QOTD - Spafford on the security conundrum

No individual business is facing huge losses necessarily, but collectively we are facing just unimaginable losses, but nobody is willing to pay the cost up front for what is necessary to solve the problem in the longer term.

The problem is that we generally only respond to crisis. And the kinds of problems that we are seeing in the whole information security arena is not a spot crisis; it is a growing community problem. So when we are talking tens of billions of dollars of loss every year in intellectual property theft, fraud, unnecessary or over-expenditure on security goods and services, and various other kinds of problems, that cost is not borne by any single entity, but it is borne by everyone. This results in a huge friction on the economy. It is definitely a loss to society. But no one feels it enough that they are willing to make the investment and the sacrifices to move forward. The government might play a role in this, and one way would be to phase in some liability on operators and vendors for obviously making poor choices. -- Prof. Eugene Spafford, Purdue University
Src: The State of Information Assurance Education 2009: Prof. Eugene Spafford, Purdue University

