2 Comments

Great article. I wish you had covered the obvious alternative to a liability regime where government defines what "secure" means. You think about assigning liability when you view the situation in a Coase Theorem kind of way... externalities, least-cost avoider, etc.... And you end up with malpractice cases, insurance, tort reform, and endless "compliance" requirements that are not well suited to the product.

However, if you view the problem in a "Market for Lemons" kind of way, the right intervention is to fix the asymmetric information problem. So you establish a mandatory transparency regime where government only says you must disclose your security story -- threat model -> defenses -> assurance -> monitoring. In this regime, the *market* effectively chooses the right level of security.