January 31, 2005

Security Breach Disclosure is required for the consumer to adjust risk assessment

I was knowingly guilty of asking an innocent question last week on the economics of disclosure. My penance will be forthcoming, no doubt, but in the meantime the question rebounds in the RFID breach post of yesterday. Jim posted:

"If the owner of a car parks it with the idea that it is safe, leaving his Picasso etchings in the backseat only to return to find that the Picassos were picked, then the courts will come into play. They will ask TI and this wonderful team of developers what the risk scenario was on this damn thing that did not work."

"The team can say many things but what they cannot say is the risk is or was acceptable. So the classic issue of notification to all owners of the now cracked security system is in order so they might be made aware of the shortcoming. Also a prudent reserve should be placed aside by the TI team for claims against their flawed product."

(Read the post for the full context. Disclosure: My emphasis above, and I edited the original post for style!)

What Jim is challenging is the assumption in security thinking that the designer can predict the user's risk profile. When placed in terms like that, it sounds clearly bogus.

How is it possible for the designer to know what the user is up to? Is she trading oil futures, chatting about shopping lists or viewing porn? These activities have wildly different risk profiles and it is also evident that different products would be suited for different activities.

Classically, as Jim implies but does not state, a 'good' discloses its capabilities and its weaknesses in the sales event. Yet those capabilities and weaknesses - the product profile - change over time. So the crux of security breach disclosure is to permit the consumer to readjust their risk analysis. It is not, and perhaps this is more important still, directly intended to serve the product manufacturer's needs.

So any economics of disclosure would be between the information holder and the end-user. That is, the seller of the good does not need to be in the loop, and only might be present if the seller has a convenient way to disclose (and/or a fiduciary duty to same, as is expressed in some laws).

And another insight I am having is that the essential economics of disclosing a security breach are the same as those of disclosure at the sales event. The purpose is the same: to give the consumer the ability to construct her risk analysis suited to her profile.

And thus, any attempt by the manufacturer (or the law or anyone else) to reduce disclosure is thereby reducing the ability of the end-user to readjust their risk profiles. Drawing from Hayek's information market, this is an a priori information 'bad.'

(Postscript: I wrote earlier on this flawed assumption in Who are you?)

Posted by iang at January 31, 2005 09:12 AM