It sounds like some Computer Scientists…
A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think they've found a ‘choke point’ [PDF] that could greatly reduce the flow of spam… If a handful of companies like these refused to authorize online credit card payments to the merchants, ‘you’d cut off the money that supports the entire spam enterprise,’ said one of the scientists. [Link]
…has caught up to my thinking…
Often much of the cost of an information security incident falls not onto the party that is responsible for providing the security but onto third parties. While the enterprise/individual that has the incident may incur costs, much of the cost of this InfoSec externality is put onto others (organizations/individuals/taxpayers).
What is lacking is proper incentives. By incentives I do not mean government regulations or criminal statutes.
I mean money. Getting money is a good incentive. Avoiding losing money is a good incentive. Not having your Balance Sheet, Income Statement, and Cash Flow Statement be affected by information security loss is a good incentive.
What is needed is Information Security Lawfare.
If an organization or individual deploys information technology in such a way that normal best practices are not followed (read: Duty of Care) and is subsequently used as part of an information security incident, those affected by that information security incident should sue for a Tort Remedy. [link]
Why leave Lawfare just to the bad guys?