Liability and computer security: Nine principles

  • Ross J. Anderson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 875)


The conventional wisdom is that security priorities should be set by risk analysis. However, reality is subtly different: many computer security systems are at least as much about shedding liability as about minimising risk. Banks use computer security mechanisms to transfer liability to their customers; companies use them to transfer liability to their insurers, or (via the public prosecutor) to the taxpayer; and they are also used to shift the blame to other departments (“we did everything that GCHQ/the internal auditors told us to”). We derive nine principles which might help designers avoid the most common pitfalls.

Copyright information

© Springer-Verlag Berlin Heidelberg 1994

Authors and Affiliations

  • Ross J. Anderson, Cambridge University Computer Laboratory, UK