Managing Online Security Risks

The biggest pitfall of cyber security is not technical vulnerability but humans. Effective risk management is a question of practices, not technology. The focus of cyber security is too much on hard cryptography and not enough on user experience, economics, and incentives. Computer security is poor when the liability from an attack is diffuse. Banks can do a better job of managing risk than customers, so they should bare more of the liability, especially when it comes to A.T.M. banking. Assigning liability should include examining the incentives of everyone responsible for the system while simultaneously not making liability too diffuse. This study of incentives opens the door to cyber-insurance. However, insurance companies have little experience with cyber security and would not offer much protection. The next step to cyber security is to assign legal liability to those most able to reduce risk.