Security liability: Who's to blame for a data security breach?

Who's responsible for security breaches? Short answer: everyone.

It's 4 a.m., and the last person you want to hear from is the security watch leader at your hosting firm. It seems that after last night's upgrades, one of your servers started sending unusual ICMP packets off to Korea. Protocol is: call you.

So now the baby is crying, your spouse is fuming, and you're stomping around looking to take a strip out of someone's hide.

But whose hide? Who's responsible for the breach? Liability for security vulnerabilities and exploits isn't easy to assign, according to the Information Security survey. We asked who should be held most responsible for security incidents, giving survey respondents six choices:

  • Hardware/Software Developers
  • Service Providers
  • Deploying Organization
  • Users
  • Perpetrators/Attackers
  • Other

Not surprisingly, respondents assigned the most responsibility to perpetrators of the incident (30 percent)--the hackers, crackers and script-kiddies who exploit an identified flaw (see Figure 4). But those surveyed weren't shy about spreading the blame around. Runners-up in the blame game were developers (25 percent) and users (22 percent). The deploying organization and service providers got off relatively lightly, with 14 percent and 8 percent of the responsibility, respectively.

The survey indicates that most security professionals appreciate the complexity of business and of system administrators' work environments. It's easy to blame the attacker and leave it at that. But that's not the whole story.

You might assume that security staffers would simply "kill the messenger"--blame those who report the incident or manage the systems. But service providers and deploying organizations get off the hook relatively easily. Sure, management undercommits to security, and sysadmins are quick to ignore it, but that doesn't mean they should be held most responsible for incidents.

On the other hand, users get more blame than you might assume. Rhetoric about "security is everyone's job" aside, laying responsibility with users implies a certain malice on the users' part. Is that true? Do user-related security breaches stem from ignorance or malice? We didn't ask that question specifically, but the likely reading is that security practitioners see their users as more mindless than mean.

Microsoft bashers have always longed for a way to sue the software giant over security flaws in its products. So it comes as no surprise that survey respondents place a lot of responsibility for incidents in the lap of system and application developers.

"The best thing we could do to improve IT security is to make vendors responsible for the quality of the product[s] they produce," says one survey respondent from a large energy company. "It might slow down [the product's] release to market, but the product would be more stable, less buggy [and] more secure as a result."

Overall, there's significant support for computer hardware and software product liability, at least in the area of security. But the reality is that organizations rarely take on liability unless forced into it.

"The customers are going to be the ultimate deciders in the marketplace as they are with any set of products," says Harris Miller, president of the Information Technology Association of America (ITAA).

"If companies who produce IT products and services cannot satisfy their customers by offering reliable products and services, they are going to go out of business, because the customers are going to stop buying the products and services."
