Monday, September 29, 2008

Externalities in IT Security

One of the whims I've been indulging lately is trying to apply economic concepts to the practice of Information Security. I'd like to share with you a problem that has been plaguing me for the last few months and an economic approach that might help to fix it.

Near the end of every semester, and often around midterm time, professors are asked to provide their students with their grades. Most professors don't want to make their students wait until the official grade shows up on their transcripts, and so they post them. Everyone seems to know and agree that grade data should be anonymous, so the grades are not posted by student name. However, there is less understanding that Student IDs are also considered non-public information, and so posting grades by Student ID is also not acceptable. So every semester I end up finding grade data posted by Student ID, and in some cases that grade data is put on a web server and is then indexed by Google. Hijinks ensue.

So far the approach to combating this problem has been to send out messages to all the faculty around the end of the semester reminding them not to post grades by Student ID. However, based on the fact that I keep having to clean up these messes, I can conclude that the emails are not being read, are being ignored, or are being forgotten. Another possibility is that the message is being read and understood, but each professor perceives that the benefit of posting grades by Student ID outweighs the penalty and thus makes a conscious choice to break the rules.

Regardless of what is happening, we can be certain that the way we're dealing with the problem right now is not effective. So I started thinking about the problem like a junior economist, and I decided that this is an example of a negative externality. An externality is an impact (either good or bad) felt by someone who is not involved in the event that caused the impact. A classic example is air pollution. When you buy a product from a factory, the factory gets money and you get a product. The factory may also produce smog as part of the production process. I, however, got nothing but extra smog. The factory has imparted a negative externality upon me. In the case of posting grades, the professor enjoys a convenient way of posting grades, and the students get their grades faster. However, the university could find itself in violation of federal law (FERPA), and the IT department may have to spend time cleaning up the mess. Posting grades by Student ID imparts a negative externality on the rest of the university.

So how do we deal with externalities in the real world? Well, in the case of negative externalities, we can impose government regulation or we can apply taxes. In the case of improperly posting grades online, there is already government regulation in place, but the regulation is directed at the school, not the individual professor. I believe that we should move the cost closer to the professor. It is well understood in the insurance industry that risk should be assigned to the party that is most able to mitigate it. In this case, the cost of posting grades improperly should be assigned to the group that is most able to prevent it from happening, which is the professors themselves.

So my proposed solution is that we should work out an estimate of the cost of cleaning this up per record and then start billing departments when we have to clean up these messes. In fact, I believe that we could even make this a largely symbolic fine of $1 per record. In most cases a department would be charged less than $50. However, when a dean or department head has to open up their budget and fork over money for something, they might put more pressure on their professors to follow the rules. If the expense went north of $100, then it is almost certain that professors would be pressured to create unique identifiers for their students rather than post grades by Student ID. I'd like to know if anyone else out there has an opinion about this scheme and if other people have had to solve similar problems.
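The "unique identifiers" the last paragraph mentions can be derived rather than handed out by hand. The example below is added here and is not from the original post: it assumes a per-course secret key (hypothetical, kept by the professor) and derives a per-course posting code from each Student ID with HMAC-SHA256, so the posted sheet contains no Student IDs and codes cannot be linked across courses. The Student IDs and grades are constructed sample data.

```python
import hmac
import hashlib
import secrets


def course_pseudonym(student_id: str, course_key: bytes, length: int = 8) -> str:
    """Derive a posting code for one student in one course section.

    HMAC-SHA256 keyed with a secret that exists only for this section:
    without the key, a code cannot be reversed to the Student ID, and the
    same student gets unrelated codes in other sections (different keys).
    """
    digest = hmac.new(course_key, student_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length].upper()


def build_grade_sheet(grades: dict[str, str], course_key: bytes) -> dict[str, str]:
    """Return {posting_code: grade} with every Student ID removed.

    Raises if two students collide on a truncated code, so a grade is never
    silently attributed to the wrong person.
    """
    sheet = {course_pseudonym(sid, course_key): grade for sid, grade in grades.items()}
    if len(sheet) != len(grades):
        raise ValueError("posting-code collision; increase the code length")
    return sheet


def contains_student_id(posted_text: str, student_ids) -> bool:
    """Pre-publication guard: True if any raw Student ID survives in the text."""
    return any(sid in posted_text for sid in student_ids)


if __name__ == "__main__":
    # Constructed sample data (not real students or grades).
    sample_grades = {"900123456": "A-", "900654321": "B+", "900111222": "C"}
    section_key = secrets.token_bytes(32)  # generated once per course section, kept private
    sheet = build_grade_sheet(sample_grades, section_key)
    posting = "\n".join(f"{code}\t{grade}" for code, grade in sorted(sheet.items()))
    assert not contains_student_id(posting, sample_grades)
    print(posting)
```

Each student is told their own code privately (in person or via the course system); the sheet itself is safe to put on a web server.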
