undefined | Better HN

0 pointsvec9y ago0 comments

This solves one incentive problem, but not (in my opinion) the main one. The people responsible for security (i.e. corporate IT departments) are quite often not the same people who would suffer in the event of one (i.e. customers). Therefore, security professionals are mainly incentivized to appear trustworthy.

Actually being trustworthy is certainly the easiest way to do this, at least up to a point. But it tends to push people toward public, visible security measures over private, invisible ones, regardless of their relative effectiveness.

It cuts both ways, too. Even if you do everything right, if you do get hacked that trust is gone and no insurance payout can buy it back. And I'm not sure any customer is going to react well to "Yeah we lost your data, but Goldman Sachs claims it's not our fault".

0 comments

1 comments · 1 top-level

smallnamespace9y ago

The incentive problem goes even deeper than that, because customers themselves also don't have a good way to measure the costs of breaches.

If someone company gets hacked, a consumer's gets leaked, and 3 years later that info is used to steal that person's ID, how is that consumer supposed to determine the root cause?

The real problem is that the effects of bad security are very far downstream from the initial problems in space, time, and individuals affected, so proper feedback to those responsible happens very slowly or not at all.

j / k navigate · click thread line to collapse