Team 1 Sec4.2

Santtu 00:27, 22 October 2005 (PDT)

Adequacy of existing incentives -- Financial (Very rough initial draft):

Although these incentives appear significant, in reality they may be weaker than they seem. This is because the damages from minor attacks can easily be absorbed by the financial corporation, and the likelihood of major, or large-scale, attacks is viewed as low enough that extra defenses are not required.

The damages from minor attacks can easily be absorbed by the corporation through write-offs, as is done, for example, with credit card fraud. The damages to the corporation are also limited by the difficulty of assigning cause to the corporation: courts generally do not allow tort law actions to be brought when the damages are purely economic, and thus customers harmed economically cannot take the corporation to court. Although contract law is one viable option, it does not apply to cases where no contract exists. For example, if an attack on company A opens the avenue for an attack (such as DDoS) on company B, company A would be protected from contract law liability if it has no contract with company B, and thus may not consider it necessary to provide defenses.

The ability to absorb minor damages and the unlikely occurrence of major attacks result in protection upgrades that are more reactive than proactive. For the incentives to be adequate, they should lead corporations to look ahead to new threats and protections rather than reactively patching or upgrading their systems, since by that point the system could already have been compromised.