Let's Fine The Victims

Cyber attacks are becoming increasingly sophisticated and hard to detect. Large and well-funded organizations are being breached with distressing frequency. We seem to be reacting by clamouring for heftier fines and stronger punitive action against what are perceived to be lax organizations.

If you think of it, this is the "she asked for it" argument in another form!

This completely ignores the sophistication of current threats.

Good security requires that people be deterred from doing bad things - fines and punishment - but it also critically requires that people do the right things - not share passwords, etc.

Maybe the time has come to focus more on providing incentives to do the right things. I do have one significant example here. The TCS policy is that if you lose a laptop that does have hard disk encryption enabled, then you do not have to pay a significant fine.

While it is easier to think of user incentives for good behaviour, what kind of incentives might we think of for organizations to adopt secure practices, or indeed for product developers to adopt "security first" thinking?

Views by - Dr. Sundeep Oberoi


There is 1 Comment

Wondering what such a world would look like..  :) An additional line item on the payslip for being secure.. then what will stop organizations from blaming everything on an individual and washing their hands clean?
"Due diligence and due care" is something that gets drilled into responsible security professionals hired by responsible organizations. If this is found wanting, then punitive damages are levied.. either at an individual level or at an organizational level.
The incentive, even though intangible, is realized by businesses when they have a disruption-free business environment.. thereby meeting their revenue targets as well as paying performance-linked pay to employees in full. Incentive for all.. :)