When people try to prevent their homes from being broken into, there is only so much they can do alone. A homeowner can buy better locks or install an alarm, but those measures only work to an extent.
Starting a neighborhood watch, on the other hand, may be more effective.
Improving information security is similar. A company can only do so much itself to improve its own security, and there comes a point when enterprises and the government will be asked to share resources and information on vulnerabilities and security incidents.
In some cases, truly improving security will require companies to make investments in "internalized externalities," which are things that will help others in addition to themselves.
The situation is analogous to community members deciding they want a park in their neighborhood, said Adam Golodner, associate director for policy at the Institute for Security Technology Studies at Dartmouth College. "So we decide everyone should pay $5, but someone says they will only pay 50 cents. I wouldn't feel very good about it if others are not paying," he said during the recent e-ProtectIT conference at Norwich University, in Northfield, Vermont.
Yet Golodner is not calling for the government to step in and mandate security. Such a move would stifle innovation, which is just what is needed to improve security, he said.
Golodner envisions companies beginning to see security as strategic because it protects them from downstream liability (and hence reduces insurance costs) and gives customers a higher level of confidence.
Large companies need to realize that their businesses depend on the security of the Internet, said Ken Watson, manager of the critical infrastructure assurance group at Cisco Systems Inc. "The health of the Internet is the health of Cisco," he said.
Public confidence is an intangible factor but one that companies need to take seriously. A public compromise of a system that results in data theft can be disastrous to a company's reputation, as well as its bottom line. Companies that are banking on the promises of the Web need to be conscious of the public's perception of its safety. Recent studies have shown 60% of people won't buy over the Internet because of security concerns, said TruSecure Corp.'s William Hugh Murray, who also spoke at e-ProtectIT. "Security is not an enabler but a necessity, if we want to enjoy the promises of IT," he said.
Murray said companies must heed public perception. Nuclear power is an example of a technology that never got the public trust. "Fifteen hundred people die a year just extracting fossil fuels," he said. "Atomic power is magnitudes safer, but it doesn't have the public trust."