Security, insurance, and hard realities

Here are some notes from Bruce Schneier's talk. Hard, cold realities. Microsoft and its peers don't care about security, he argues, because it's not rational for them to do so. As businesses, they shouldn't, because they're not liable for their practices. Schneier is running out of options, he says, and what he's left with is a two-pronged strategy. One, require businesses to use insurance to manage risk, just like businesses use it to manage all other risks. Two, beef up prosecution of computer crime.

I'm sure he is right. If we change the economic incentives governing security practices, like we've done in the case of environmental protection, then there will be change. Otherwise not.

Suddenly a company choosing an operating system gets handed two insurance policies -- here's what it costs if you use Linux, here's the policy for Microsoft. The math gets much more interesting now. Security will improve because the CEO will now care.

This has disturbing implications for small software companies. Is there another way? He doesn't see one.

Former URL: