Software Vendor Liability

Bruce Schneier calls for software vendor liability:
Fundamentally, the issue is insecure software. It is a result of bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the myriad effects of insecure software. Unfortunately, the money spent does not improve the security of that software. We are paying to mitigate the risk rather than fix the problem.

The only way to fix the problem is for vendors to improve their software. They need to design security in their products from the start and not as an add-on feature. Software vendors need also to institute good security practices and improve the overall quality of their products. But they will not do this until it is in their financial best interests to do so. And so far, it is not.

Information Security and Externalities, Bruce Schneier, Schneier on Security, 18 Jan 2007

Turn an externality into a liability, and software vendors will do something about it. The usual objection is that this would do in free software. I don’t see why, since it should be easy enough to craft liability laws that factor in profit, the chronic nature of bugs, etc., so as to distinguish between big commercial vendors and free software volunteers. Meanwhile, many users and even governments are applying their own kind of software liability by moving away from the biggest commercial vendor to smaller ones or to free software.

-jsq