credit card companies should provide more specific guidance, whether they should "own" the security requirements.

Thirdly, the greater the diversity of security mechanisms, the smaller the proportion of merchants likely to be affected by any given attack. This appears to be beneficial for the population of merchants as a whole, since it reduces the risk for any individual merchant, and makes some form of mutual insurance viable. Above all, it is beneficial to the credit card companies, whose business would only be seriously threatened by the loss of a significant number of merchants in one incident. However, given the incessant search for new modes of attack, this benefit depends on the collective ability to develop new forms of defence.

In a complex collaboration, a careful division of risk requires detailed analysis, robust negotiation, and attentive governance. Redistribution of risk-responsibility can have a huge effect on the total shared risk within the system, generating both economic and ethical benefits.

