What mind-set does security require?
So, I was reading my copy of Information Security Magazine when I came across an article by Jay Heiser about "Military Madness". Go read it yourself - I'll wait.
The article amused me particularly because my boss and one or two of my co-workers came out of the military.
Sadly, I don't think the business mind-set always helps all that much, either.
The most glaring examples are the "your data is now ours, and we can sell it to whomever" issues that have been plaguing various credit card processing companies for some time.
Where I work, in health insurance, I've found the safest position to occupy is to view the member's data as belonging to the member, and held in trust by us solely for the purpose of doing business on behalf of that member.
I think that a lot can be achieved simply by re-coupling benefit and loss, or risk. Take credit cards, for instance, where the benefit accrues to the banks, and the loss accrues to the vendor and rarely to the customer.
Vendors can't tell credit card companies that they're going to go to an all-cash basis, and they won't get far by telling customers that their credit cards are too risky to take. So, the banks cleverly lump all of the risk with the group least able to manage it - while at the same time making commercials that imply that identity theft is all the fault of those nasty vendors.
There's no feedback within the credit card system that allows or encourages it to self-strengthen. Any strengthening measures are imposed from outside, such as the US law that limits a card-holder's liability to $50 - but even this is short-sighted, as it offers no protection to the merchant. The merchant gets charged on the transaction coming in, bears the cost of any goods they send out as a result, pays a second charge on the refunding of the money to the card-holder, and often pays a $25 "chargeback fee" for having the temerity to accept the credit card in the first place, despite having no reliable way to verify that the card is in the possession of the card-holder.