Adoption and Risk

Pat Patterson works for Sun Microsystems, and is a champion of the Liberty Alliance. He is therefore highly interested in the adoption of federated identity and related technologies.

Clearly there is a relationship between the adoption of these technologies and the adoption of the underlying transactions that these technologies are supposed to protect, such as online bill payments. In a blog posting entitled Emergent Effects in Identity Federation, Pat suggests that online bill payments follows a classic technology adoption curve.

But there are some complications with this. Firstly, we might reasonably suppose that the decision to adopt online bill payments (or even to revert to offline payments) is influenced by a person's sense of how risky this is, and this in turn depends on the perceived security. So the adoption of online bill payments depends partly on the maturity and adoption of the security mechanisms. (Assuming the mechanisms work.)

But the risk also depends on the sophistication and organization of the attackers. Whereas in many classic technology adoption situations, the actual risk and the perceived risk are both on a downward curve (although not necessarily in synch), this case is different because the widespread adoption of online bill payments can be assumed to trigger innovation by criminals. Phishing only becomes economically viable for the criminals when there are enough idiots doing online bill payments. Therefore there is an adoption curve for the attack as well as for the defence.

Important Clarification Update: It might sound like I'm saying that it's idiotic to do online bill payments, but what I'm really saying here is that it's a bit idiotic to fall for phishing. So when there were only a few smart people doing online bill payments, there wasn't much point trying to phish.

So we have three different adoption processes (underlying transaction, attack mechanisms, defence mechanisms) that interact in complex ways. Surely the aggregate effect of this interaction is unlikely to be a classic curve.

Technorati Tags: identity risk security technology adoption