Abstract: Access Control Software, Corporate Responsibility, and the Origin and Early History of the Computer Security Industry

Jeffrey R. Yost


Through a case study of the hitherto unexplored origins and first decade (mid-1970s to mid-1980s) of the computer security industry, this paper investigates the role of established and start-up firms interpreting and acting on market demand in a new field, as well as the virtue of secure corporate computer systems versus the vice of inadequate protection of (internal, customer, and supplier) data. In doing so it analyzes the nature of new IT industry segment formation, cultural and corporate values for security and privacy, the economics of computer security, and evolving notions of acceptable risk. Corporate customers and potential corporate customers of the first computer security software products, IBM's RACF and startup SKK, Inc.'s ACF2 helped shape these products, and for many, fostered momentum for enacting meaningful security only as a responsive last resort—the legacy of which is evident in today's common ''penetrate and patch'' practices. The study draws extensively on recently conducted oral histories and archives from the Charles Babbage Institute's current three-year NSF-sponsored project ''Building an Infrastructure for Computer Security History.''