Tech Dirt has a brief discussion on WiFi Access to the internet an Criminal/Civil charges which got me to thinking.
Most problems with Information Security are Economic in nature. Pundits and experts blah blah about the importance or Information Security, but generally firms and individuals will act on incentives and financial calculations.
The true costs of information security incidents are not well know. Government and organizations tend to be mum when incidents occur (I know this from first hand work as an information security specialist for both a large Enterprise and for a Service Provider). This prevents vital information information from dispersing to those to whom it would prove to be useful.
Information Security related specialists who have a technical backgrounds (or core education), tend to not take the incentives/finances into consideration and suggest things that don't make economic/financial sense (i.e. controls that cost more then the risks they mitigate). Information Security related specialist who do not have technical backgrounds tend to underestimate technical issues and thus underestimate/discount risk costs (and ignore certain risks altogether). Each side assumes their expertise is more important anyways.
At the seems between these two types of InfoSecDudes lie mistakes and miscalculation. There is a Moral Hazard effect here in these shortcomings. Both sides know that in an organization they won't really take the fall for these shortcomings. Executives higher up in the food chain are generally not aware of these issues – or they may be concentrating on more important things.
Often much of the cost of an information security incident falls not onto the party that is responsible for providing the Security but onto third parties. While the enterprise/individual that has the incident may incur costs, much of the cost of this InfoSec externality is put onto others (organizations/individuals/taxpayers).
What is lacking is proper incentives. By incentives I do not mean government regulations or criminal statutes.
I mean money. Getting money is a good incentive. Avoiding loosing money is a good incentive. Not having your Balance Sheet, Income Statement, and Cash Flow Statement be effected by information security loss is a good incentive.
What is needed is Information Security Lawfare.
If an organization or individual deploys information technology in such a way that normal best practices are not followed (read: Duty of Care) and is subsequently used as part of an information security incident, those effected by that information Security incident should sue for a Tort Remedy.
Big disclaimer: I am not a Lawyer, I do not have a law degree, and it has been several years since I have had a business law class.
Who gets the money?
- The victims (organizations, individuals, taxpayers, classes)
- The victims' lawyers
Who looses the money:
- The Enterprise/Individual with sloppy Information Security
What is likely to occur if InfoSec Lawfare becomes practiced:
- Litigation firms with InfoSec practices will grow somewhat
- InfoSec Liability Insurance will become more widespread
- InfoSec Insurance riders will require certain standards and processes to be followed if a policy is to pay out.
- The practice of Information Security will become more attuned to Economic costs
- Reduction in InfoSec externalities
Update: This Security Focus article talks about Economic Externalities and InfoSec also.
Filed under: Business, Economics, Information Security, Lawfare |
PurpleSlog - The Future Will Be Kludged 
Information Security Lawfare example: NY Attorney General Sues Over Spyware
Via digg:
Attorney General Eliot Spitzer on Tuesday accused a major Internet pop-up advertising company of secretly installing spyware and sending ads through spyware already installed on personal computers.
read more
I believe the changing econ…
[…] Industry as a whole and consumer protections groups should actively pursue InfoSec Lawfare against those perpetuating Malware […]
A valuable post!!
[…] Practice Information Security Lawfare […]
[…] Techdirt gives an example of InfoSec Lawfare in action in a post titled Spam King Rumored To Be In Jail As Spam Underworld Worries…. […]
[…] Companies that are victims of DNS-based DDOS, should pursue tort action (in a class with other victims) against those Enterprises/ISP that were not properly configured thus allowing the attack. When InfoSec Lawfare (reduction of InfoSec based economic externalities) begins in earnst, organizations and individuals will have the proper economic incentives for information security. […]
[…] Individuals and organizations should practice Information Security Lawfare against the sources. The Feds and the individual states should enact legislation to make this easier. After a few successful class-action lawsuits, I am pretty sue that the business liability insurance providers will require proper security programs of Service Providers and others as a condition of coverage. […]
[…] You know what I am going to say the answer is. […]
[…] I am not in the Email anti-spam biz like I have been in a past life, but it is worth the time to read. It covers many anti-spam techniques and more general issues elated to the email spam problem (but it does not bring in Economic Lawfare). […]
[…] get a civil judgement against the perpetrator and publicize it. Ruin their credit. Retaliate with InfoSec Lawfare against the direct perpitrator and those organizations and individuals who enabled the […]
[…] If an organization or individual deploys information technology in such a way that normal best practices are not followed (read: Duty of Care) and is subsequently used as part of an information security incident, those effected by that information Security incident should sue for a Tort Remedy.[link] […]