

Why society should pay the true costs of security - bootload
http://www.guardian.co.uk/technology/2008/oct/02/chemicals.terrorism

======
dejb
Part of the true cost of these products is their security risk. That cost
should ultimately be paid by those who use the product. Otherwise there is no
incentive for people to find better, safer chemicals/means to achieve their
goals.

Passing the cost on to 'society' provides no incentive and so leads to a
continued inefficient overuse of these resources.

As usual Bruce Schneier demonstrates no understanding of market economics when
he says

> There's no free lunch, of course. "We", as in society, still pay for it in
> increased prices

It's not 'we as a society' who would pay for it but those people who chose to
use those products or their derivatives. The crucial difference is that one
option provides incentive to change and the other doesn't.

------
aneesh
It's a simple argument, but it's interesting if you extend it to securing
personal information in the cloud. The amount you pay a company to store your
data (incl. per-capita ad revenue they make from you) is effectively a cap on
the amount they'll spend to secure it.

~~~
jodrellblank
The chemical company's situation is different - the people who care about an
attack (nearby people) and the people acting on the reputation (customers) are
different, so there is incentive for the nearby people to pay towards their
own protection. The attack is rare and unlikely so sympathy is high as long as
the company is putting "reasonable" measures in place.

Cloud data theft - the people who care about the attack (customers) are the
same people acting on the reputation, so the reputation hit matters more. Such
attacks are common and predictable, so sympathy will be lower. People nearby
aren't involved so there is no incentive for anyone else to pay to protect
your data. Knock-on economic effect is spread much more widely over more
systems and so is less intense and more difficult to gauge, and you'd be
taking time off work and using your weekends to sort it out so it would have
less impact.

So the cloud company has incentive to spend more on security than you might
think, if they judge the reputation boost will help future earnings enough. It
may do so where it may not for the chemical company.

------
nazgulnarsil
since when is "there might be a terrorist attack" a legitimate argument for
more government regulati....oh, right. I forgot that after being attacked once
we all turned into whiny babies. mission accomplished hijackers.

------
mtw
i don't get why this is on hn.

and to take the article example, if there is a chemical plant producing
critical / dangerous products, it should be taxed by the government
accordingly; with the taxes spent on security

~~~
bootload
_"... i don't get why this is on hn. ..."_

Situation awareness.

Vigilance is required in an era of
<http://en.wikipedia.org/wiki/Asymmetric_warfare>. Schneier is simply
highlighting that what appear to be safe, reliable everyday industrial
chemicals can in fact be used against civilians. For example check the
disruptions of unintentional chemical spills in my own home town, Melbourne ~
<http://www.google.com.au/search?q=melbourne+toxic+chemicals> then consider
the effects of intentional use in a large city. With a bit of forethought this
can be minimised. While the obvious chemicals like fertilisers (Ammonium
Nitrate) are now controlled (you need to apply to purchase large quantities)
chemicals manufactured or stored in large concentration are a potential weak
spot and should be systematically plugged with minimum security guidelines.

