May 30th, 2007 by Chandler Howell

The Inquirer has some commentary which includes a nice rant about the economics of the security industry today.

Whose interests are really threatened by cybercrime? Well, certainly not the software makers, the chip makers, the hard disk makers, the mouse makers, and least of all the virus busters and security firms which daily release news of the latest “vulnerabilities” plaguing the web.

No, the victims are the poor users. Not that they’re likely to have their identity stolen or their bank account plundered or their data erased by some malicious bot or other. The chances of that happening are millions to one.

No, what they are forced to do is continually fork out for spam-busting protection, for “secure” operating systems, for funky firewalls, malware detectors or phish-sniffing software. All this junk clogs up their spanking new PC so that they continually have to upgrade to newer chippery clever enough to have a processing core dedicated to each of the bloatsome security routines keeping them safe while they surf.

It’s a con, gentlemen. A big fat con.

No one has a business interest in catching identity thieves or malware writers. There’s no money in it, so no-one’s bothered.

There’s too much money to be made in solving the problems to actually eliminate them. No amount of software security liability is going to change that fact. The Legal OODA Loop is orders of magnitude too slow to keep up with the situation on the ground, the concepts are still too esoteric to lawyers and judges, and the entrenched interests are too well-funded.

You manage the risks this world brings and you go on. That’s all there is to it.

- Posted in Security and Risk Management, Risk Management, Network Security

Saso Says:

You said it, Chandler.

And when you realise that the cost of a dubious ‘cure’ is more than the ‘disease’ - you do what makes sense. Except that many get swayed with a big “what if” and forget that even the biggest “what if” won’t cost nearly as much as accumulated cost has been over the past year.

*Sigh* Sometimes the business needs to be taught basic principles of good investment.

- May 30th, 2007 at 6:05 pm

One clarification I want to add is that I don’t think that eliminating the need for an Information Security industry is ever going to happen at any level.

Software, both operating systems and all the myriad applications that run on them, will continue to have vulnerabilities. We will continue to improve our ability to limit the impact of them, but they will continue to exist.

Fraud isn’t going away any time soon, and the need to effectively identify what needs protection and how much isn’t going away either. In that regard, end users will continue to be the real victims.

What I would realistically like to see is a reduction in the requisite knowledge that end users must possess in order to achieve their desired level of risk.

What we as risk & security professionals should be doing is working to make that possible, not justifying techno-lust with FUD and theater, which is what this whole industry often seems founded on.

- May 30th, 2007 at 6:53 pm