Rational Protocols

Security research continues to provide a plethora of new protocols and mechanisms; these solutions patch either existing vulnerabilities found in practical systems or solve hypothetical security problems in the sense that the problem is often conceived at the same time when the first solution is proposed. Yet only a very small fraction of this research is relevant to ordinary users in the sense that they are willing to actually deploy the technology. Users choose their security technology according to their incentives: if there is no loss or no threat, be it real or perceived, then they don’t care about investing in new protection methods (users may be individuals or corporations, they behave similarly in this respect). Hence, the adoption of information security technology has largely been driven by the real and perceived threats. One can observe this behavior in many cases [1, 5]. The deployment of data encryption for storage solutions in the recent years is a good example. Transparent encryption for a file system has first been demonstrated almost 20 years ago. The required methods have been around for much longer, it only takes standard block ciphers or stream ciphers and simple public-key methods for key management (that are not even used often). But it was new regulations (for example, the Sarbanes-Oxley Act or California SB 1386) and some highly visible security breaches starting in 2002 that triggered their widespread deployment. Nowadays every vendor in the storage market offers encryption for its products and many file systems come with integrated encryption.