Difference between revisions of "Team 1 Sec4.5"

From CyberSecurity
Revision as of 15:21, 21 October 2005

--Hema 23:45, 20 October 2005 (PDT)

List and evaluate possible policy levers for government intervention (e.g., tax incentives, legal liability, insurance).

1) Give tax breaks to companies that develop security technologies. To be useful, it would have to lead to lower prices for the right kinds of security products, or better performance at the same price.

2) Give tax breaks to people and organizations that use networked computers in a properly secure way or to obtain cyber-security insurance. In practice, of course, we can’t afford to do a security evaluation on each taxpayer to see whether he deserves a tax break, so we would instead give the break to those who meet some formalized criteria that serve as a proxy for good security. Designing these criteria so that they correlate well with the right kind of security, and so that they can’t be gamed, is the toughest part of designing the program.

Santtu 08:00, 21 October 2005 (PDT) Insurance, however, would be a much more feasible alternative for companies, such as those in the financial sector, where the risk of exposure to the insurance company is high enough that they would audit and monitor these systems. Insurance premiums could also be a driving force to do more than the "standard" level of protection.

3) Government could invest in basic research in cybersecurity. This would result in more capable security products in the long run.

4) Increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions. This might indirectly lead to more cyber crimes with perpetrators targeting companies for easy money.

5) Shifting liability to another party that has the capability to prevent computer security breaches or mitigate the harm caused. This strategy places liability on actors with indirect control over Internet security; computer owners can secure their computers. But then the strategy would assign liability to computer owners whose negligently insecure property serves as an attractive intermediary for computer criminals.

6) Another proposal is to place liability on Internet service providers that permit their users to attack computer security elsewhere. The efficiency of forcing Internet service providers to exercise control over their users is questionable; it would likely be extremely costly and intrude on the privacy of Internet users.

7) Mandatory disclosure law requiring companies holding computerized personal information of users to take steps either to encrypt this personal information. Non-compliant companies should be subject to civil suits, including class actions, for damages.

8) Stricter punishment for perpetrators of computer crime. Unfortunately they are not only difficult to identify; they are difficult to apprehend and prosecute or sue.

9) Requiring distribution of computer software and hardware with the most secure default settings activated. Several companies already do that. But for non-savvy users it will be difficult to customize their machines according to their requirements.

Santtu 08:00, 21 October 2005 (PDT)

10) Tort law reform so that it can be applied to negligent computer security by making computer security a legal obligation for companies. Explanation: There are four requirements for tort law to apply, one of which is that the defendant had a legal obligation to do what they are accused of not doing. Tort law has also in the past generally only applied to non-economic damages resulting from the defendant's lack of action; since most computer crime results in economic damages, this aspect would also need to be addressed by legislation.

11) Related to #10. Require establishment of industry-wide standards on computer security. These standards would increase the exposure of companies that do not fulfill these standards to lawsuits under negligence provisions -- for example civil liability.

12) Mandatory reporting of computer security actions, plans, and expenditures in company annual reports. The SEC has already set a precedent for this type of reporting with Y2K, when it required companies to report on their Y2K preventative measures in their annual reports. This type of disclosure would allow investors to take cyber security into account in stock prices.

13) For financial industry systems, the legal changes need not come directly from government, since certain changes can be mandated by entities such as the stock exchanges.


Overview for financial industry: The target of new incentives would be to expose the companies to the same level of risk/damages as their customers, since currently in many cases the companies can absorb certain losses due to computer crime and therefore do not consider it cost effective to defend against these classes of losses. I.e. shift the burden from customers to companies -- the difference between ATM fraud liability in the US and UK is an example of the effects of this: in the US the burden is on the bank to show that the loss was the customer's fault, while in the UK it is the customer's burden to show that the loss was not their fault but rather a problem outside their control.