Cyber attacks are becoming increasingly sophisticated and hard to detect. Large and well-funded organizations are being breached with distressing frequency. We seem to be reacting by clamouring for heftier fines and stronger punitive action against what are perceived to be lax organizations.
If you think of it, this is the "she asked for it" argument in another form!
This completely ignores the sophistication of current threats.
Good security requires that people be deterred from doing bad things - fines and punishment - but it also critically requires that people do the right things - not sharing passwords, etc.
Maybe the time has come to focus more on providing incentives to do the right things. I do have one significant example here. The TCS policy is that if you lose a laptop that does have hard disk encryption enabled then you do not have to pay a significant fine.
While it is easier to think of user incentives for good behaviour, what kind of incentives might we think of for organizations to adopt secure practices, or indeed for product developers to adopt "security first" thinking?
Views by - Dr. Sundeep Oberoi