Secure Coding mailing list archives

Customer Demand


From: andrews at rbacomm.com (Brad Andrews)
Date: Fri, 21 Aug 2009 15:35:39 -0500


Regulation will never be as effective as we need and I believe will  
ultimately be counterproductive as many companies use "compliant" as  
an excuse to stop.  (It may get them to start, but once started, we  
need them to go farther.)

In regards to cigarettes, they are still a huge problem in many  
places.  Many become hooked all the time, in spite of all the  
education and efforts.  It has been far from effective.  Sure it isn't  
hip to smoke in some circles, but not all circles feel that way.

The analogy would be interesting to explore.

- Writing insecure code does give an addictive rush - you can do it  
faster!  (Smoking produces a positive experience, at least at some  
point.)

- Peer support is there - since most of a developer's peers are  
unlikely to develop securely.  (Peers push smoking, regardless of the  
messages "society" sends.)

- Taxing it won't eliminate it - both will become a "cost of doing  
business" for some.

As to seatbelts - the same problem persists.  We wouldn't need  
programs like "click-it or ticket" if past communications were  
successful.  I could go into details, but I don't want to argue the  
seatbelt issue.

The main factor is that I don't trust government to push much of  
anything successfully.  It may do some things, but it is incredibly  
inefficient most of the time.  :)

Your point about insurance is reasonable, though insurance companies  
will have to decide they are going to do that for their own  
self-interest before it is effective.  Even then, we may end up with  
something like the modern health care system (including lots of  
unnecessary tests) rather than security nirvana.

I agree that changing consumer behavior is not sufficient, but it is  
necessary.  The other stuff will not work without it.  Look at our  
modern "war on drugs" (including tobacco).  Changing demand is key,  
not supply.  People will write secure code when those who drive them  
(ultimately the customer) demand it.

Even if I am an enlightened CEO, I am not going to survive and thrive  
writing secure code if doing so makes me cost more than a competitor  
without giving me a clear, fairly immediate business advantage - that  
same demand.

-- 

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting "Goertzel, Karen [USA]" <goertzel_karen at bah.com>:

I think we need a multifaceted approach that includes supply side,
demand side, insurance companies, consumer protection organisations,
etc. etc.

We need regulation with legal penalties - as exist for airlines, for
example - for software firms that fail to meet minimal standards
for quality - which must be defined to include security (using
demonstrated linkages to existing legislation as a catalyst - i.e.,
non-secure software makes it impossible to be HIPAA, FISMA, SOX,
PCI, etc. compliant).

We need a system of evaluation (like Good Housekeeping seal of
approval, but NOT like Common Criteria) for consumers to be able to
easily determine which software meets the minimum standards for
"goodness".

We need the insurance firms that are now offering security and CIP
related products to add software security criteria to their
definitions, so that their customers who buy demonstrably secure
software get breaks on their premiums, and those that willfully
engage in risky behaviours - i.e., persisting in use of bad software
- are penalised by higher premiums or, ultimately, having their
coverage dropped.

We need to educate end users as we did with seatbelts and cigarettes
- a series of really good public service advertisements that
clearly and engagingly depict what happens as a result of AVOIDABLE
(by developers) security-related failings in software. With outlets
like YouTube, the budget to broadcast such advertisements would be
significantly smaller than it would have been when only the media
outlets were big commercial networks.

Just some ideas - no doubt some better than others. The real message
is "Yes, we need to change consumer behaviour" - but that alone
won't get us where we need to go.
