Why Don’t We Defend Better?
Data Breaches, Risk Management, and Public Policy
Robert H. Sloan
Richard Warner
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-0-8153-5662-2 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Names: Sloan, Robert H., author. | Warner, Richard, 1946- author.
Title: Why don’t we defend better? : data breaches, risk management, and public policy / Robert H. Sloan, Richard Warner.
Description: First edition. | Boca Raton, FL : CRC Press/Taylor & Francis Group, [2019]
Identifiers: LCCN 2019010377 | ISBN 9780815356622 (hardback : acid-free paper) | ISBN 9781351127301 (ebook)
Subjects: LCSH: Computer networks--Security measures--Government policy. | Computer security--Government policy. | Business--Data processing--Security measures. | Computer crimes--Risk assessment.
Classification: LCC TK5105.59 .S585 2019 | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2019010377
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Contents
Authors, ix
Chapter 1 ◾ Introduction 1
WHAT IS A DATA BREACH? 2
FOUR EXAMPLES 4
WHY DON’T WE DEFEND BETTER? 13
THE LACK OF INFORMATION PROBLEM 14
LEGAL REGULATION 19
ENDNOTES 19
Chapter 2 ◾ Software Vulnerabilities 25
DISTRIBUTION OF VULNERABILITIES OVER TYPES OF SOFTWARE 26
SOURCES OF SOFTWARE DEFECTS 27
THE “MAKE THEM LIABLE” REMEDY FOR SOFTWARE VULNERABILITIES AND ITS LIMITS 31
LACK OF INFORMATION ABOUT COSTS AND PROBABILITIES 34
CHANGING CONSUMER DEMAND 36
A LEMONS MARKET FOR SOFTWARE? 36
ARTIFICIAL INTELLIGENCE: A FUTURE SOLUTION? 39
CONCLUSION 39
ENDNOTES 39
Chapter 3 ◾ (Mis)Management: Failing to Defend against Technical Attacks 43
(MIS)MANAGING SOFTWARE VULNERABILITIES 45
KEEPING SOFTWARE UPDATED AND ACCOUNTED FOR: PATCHING AND INVENTORYING 46
DATA DEFENSE: ENCRYPTION 49
(MIS)MANAGING NETWORK DEFENSES 50
SO HOW HARD IS IT FOR A LARGE ORGANIZATION TO MOUNT A GOOD TECHNICAL DEFENSE? 53
CREATING AN INCENTIVE TO MANAGE BETTER 54
ENDNOTES 56
Chapter 4 ◾ A Mandatory Reporting Proposal 59
THE BUSINESS RISK MANAGEMENT GOAL 59
MANDATORY REPORTING 60
THE CONSUMER RISK MANAGEMENT GOAL 63
DATA BREACH NOTIFICATION LAWS 68
CONCLUSION 70
ENDNOTES 70
Chapter 5 ◾ Outsourcing Security 75
THE RISE OF MANAGED SECURITY SERVICE PROVIDERS (MSSPs) 76
ARGUMENTS FOR OUTSOURCING 77
MONITORING, MONETIZING, AND PRIVACY 79
A CHANGING LANDSCAPE 80
ENDNOTES 81
Chapter 6 ◾ The Internet of Things 83
WHAT IS THE IoT? 84
THREE IoT SECURITY ISSUES 84
RECENT ATTACKS 86
AN EVEN STRONGER CASE FOR OUTSOURCING 88
THE MOTIVE TO MONETIZE INFORMATION 88
ENDNOTES 90
Chapter 7 ◾ Human Vulnerabilities 93
PHISHING 93
EDUCATION AND TRAINING 96
TECHNICAL DEFENSES TO PHISHING 99
SECURITY MIND-SET MORE GENERALLY 100
ENDNOTES 102
Chapter 8 ◾ Seeing the Forest: An Overview of Policy Proposals 103
THE PROBLEM 103
SUGGESTED SOLUTIONS 104
A CHANGING LANDSCAPE 107
ENDNOTES 108
Authors
Robert H. Sloan is a Professor and Head of the Department of Computer Science at the University of Illinois at Chicago (UIC). He has a BS in mathematics from Yale, and an SM and PhD in computer science from the Massachusetts Institute of Technology (MIT). He is a member of the U.S. Department of Homeland Security Privacy and Integrity Advisory Committee. In the early 2000s, he served as a Program Director at the National Science Foundation. In recent years, he has overseen the growth of the UIC Computer Science Department from 28 to 55 faculty (and growing). Dr. Sloan’s current scholarly work includes public policy issues in computer security and privacy as well as computer science education. In the past, he also worked in theoretical computer science and artificial intelligence. He has published over 100 articles, as well as a book he coauthored with Richard Warner, Unauthorized Access: The Crisis in Online Privacy and Information Security (Chapman & Hall/CRC Press, 2013).
Richard Warner is a Professor Norman and Edna Freehling Scholar, Chicago–Kent College of Law. He has a BA in English literature, Stanford University; PhD (philosophy), University of California, Berkeley; JD, University of Southern California, Los Angeles. He is the Faculty Director of Chicago–Kent’s Center for Law and Computers, the Cofounder and Director of the School of American Law, the Codirector of the Center for National Security and Human Rights, and the Head of the School of American Law,