A while back I wrote a post about the economics of information security. Yesterday, security expert Bruce Schneier spoke in a similar vein about where liability and economic burden should fall in the product security lifecycle.
I like what he has to say, but I’m not convinced that incentivizing developers to bear security costs upfront and, theoretically, to produce more secure products will shift enough economic burden onto attackers. As long as it’s cheaper to pay people to exploit software and more profitable to reap the benefits, the underground will deem law enforcement threats an acceptable risk and continue doing their worst, even in the face of (or in spite of) increased security spending.
It’s also somewhat glib to suggest that “[c]omputer security isn’t a technological problem—it’s an economic problem.” Really, it’s both, and a cultural problem to boot.