In Memoriam

Ross J. Anderson
1956-2024

The Workshop on the Economics of Information Security (WEIS) mourns the recent loss of founding member Ross Anderson. Ross’s seminal paper, “Why Information Security is Hard – An Economic Perspective” (ACSAC 2001), essentially founded the fields that study cybersecurity in a wider context involving economic, behavioral, political, and social dimensions. His book, Security Engineering, is part of the cybersecurity canon.

The “Why Information Security is Hard” paper was published in December 2001, and the first WEIS was held the following summer in Berkeley in 2002. But Ross’s ability to apply insights from a wide range of disciplines to information security problems had already been demonstrated years before. It may come as a surprise that such an accomplished scholar didn’t take the traditional academic route. Following his undergraduate degree in Cambridge, Ross spent more than a decade working in industry, primarily in avionics and banking. He then returned to Cambridge in 1992 to study under Roger Needham for a PhD. Ross’s commitment to research could already be seen in his decision to self-fund his studies. This also provided academic freedom, something he always fought to maintain and wield as part of his political activism.

Through time in industry, Ross learned much about how the world works (and doesn’t). This experience shaped his academic career, and helps explain why, more than just about any other academic in security, Ross focused on solving practical problems. And when that focus led him beyond traditional computer science approaches and into social and behavioral ones, Ross didn’t hesitate. He immersed himself in the scholarly writings of other disciplines and invited collaboration. So it was with Hal Varian, when Ross visited him in Berkeley on sabbatical, which led to the founding of WEIS.

In many ways, Ross’s first seminal security economics paper was published seven years earlier, during his PhD. “Why Cryptosystems Fail” (CACM, 1994) excoriated the traditional computer science approach to threat modeling. He noted that in reviewing the public record on banking security, “most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures”. The article explains in plain language how ATM fraud actually takes place, demystifying the supposed technical sophistication of attackers and defenders. It criticizes the secrecy often present in the cryptography community, which limits the ability to learn from mistakes. Ross would return to both of these issues in “Why Information Security is Hard”, this time with explicit connections to economics. He showed that high rates of ATM fraud in the UK can be explained by misaligned incentives, where UK banks had been successfully shifting liability onto consumers in contrast to US banks who had to foot the bill and therefore spent more to reduce fraud. He explained how information asymmetries make it hard to distinguish secure products from insecure, and how secrecy makes the problem worse.

With the founding of WEIS, Ross actively participated and regularly published papers. One stream of work appearing in WEIS particularly intrigued him: behavioral economics. Ross began to see psychology playing at least as big a role as microeconomics in security. So, seven years after founding WEIS, in 2008, he co-founded another workshop, the Workshop on Security and Human Behavior (SHB). Behavioral economists, psychologists, criminologists, and even magicians (James Randi) were invited to collaborate with like-minded computer scientists to study open research questions involving security and privacy.

After another seven years, in 2015 Ross co-founded the Cambridge Cybercrime Centre, which in many ways represents a fusion of the WEIS and SHB communities centered around understanding and combating cybercrime. He helped recruit a criminologist, Alice Hutchings, to the faculty of the Cambridge Computer Lab. The Cambridge Cybercrime Centre constructed a wide range of datasets with the express purpose of sharing them with other academics to investigate relevant research questions. The Centre helped reduce barriers to entry for non-computer scientists by providing relevant datasets for analysis free of charge.

Ross had an unparalleled sense of emerging topics and getting the right people in the same room. In 1996, Ross brought together researchers from five different subfields of engineering – including those working on digital watermarking in signal processing, covert channels in systems, anonymous communication in networks, and steganography in cryptography – to found the Workshop on Information Hiding. His early survey of the field “On the Limits of Information Hiding”, co-authored with his students Fabien A. Petitcolas and Markus Kuhn, is among his most cited works to date. As the community grew in the early 2000s, the Privacy Enhancing Technologies Workshop evolved out of Information Hiding, and Ross became one of the founders of the renowned Privacy Enhancing Technologies Symposium and its open-access journal.

These are but examples of the breadth of Ross’s intellectual curiosity. Many like to talk about the importance of interdisciplinary research, but few truly embrace it. Ross was one of those few who enthusiastically embraced interdisciplinary research.

In all these endeavors, Ross sought to build communities of scholars, empowering junior researchers and those from different disciplinary backgrounds. This included acts of service and outreach like live-blogging every talk at WEIS and SHB, when many other faculty members would choose to check emails. In so doing, he substantially broadened its impact. The WEIS community, as well as the fields of information security economics and behavioral security and privacy, owes a huge debt of gratitude to Ross, whose contributions will always be remembered.

Ross is survived by his wife, Shireen, daughter Bavani and three grandchildren.

He will be missed!

Testimonials to Ross can be made at: https://anderson.love/