It makes no sense to spend more on security than the original cost of the problem, just as it makes no sense to pay liability compensation for damage done when spending money on security is cheaper. Businesses look for financial sweet spots -- adequate security for a reasonable cost, for example -- and if a security solution doesn't make business sense, a company won't do it. Liability forces software companies to think twice before changing something.
Today there are no real consequences for having bad security, or having low-quality software of any kind.
Even worse, the marketplace often rewards low quality.
The costs of adding good security to software products are essentially the same ones incurred in increasing network security -- large expenses, reduced functionality, delayed product releases, annoyed users -- while the costs of ignoring security are minor: occasional bad press, and maybe some users switching to competitors' products.
Any smart software vendor will talk big about security, but do as little as possible, because that's what makes the most economic sense.
This way of thinking about security explains some otherwise puzzling security realities.
For example, historically most organizations haven't spent a lot of money on network security, because the costs have been significant: time, expense, reduced functionality, frustrated end-users. (Increasing security regularly frustrates end-users.) On the other hand, the costs of ignoring security and getting hacked have been, in the scheme of things, relatively small. We in the computer security field like to think they're enormous, but they haven't really affected a company's bottom line.

There are many parties involved in a typical software attack. We need to make the organizations in the best position to fix the problem want to fix the problem. Remember that I said the costs of bad security are not borne by the software vendors that produce the bad security. In economics this is known as an externality: a cost of a decision that is borne by people other than those making the decision. And putting pressure on the vendor's balance sheet is the best way to do that.

Legislatures could impose liability on the computer industry by forcing software manufacturers to live with the same product liability laws that affect other industries. If software manufacturers produced a defective product, they would be liable for damages. Even without this, courts could start imposing liability-like penalties on software manufacturers and users. A judge forced the Department of Interior to take its network offline, because it couldn't guarantee the safety of American Indian data it was entrusted with. And judges have issued restraining orders against companies with insecure networks that are used as conduits for attacks against others. Alternatively, the industry could get together and define its own liability standards.
Several cases have resulted in penalties against companies that used customer data in violation of their privacy promises, or collected that data using misrepresentation or fraud.

Businesses approach security as they do any other business uncertainty: in terms of risk management. Organizations optimize their activities to minimize their cost-risk product, and understanding those motivations is key to understanding computer security today.