Abstract
The conventional wisdom is that security priorities should be set by risk analysis. However, reality is subtly different: many computer security systems are at least as much about shedding liability as about minimising risk. Banks use computer security mechanisms to transfer liability to their customers; companies use them to transfer liability to their insurers, or (via the public prosecutor) to the taxpayer; and they are also used to shift the blame to other departments (“we did everything that GCHQ/the internal auditors told us to”). We derive nine principles which might help designers avoid the most common pitfalls.
Copyright information
© 1994 Springer-Verlag Berlin Heidelberg
Cite this paper
Anderson, R.J. (1994). Liability and computer security: Nine principles. In: Gollmann, D. (eds) Computer Security — ESORICS 94. ESORICS 1994. Lecture Notes in Computer Science, vol 875. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-58618-0_67
DOI: https://doi.org/10.1007/3-540-58618-0_67
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-58618-0
Online ISBN: 978-3-540-49034-0
eBook Packages: Springer Book Archive