The wave of data breaches raises two pressing questions: Why don't we defend our networks better? And what practical incentives can we create to improve our defenses? Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy answers those questions. It distinguishes three technical sources of data breaches, corresponding to three types of vulnerabilities: software, human, and network. It discusses two risk management goals: business and consumer. The authors propose mandatory anonymous reporting of breach information as an essential step toward better defense, alongside a general reporting requirement. They also provide a systematic overview of data breach defense, combining technological and public policy considerations.


  • Explains why data breach defense is currently often ineffective
  • Shows how to respond to the increasing frequency of data breaches
  • Combines the issues of technology, business and risk management, and legal liability
  • Discusses the different issues faced by large versus small and medium-sized businesses (SMBs)
  • Provides a practical framework in which public policy issues about data breaches can be effectively addressed

Chapter 1 (24 pages)

Chapter 2 (18 pages): Software Vulnerabilities

Chapter 3 (15 pages): Failing to Defend against Technical Attacks

Chapter 4 (15 pages): A Mandatory Reporting Proposal

Chapter 5 (8 pages): Outsourcing Security

Chapter 6 (9 pages): The Internet of Things

Chapter 7 (10 pages): Human Vulnerabilities

Chapter 8 (6 pages): Seeing the Forest: An Overview of Policy Proposals