Alex Payne writes online here.


Schneier On Infosec Economics

A while back I wrote a post about the economics of information security. Yesterday, security expert Bruce Schneier spoke in a similar vein about where liability and economic burden should fall across the product security lifecycle.

I like what he has to say, but I'm not convinced that incentivizing developers to bear security costs up front (and, in theory, to ship more secure products) will shift enough of the economic burden onto attackers. As long as it's cheaper to pay people to exploit software than to defend it, and more profitable to reap the proceeds than to go straight, the underground will treat the threat of law enforcement as an acceptable risk and continue doing its worst, even in the face of (or in spite of) increased security spending.

It's also somewhat glib to suggest that "computer security isn't a technological problem; it's an economic problem." Really, it's both, and a cultural problem to boot.