This way of thinking about security explains some otherwise puzzling security realities. For example, historically most organizations haven't spent a lot of money on network security. That is because the costs have been significant: time, expense, reduced functionality, frustrated end-users. From the CEO's perspective, the risks include the possibility of bad press and angry customers and network downtime -- none of which is permanent. The result: a smart organization does what everyone else does, and no more. The risks are increasing, and as a result spending is increasing.

This same kind of economic reasoning explains why software vendors spend so little effort securing their own products. We in computer security think the vendors are all a bunch of idiots, but they're behaving completely rationally from their own point of view. The costs of adding good security to software products are essentially the same ones incurred in increasing network security -- large expenses, reduced functionality, delayed product releases, annoyed users -- while the costs of ignoring security are minor: occasional bad press, and maybe some users switching to competitors' products. Any smart software vendor will talk big about security, but do as little as possible, because that's what makes the most economic sense.

As scientists, we are awash in security technologies. We know how to build much more secure operating systems. The only way to fix the problem is to concentrate on the business motivations. We need to change the economic costs and benefits of security. We need to make the organizations in the best position to fix the problem want to fix the problem.

Remember that I said the costs of bad security are not borne by the software vendors that produce the bad security. In economics this is known as an externality: a cost of a decision that is borne by people other than those making the decision. If we expect CEOs to spend significant resources on their own network security -- especially the security of their customers -- they must be liable for mishandling their customers' data. Basically, we have to tweak the risk equation so the CEO cares about actually fixing the problem.