Our current way of viewing information security is loss prevention. It is an insurance model. And, although insurance is useful and necessary, senior managers are not likely to spend one dollar more than necessary to obtain the needed protection. After all, information security doesn’t make money–it only spends.
Why is it so hard to convince management to spend on security?
This is not a new problem. In Woody Allen’s 1975 classic “Love and Death” , he writes: “There are some things worse than death. If you’ve ever spent an evening with an insurance salesman, I’m sure you know exactly what I mean!”
There is an alternative: Virtual Trust  as an information security model. According to the Virtual Trust model, security actually creates business and generates revenue.
The VT model can be expanded to describe the breakdown of all modern day computing (via worms, viruses, phishing) since these nefarious activities weaken trust. VT can also explain positive business changes such as the creation of digital assets via DRM (iTunes, Unbox) whereas the insurance model cannot.
If you were an executive and had the choice of spending $1 million dollars for a system that would generate $300,000 a year in profit or spend $1 million dollars to prevent $1 million worth of loss, which would you choose? (Perhaps it is a false distinction? Perhaps VT leads to a different answer…)
[Thanks to Sam Dekay for reviewing this entry before I posted it. Some of the text is his, but I still own the Allen quote! ;)]