<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: What a bunch of bull</title>
	<atom:link href="http://spiresecurity.com/?feed=rss2&#038;p=313" rel="self" type="application/rss+xml" />
	<link>http://spiresecurity.com/?p=313</link>
	<description>Risk and Cybersecurity Analysis</description>
	<lastBuildDate>Wed, 21 Aug 2013 23:28:51 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: Richard Veryard Software Industry Analysis</title>
		<link>http://spiresecurity.com/?p=313&#038;cpage=1#comment-434</link>
		<dc:creator>Richard Veryard Software Industry Analysis</dc:creator>
		<pubDate>Fri, 11 May 2007 15:05:01 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=313#comment-434</guid>
		<description><![CDATA[&lt;strong&gt;IT Security Industry&lt;/strong&gt;

It&#039;s always useful to ask provocative questions. Questions like &quot;Do we really need X?&quot; (or the equally provocative &quot;Does Y matter?&quot;) shouldn&#039;t be dismissed with a simple Yes/No answer. Such questions call for an exploration of the true actual or potent...
]]></description>
		<content:encoded><![CDATA[<p><strong>IT Security Industry</strong></p>
<p>It&#8217;s always useful to ask provocative questions. Questions like &#8220;Do we really need X?&#8221; (or the equally provocative &#8220;Does Y matter?&#8221;) shouldn&#8217;t be dismissed with a simple Yes/No answer. Such questions call for an exploration of the true actual or potent&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Perilocity</title>
		<link>http://spiresecurity.com/?p=313&#038;cpage=1#comment-435</link>
		<dc:creator>Perilocity</dc:creator>
		<pubDate>Thu, 10 May 2007 15:07:56 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=313#comment-435</guid>
		<description><![CDATA[&lt;strong&gt;IT Seat Belts&lt;/strong&gt;

Once people, especially customers, come to expect something, companies may do it without even being sued or having laws about it.
But people, for all their pride in individuality, are strongly influenced by what everybody else does.
]]></description>
		<content:encoded><![CDATA[<p><strong>IT Seat Belts</strong></p>
<p>Once people, especially customers, come to expect something, companies may do it without even being sued or having laws about it.<br />
But people, for all their pride in individuality, are strongly influenced by what everybody else does.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Lori MacVittie</title>
		<link>http://spiresecurity.com/?p=313&#038;cpage=1#comment-436</link>
		<dc:creator>Lori MacVittie</dc:creator>
		<pubDate>Fri, 04 May 2007 15:23:40 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=313#comment-436</guid>
		<description><![CDATA[&lt;strong&gt;Soylent Security&lt;/strong&gt;

Soylent Security
]]></description>
		<content:encoded><![CDATA[<p><strong>Soylent Security</strong></p>
<p>Soylent Security</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andy</title>
		<link>http://spiresecurity.com/?p=313&#038;cpage=1#comment-433</link>
		<dc:creator>Andy</dc:creator>
		<pubDate>Fri, 04 May 2007 04:59:41 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=313#comment-433</guid>
		<description><![CDATA[Peter,

I find this post and your Computerworld completely disingenuous.


Much has been written about the economics of computer security and like many industries before it there has been resistance to change and accountability.

Once upon a time you couldn&#039;t expect that your Doctor or your Engineer was accountable either until eventually people got regulations and such.

The history of new products and technologies is one of rapid new developments, snake-oil, eventual regulation as people come to expect a certain level of quality and accountability from the products and services they buy.

You attempt to make the point that software is somehow inherently different than other products without actually making a strong case that it is.

If I buy software that claims to provide certain features and benefits, and it doesn&#039;t deliver, at what point can I expect that the developer/vendor had some fault?  Should software vendors never be liable for faults in their software?  Maybe just never liable for faults exploited by a third-party?

What about a lock vendor that says their lock is pick-proof and then it gets picked by the average Joe.  Should I be able to get restitution from them?

One of the best pieces I&#039;ve read on the topic came from Cem Kaner - http://www.badsoftware.com/theories.htm.

I&#039;ve tried to write about it a little on my blog as well but I think he does as good a job as any in explaining the multiple theories of liability that might apply to a given software security/quality situation.
]]></description>
		<content:encoded><![CDATA[<p>Peter,</p>
<p>I find this post and your Computerworld completely disingenuous.</p>
<p>Much has been written about the economics of computer security and like many industries before it there has been resistance to change and accountability.</p>
<p>Once upon a time you couldn&#8217;t expect that your Doctor or your Engineer was accountable either until eventually people got regulations and such.</p>
<p>The history of new products and technologies is one of rapid new developments, snake-oil, eventual regulation as people come to expect a certain level of quality and accountability from the products and services they buy.</p>
<p>You attempt to make the point that software is somehow inherently different than other products without actually making a strong case that it is.</p>
<p>If I buy software that claims to provide certain features and benefits, and it doesn&#8217;t deliver, at what point can I expect that the developer/vendor had some fault?  Should software vendors never be liable for faults in their software?  Maybe just never liable for faults exploited by a third-party?</p>
<p>What about a lock vendor that says their lock is pick-proof and then it gets picked by the average Joe.  Should I be able to get restitution from them?</p>
<p>One of the best pieces I&#8217;ve read on the topic came from Cem Kaner &#8211; <a href="http://www.badsoftware.com/theories.htm" rel="nofollow">http://www.badsoftware.com/theories.htm</a>.</p>
<p>I&#8217;ve tried to write about it a little on my blog as well but I think he does as good a job as any in explaining the multiple theories of liability that might apply to a given software security/quality situation.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
