Computerworld blogger Jerri Ledford wrote an entry entitled “If you can’t protect me, I’ll take my business elsewhere.” In it, Ledford writes:
“But most of the other companies out there have a competitor that I can turn to if my first choice isn’t keeping my data safe, and you can bet your last chocolate chip cookie that I’ll pull my business away from a company in half a heartbeat if they tell me they can’t keep my data safe because ‘they don’t have the tools or resources…’
“Security is non-negotiable. If a company doesn’t have the tools or resources needed to keep data safe, there either needs to be a way found to have them, or the company needs to stop collecting customer data. No negotiation. I am the customer (or you, or whoever) and without the customer the business doesn’t exist. Companies had best realize this and start treating those customers as the valuable assets they are, or those companies will find themselves without the very factor that makes a business successful.”
Unfortunately, I think a customer’s exposure stays roughly the same no matter where they take their business, because there are too few alternatives in the marketplace for most major products and services: credit cards, air transportation, hotel chains, clothing manufacturers, etc. Switching providers only moves the data to another organization facing the same incentives.
What is a rational stance for an entity to take? It is this: as far as we know, at this time, we are keeping your data secure. If we find a weakness through our compliance and security checks, we correct it according to its risk and the cost of the fix. If there is a breach, we will close the hole, correct the underlying issue and assess the potential damage.
It is this trade-off between risk and cost that puts us in a Nash Equilibrium: no player unilaterally changes strategy, for example by guaranteeing that its customers’ data will never be breached, because doing so yields no long-term advantage. Whoever makes such a guarantee has not truly gained an edge over the other players, since that edge will most likely evaporate the moment a breach is publicized.
The airline industry is a useful comparison. Which carrier markets itself as the one that will never crash? None, because even though flying is the safest means of transportation, there is always the remote possibility that one of its planes will crash.
The reputational damage when such a claim fails outweighs any gain from marketing yourself on the strength of your controls.