Report: Market forces not enough to improve security

Computerworld - Market forces alone are unlikely to create the necessary incentives for businesses to make significant improvements in security, according to a study published this month by the Brookings Institution.
The study, "Interdependent Security: Implications for Homeland Security Policy and Other Areas," released Oct. 17 by the Washington-based public policy think tank, argues that the shared-risk nature of today's security environment actually discourages companies from making the sometimes costly investments in security.
In addition, the report states that when industry-leading companies fail to invest in certain security precautions -- because of cost or other reasons -- the knowledge that those companies aren't making such investments can help "clinch a decision not to proceed" at other firms.
"In these circumstances, an entire industry may be unwilling to take reasonable precautions against catastrophe," according to the report. Therefore, "a combination of regulations, insurance and third-party inspections offers the most auspicious approach to improving security at reasonable economic cost."
The Brookings study comes at a time when many in the private sector, including experts from various software developers and security service providers, have been quietly expressing dissatisfaction with the White House's recently released National Strategy to Secure Cyberspace (see story). According to some industry and Wall Street observers, the plan's reliance on market forces to drive security investments in the private sector is its Achilles' heel. When asked recently if they thought the plan's market-focused approach would work, a group of Wall Street venture capital experts and CEOs simply shook their heads and laughed.
Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, said in a telephone interview from Pittsburgh, where he was attending the latest of the White House's Town Hall Meetings on the national strategy plan, that the Brookings study is but one perspective on the role and definition of market forces.
"I've seen a tremendous shift in awareness and the way people look at what they expect from the market," said Schmidt. "We don't think the answer is going to be as Draconian as [the Brookings study] indicates. Market forces does not only apply to the development of software and hardware. It also applies to the need for individual organizations to secure their environment."
In an interview last month on the topic, Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, acknowledged the existence of a "middle ground" between government regulation and industry self-regulation.
"There are laws already on the books that generally require IT security measures," he said at the time. While those regulations may be tweaked,