putting a price on lax security...
Posted Jul 19, 2007 12:34 UTC (Thu) by jabby
In reply to: Security research: buy low, sell high?
Parent article: Security research: buy low, sell high?
Actually, I was just thinking that this is a good way to get development companies who undervalue security auditing to put a realistic value on it. When they see what it will cost to buy themselves out of trouble ("Buy exclusively!"), perhaps they will see the relative cost-effectiveness of dedicating resources to security in their development processes. If not, at least it forces them to pay for their lax approach to security.
Re: punishment... I don't believe in punishment. In the first part of the theory, people learn to avoid the negative consequence and adjust their behavior in the future. That part might have some bearing on reality, but it certainly hasn't solved the problems of society (think "recidivism", "repeat offenders"). The other part of the theory is that the knowledge of the punishment will cause people to avoid the behavior in the first place. This just hasn't been shown to work (think "partial reinforcement"). In general, I find that understanding the source/motive of the bad behavior and addressing it at that level is far more effective.