Attending a breakout session at last week’s CSIT conference, the subject of liability in cyber education came up.
Hosting the session were Dr Ulf Lindqvist from SRI International and Raj Samani from McAfee. The subject of liability was an interesting one among the dozen-strong roundtable, especially as it touched the case of whether banks should reimburse those users who show a blatant disregard for security.
Samani asked: if people don’t care about security, why should banks repay lost savings when this is the third time a user has been phished in a month? “There is no way to prove a user did their due diligence to make a claim, as if they didn’t have the latest version of software, banks can refuse to pay outright,” he said.
The group went on to ask whether we as a society should have to pay for others’ lack of due diligence, particularly since banks will not bail out users forever. If a user is not security savvy, clicks on links indiscriminately and suffers financial loss as a result, the first question to ask the bank is: will they cover that user forever if he or she shows no effort or intent to change their ways?
It is the equivalent of walking down a dark alley and having your wallet stolen: would you take that route again, knowing there is a chance you will lose money and suffer the same personal attack once more? Online, it seems, it is a different game.
In a keynote at the conference, Douglas Maughan from the US Department of Homeland Security asked why home users or small businesses should feel the need to buy security technologies when they don’t understand the benefit of them.
The discussion moved on to recording online behaviour, and whether a user would allow their bank to install a form of black box recorder as a condition of covering their losses, so that the bank could confirm that due diligence was being done on the user’s side.
Samani said that a black box recorder could establish liability for a bank, as it would put a wrapper around user activity and act on it, and this could prove negligence. “The ability to automatically sense and to detect clicks is too difficult, but it can record the trust element and risk. But if the machine learns, when does this become creepy? Are you happy with analytics if it improves your life?”
Some eyebrows may be raised at this concept considering the headlines of the last ten months, but if it is a case of a bank trying to prove a level of negligence and cover itself, so that it is not forced to use its funds to repay negligent users, then this may be a way forward for banks. As for the users, if they keep making the same mistakes then perhaps this can serve as a form of online electronic tag.
Samani later asked how much personal data is worth to you, stating that the personal data economy will be worth 1 trillion euro by 2020. He said: “Who cares about cyber security? Why don’t people seem to care? If you lose money the bank pays it back, so why take it seriously? Is it fair to pay for others’ negligence when costs from credit card and overdraft interest go to pay where people are negligent?” He argued that technologies need to be adopted in order to be fair to those who take security seriously, so that they are not paying for the failures of others.
This is an interesting discussion and one that I have not come across in some time in the public awareness debate, and one I am sure that the financial services community will welcome.