ABSTRACT

Data breaches impose significant costs on society. Security experts have long known how to improve defenses, so why does society tolerate an avoidable loss? There are a variety of reasons, but this book argues that the most fundamental one is a lack of knowledge about the costs of data breaches and their probabilities. The central solution the book proposes is mandatory anonymous business reporting of relevant facts about breaches. This solution does not stand alone, however. The book sets it in a context provided by an examination of three types of vulnerabilities: software, mismanagement of defense, and human (e.g., the human propensity to trust that is exploited in phishing). For software, the book proposes changing the current consumer demand for insecure software into a demand for secure software. For mismanagement, the proposal consists of Federal Trade Commission actions supplemented by negligence actions by consumers. The book proposes education and training for human vulnerabilities but emphasizes the need to combine that with adequate technical defenses.