The free market system has failed to address computer security problems, and incentives are needed to encourage businesses to invest in protection technologies, a panel at the 2011 RSA Conference has concluded.
Bruce Schneier, security expert and chief security officer at BT, said during a keynote session that the free market model has not created sufficient investment in security technology because companies are not going to protect themselves against a risk that is worth more than the company itself.
"There's a delta where a market economy won't get to. There is more security needed than the market will provide. If the risk is more than the value of your company, there's no incentive to fix the problem," he said.
James Lewis, fellow at the Center for Strategic and International Studies, agreed, saying that, while phrases like 'free market failure' are not popular, the message is starting to get through.
Lewis said that the US Senate is already examining this, but that the message is not welcome in other areas of government, which is holding back security.
"I would agree. I think it's a market failure," said Michael Chertoff, former US secretary for the Department of Homeland Security.
"Resiliency is inefficient. It's building in an extra layer of fat to the business. That is very much counter to people in business, who want to strip out excess spending."
Schneier concluded that governments will have to step in with what tools they have to promote security. This could involve financial incentives for companies to improve security, or fines for poor practice.