Market-based way: Maximum profit, minimum cost (Score 1)
A market-based approach cannot work for cyber-security any more than a Government-led approach can, when the Government feels it has a vested interest in being able to monitor its own or other countries' citizens.
The market-based approach fails because the market-based philosophy is to maximize profit while minimizing cost, so the end result is a risk analysis of:
1. The odds of being hacked.
2. The odds of that hack being detected by someone outside the company, and that being published.
3. The odds of that hack being detected by someone inside the company who cannot be kept from releasing that information to the press.
4. The financial damage associated with the occurrence of 1 and either 2 or 3.
5. The potential damage to the company's reputation from being hacked and found out - this is the most valuable resource most companies have, but in the modern world the average person in the street has the attention span of a lobotomized goldfish, and Marketing/PR firms have had a LOT of practice at managing scandals in the political and corporate world, so while the damage to a company's reputation should be massive, in reality it will be relatively minor and very short-lived.
If the odds of being hacked and found out are 10%, and the financial damage is rated at $100 million, then the typical baseline risk analysis suggests that spending on cybersecurity should be around $10 million. Bean-counters and professional buyers will then swoop in and hire a consulting company to implement something that costs $1 million with $9 million in consulting fees, which then balloons to $29 million in fees due to project over-runs... but fundamentally you still end up with a $1 million solution to a $100 million problem, and the computer users will spend a lot of effort getting around that solution so that they can see their Facebook and lolcat websites.