Security Investment: Pay It Forward

The Tipping Point by Malcolm Gladwell explored the theory that everything from shoe fads to the flu is governed by “tipping” behavior: If a few influential people catch the bug, adoption “tips” and an epidemic begins. According to a recent report from The Brookings Institution, security works the same way: If key players invest in security, others will have incentive to follow, and market forces will take over.

At least that’s what President Bush’s cybersecurity adviser Richard Clarke is expecting to happen with information security, and it’s the reason he’s not advocating government regulation or tax incentives. But the research from The Brookings Institution backs up the opinions of more cynical security experts.

“In lots of sectors, the market forces aren’t working,” says Howard Kunreuther, a Wharton School professor who coauthored the study, “Interdependent Security: Implications for Homeland Security Policy and Other Areas.” “When you see that other individuals, designers or users have not taken protective action, then the incentives to invest in security may be diminished” because the actions (or inactions) of others will still create weaknesses.

Kunreuther argues that tax incentives, or a law requiring cyberinsurance for critical infrastructure companies, could make all the difference. Then, he says, “you’re not hoping that some market player is the tipping point. You, the government, would be directly changing the incentive yourself.”

Howard Schmidt, Clarke’s second in command, respectfully disagrees. “Most of the major IT vendors have publicly come out and said that security is the foremost thing on their plate.” At non-IT companies, he says, “every indication we’ve gotten from the senior executives is that they do take security seriously. Obviously there’s cynicism that this is just talk, but I think that the government and the people that depend on the critical infrastructure won’t tolerate rhetoric.”