Human Nature vs. Security
Daniel Hanson, 2004-03-29

Social engineering in the latest crop of viruses has people jumping through hoops to open malicious attachments. How do we change the pattern?

Human Nature vs. Security 2004-03-30
Anonymous
Human Nature vs. Security 2004-03-30
IT Professional (2 replies)
Human Nature vs. Security 2004-03-31
Anonymous
Human Nature vs. Security 2004-04-05
Anonymous (1 replies)
Human Nature vs. Security 2004-04-07
Anonymous
Human Nature vs. Security 2004-03-30
Mene Tekel (1 replies)
Human Nature vs. Security 2004-04-06
Anonymous (1 replies)
Human Nature vs. Security 2004-04-07
Anonymous
Human Nature vs. Security 2004-03-30
Simonis
Human Nature vs. Security 2004-03-30
Anonymous
Human ignorance vs. security 2004-03-30
F. Obfusco
Human Nature vs. Security 2004-03-30
Yvan Boily (1 replies)
The obvious answer is that people require a negative selection pressure to force them to adapt to the new reality of the internet.

History has shown time and again that the most effective way to force both individuals and companies to adhere to new policies and rules (and thereby implement the selection pressure) would be to hit them with direct financial penalties.

There are two approaches; the first is to monitor for infringement and issue fines. This method encourages people to push their luck and find loopholes, and only affects people who are caught. Generally this view encourages people to identify measures to shift blame rather than to protect themselves. Issuing fines should be a measure associated with being found guilty of a violation. Failing to protect yourself should result strictly in a full assumption of any responsibility for financial or personal loss.

The second approach is to require "insurance policies". By having insurance, financial liability is mitigated based on the level of insurance acquired, and the cost of said insurance is scaled based on the risk associated with the insured. This approach encourages responsibility on the part of the user and ensures that industry finds a balance between cost and risk.

Charging insurance would be an ideal solution, and appealing to most governments and businesses. Insurance mitigates risk, provides additional revenue, and with a little time to learn the market becomes very profitable. Insurance rates would be linked to the perceived security and risk associated with different software and equipment. The constant discussions and heckling over the relative security of Windows/*NIX variants/Mac/Internet Toasters would become moot as insurance companies developed their own notions of risk based on the costs of incidents. Like so many other areas which have mandatory insurance, market usage will shift from high-risk systems to low-risk systems as businesses and users chase the discounted insurance policies. People who want to retain low insurance premiums will learn how to maintain their systems so they can avoid earning costly "demerits" which would skew the cost of their insurance.

Regardless of how each country chose to implement this type of policy the benefits would be undeniable, and by implementing policies and regulations which hold companies and individuals directly responsible for costs associated with their own failure to maintain security, it would encourage companies to take the same stance for information security as they do to safety, physical security, and general risk (fire, flood, act of god, etc.).



Link to this comment: http://www.securityfocus.com/comments/columns/231/25652#25652
Human Nature vs. Security 2004-04-02
Anonymous
Human Nature vs. Security 2004-03-31
jaywalker (3 replies)
Human Nature vs. Security 2004-04-01
Brainclots (1 replies)
Human Nature vs. Security 2004-04-04
Mene Tekel
Human Nature vs. Security 2004-04-01
IT Professional (1 replies)
Human Nature vs. Security 2004-04-02
Anonymous
Human Nature vs. Security 2004-04-01
Anonymous
Human Nature vs. Security 2004-03-31
Anonymous (1 replies)
Human Nature vs. Security 2004-04-01
The Suite (1 replies)
Human Nature vs. Security 2004-04-02
Anonymous
Human Nature vs. Security 2004-04-01
Chris
Human Nature vs. Security 2004-04-01
Educational Netowrk admin
Human Nature vs. Security 2004-04-05
Anonymous
Copyright 2009, SecurityFocus