In the interview you say that regulation sells more security products and services, but you imply this is because fear and greed don't work as motivators for security. This seems like a non sequitur since complying with the law is a fear-based rationalization: the fear of prosecution or even the fear of an expensive lawsuit is the underlying motivation.
I agree with you that regulation sells more security products and services, but I think it has more to do with the fact that regulation ends up creating a (perhaps ad hoc) set of metrics that can be used to somewhat objectively measure the end result in a language that business people understand: the law.
Will liability ever settle upon operating systems with security failings that result in actual damages, I wonder, or will the conditions of customer agreements always preclude that possibility?
An interesting reading, Bruce, as ever.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.