@ Alex Bond,
Sorry for the delay in the reply but my answer is going to be both long and somewhat off topic of the thread.
With regards to your comment,
"America will not change in the near future. With that in mind, how can you incentivise security?"
That as they say is the rub...
Security comes in a number of flavours so I'm going to be general not specific.
Firstly the view from a senior manager's position,
A "tangible" infrastructure investment is an outright loss in the initial stages of the investment. At some point it reaches a break even point after which it shows a profit for the rest of its use.
However as a general rule of thumb newer technology becomes more "efficient" with time and older technology requires increasing maintenance, so combined its running cost goes up.
Thus the two curves when combined give you a "bath tub" curve which defines the profit life of the investment.
It is however not clear if an "intangible" infrastructure investment (such as ICT security) follows the same curve or in fact if it will ever present a return, which presents a significant dilemma.
Which coincidentally is effectively the same as the R&D dilemma giving rise to intellectual property such as trade secrets and patents. And can be expressed as,
"what is the probability of a return -v- sunk costs".
This boils down to a time related gamble...
The longer the problem is left the higher the probability is that it will go wrong. In the case of R&D somebody else gets their patent in first, in the case of security the probability that your ICT will be attacked in a particular way if you don't mitigate against it.
However all spending initially reduces profit or short term shareholder value. So in the short term all investment in security or R&D is a complete loss.
Even in the long term some investment is so risky that it's like betting on a three legged horse and hoping the other horses get eliminated...
Thus with security and R&D there is little certainty the investment will pay off in the medium or even long term.
Then there is also the issue that security spending is like defense spending, you cannot show that you've spent too much only too little...
And then there is the difference between physical security and ICT security which boils down to a question of locality risk probability.
With tangible assets the risk goes up the more people there are local to it. Thus a gold brick in the middle of dense jungle is probably more secure than in a vault in a Bangladeshi bank (Bangladesh supposedly has the highest population density per SqKm).
Further with a tangible asset there is only one place a person can be at any one time and only so much unaided effort they are capable of. Which means they have to have physical force multipliers to do more than a very small minimum damage at any one time. Physical force multipliers tend to be expensive and thus act as a second constraint on tangible assets.
With intangible security there is no distance, everything is local, and force multipliers are at near zero cost. Thus one attacker can effectively attack in all places at the same time.
Which means there are few if any models to use to define the return on ICT security investment...
The only one being that risk goes up with time and thus you would be entering a "Red Queen's Race".
However the way a manager will see this is at zero time there must be zero risk, and thus minimal risk short term (which is just not true).
All of which says to a manager it's "all sunk costs" within a short time frame, but importantly it comes out of his apparent performance not the company's bottom line...
Which is going to make it a virtually impossible sale to "short term" management.
Therefore I would say you need to mitigate or get rid of the short term viewpoint, or as engineers would say "dampen the response".
Short term profit is mainly made in a rapidly changing or chaotic market. Thus it's in the interests of traders to keep the market rapidly changing.
But for most people that is not true, they want moderate change that allows average growth over a reasonable time frame.
Which gives rise to the question,
"how do we achive this?"
There are easy but flawed answers such as "legislation" but sticks only work so far before the beast turns around and bites or runs off somewhere it does not get beaten (which is one major reason for foreign outsourcing). Likewise carrots are just another reward system that pales after a few bites, and becomes exponentially expensive for the reward giver.
Also we have tried legislative sticks (SarbOx) and membership rules (PCI), and we already know they do not work.
All they do is set up a "faux audit market" place. Where the "security policy" from above is not "to be secure as best we can" but to "meet audit".
Then there is the question of the "how of an audit", the company being audited "selects and pays the auditor" thus an auditors income is based on what companies are going to select them by...
Which is the classic "conflicts of interest" issue that dogs "free markets" and economists by and large ignore.
Thus we have seen auditors turn blind eyes in finance for many years, so much so that company audit reports are virtually worthless to anybody seeking information on if they should invest or steer well clear (Enron for instance, or toxic mortgage contracts). And it was this that gave rise to SarbOx which was virtually a blank invitation for the audit industry to fill in as they wished that would be passed into law without question.
The fact that even the audit industry says it does not pass first base on its stated aims and objectives says a lot about where the audit industry sees its responsibilities at the senior levels.
One argument that has been suggested is to use the tax system to make short term systems unattractive to investors. In the UK we have "Capital Gains Tax" which basically assesses the tax owed on a sale based on the difference between the buy and sell price. However it is too simplistic in its approach due to other tax law allowing loopholes.
One nice thing about CGT was the "taper", that is the tax due on a sale went down on a year by year basis and after a period of years there was no tax to pay.
Another more recent idea is to pay executives a small basic pay and then lock the majority of their remuneration into the long term performance of the company.
I'm not suggesting that this is a solution because I can see many issues and problems with the ideas.
But I do know one thing, we need to discuss options no matter how odd whilst there is still time to do so, otherwise we will end up in a position we most definitely do not want to be in where only criminals thrive.