
Good. Security will only be a priority when it's more expensive than profit.


That's part of the definition of good security engineering. Protect stuff up to its value, and never spend more money than what is needed to rebuild it from scratch.


Yep. This. Couldn't agree more. I went to a BSides talk years ago titled "Does DoD Level Security Apply to the Real World?" ~ In summary, Yes.

The premise of the talk, as I understood it, was that too many small operations or "mom and pop" shops think that they do not need "Department of Defense" level security, because they're a small general store, not Fort Knox. That's a misconception. "DoD Level Security" doesn't mean that you protect your place like the NOC list in Mission Impossible; it means that you are proactive in thinking about your threat model and assessing the value of your assets. If, after proactively thinking it through, you're still comfortable with just a cheap padlock and no alarm system, then you've applied "DoD Level Security" (or something like it).



Capping spending on security to the cost of rebuilding from scratch implies that total loss is the worst thing that can happen from a security breach. That isn't true. A security breach could be more costly than a total loss.


I think that for-profit organizations actually mesh quite perfectly with the "security economics" perspective. I.e., they care about security to the extent that they see it affecting their own utility function. In ideal circumstances, negative externalities like the impact on the breached users flow back into the company's incentives via bad PR. The problem is that there's a shortcut: it's inherently easy to hide security breaches, given that the security domain already involves a baseline level of opacity (as opposed to, say, product or pricing decisions). As it often is, the approach here should be to reconnect this feedback loop, by regulating and vigorously enforcing penalties for failing to disclose breaches. Suddenly, the "value" of security from the perspective of the organization drops precipitously. To make matters worse, hiding security breaches causes collateral damage by making mitigation by its victims harder (if no one tells me my SSN was leaked, I won't (e.g.) freeze my credit report).

The answer, as it often is, is for regulatory pressure and robust enforcement to connect the externality's consequences back to the agent. The easiest step is by requiring disclosure of breaches. As such, the news in this article seems like it should be unequivocally celebrated.


The problem with the statement is that value function might be quite different for the company vs the impacted user.


Protect stuff up to its value, and never spend more money than what is needed to rebuild it from scratch.

Oh, but the problem appears when you're holding other people's information. "Your SSN ain't worth much to me, sorry, keeping that pipeline open only matters X much to our bottom line," etc.

"Good Security


Thanks, yes. Like I said in my other comment: if you keep other people's money there are laws and rules that apply to you. You may not be negligent with it. The phrase "fiduciary duty" comes to mind.

Yet somehow, keeping their PII imposes almost no obligations on you at all.


I will only add:

About god damn fucking time.


Indeed, liability for insecure and careless software proven to allow cyberattacks is what is missing; only then will management start to care about which programming languages and development processes they take into use.


Or when security actually becomes profitable in itself.


Security is profitable. Very profitable. It's likely one of the reasons a lot of companies avoid it... it's very expensive and most don't see it as adding to the bottom line because it's largely invisible, but taking from it, until something major happens.


That's why dapps on Ethereum and the likes are and will be way better than any alternative.


And a business cannot operate at a loss, so increased expenses will be passed on to customers. Yay.... right?

If we can make security lapse expenses higher and higher we can all pay more and more until all products are completely secure but no products remain....


Yeah, who needs those aircraft safety regulations, where is my Boeing Max-Max with a 50% chance of taking a swim mid-flight?


The vast majority of software security issues don't kill people. Trying to price them higher than current levels will add cost to goods, no?


Goods cost you in ways other than their price - unsafe electrical goods can burn down your house, leaking your personal data can cause you to be robbed or defrauded, food can cause poisoning, etc.

So you might save $5 on the price of the "smart doorbell" and then lose $50,000. Obviously there is some kind of balance that needs to be struck, but the amount of data leaks and fraud is plain out of control at the moment.


The same applies to food regulation, restaurants, supermarkets, goods that don't last the warranty time, ...

If a business cannot manage, it closes, as simple as that.



