2 Comments

Great article. I wish you had covered the obvious alternative to a liability regime where government defines what "secure" means. You think about assigning liability when you view the situation in a Coase Theorem kind of way... externalities, least-cost avoider, etc.... And you end up with malpractice cases, insurance, tort reform, and endless "compliance" requirements that are not well suited to the product.

However if you view the problem in a "Market for Lemons" kind of way, the right intervention is to fix the asymmetric information problem. So you establish a mandatory transparency regime where government only says you must disclose your security story -- threat model -> defenses -> assurance -> monitoring. In this regime, the *market* effectively chooses the right level of security.

author

Yeah, I definitely could have gone further and more broadly. Perhaps I will edit and expand.

I love the idea of addressing information asymmetry via transparency (hell, I wrote a book titled "Software Transparency").

That said, one thing that immediately comes to mind is that, while folks like you and me, and large enterprises with sufficient security staff and expertise, may be in a position to determine from a market perspective the right level of security, what about the large SMB market with little to no actual security talent and expertise in-house, as well as the broader consumer market with no cyber literacy?

How do they drive market forces with either no leverage or no accompanying expertise to make informed choices?
