Information Society Commissioner Viviane Reding said, addressing a conference in Helsinki on 28 September 2006: "On security, in particular, we need to move from talk to action. The Commission is not asleep on the job, but we cannot win the war alone. We need a culture of security in which everybody plays their part. That means national governments have not only to identify but also to implement best practice in policymaking. But, security threats are inherently cross-border. The international coordination of risk monitoring and reaction is a major role of ENISA (European Network and Information Security Agency).
A second area of need is for authoritative and independent information on security incidents and consumer confidence. That is why we have also asked ENISA to move ahead urgently on developing with member states and stakeholders a data collection framework to collect and analyse EU-wide data. Industry also has a role to play: software producers and Internet service providers must provide adequate and auditable levels of security. I believe I see some signs of movement in the software sector, in this respect. I am watching with interest."
The mission statement of ENISA, the European Network and Information Security Agency, says, under the header "Europe’s Information Society – the future at risk?": "The growing number of security breaches has already generated substantial financial damage and has undermined user confidence. At the same time, the Information Society is becoming indispensable in all areas of life. Individuals, EU institutions, public administrations in the member states and businesses have deployed security technologies, security management procedures and information campaigns and research projects to enhance network and information security. The technical complexity of networks and information systems, the variety of interconnected products and services, and the huge number of private and public players that bear their own responsibility, are risking undermining the smooth functioning of the internal market. The modernised information society of Europe and its business, based upon a digital economy, is thus, potentially, jeopardised."
Jean-Philippe Courtois, Microsoft CEO for the Europe, Middle East and Africa Region, said: "As an industry leader, we have a responsibility to ensure that our users benefit from a safe service. And if the real potential of online technology is to be realised, we all have an interest in ensuring that the Internet continues to be a viable tool for consumers, governments and businesses alike."
In an essay entitled "The psychology of security", internet security expert Bruce Schneier says: "Security is both a feeling and a reality. And they're not the same." Schneier goes on to explain: "The feeling and reality of security are different, but they're closely related. We make the best security trade-offs - and by that I mean trade-offs that give us genuine security for a reasonable cost - when our feeling of security matches the reality of security. It's when the two are out of alignment that we get security wrong.
In the past, I've criticised palliative security measures that only make people feel more secure as 'security theatre'. But used correctly, they can be a way of raising our feeling of security to more closely match the reality of security. Of course, security theatre has a cost, just like real security. It can cost money, time, capabilities, freedoms, and so on, and most of the time the costs far outweigh the benefits. And security theatre is no substitute for real security. Furthermore, too much security theatre will raise people's feeling of security to a level greater than the reality, which is also bad. But used in conjunction with real security, a bit of well-placed security theatre might be exactly what we need to both be and feel more secure."
Distinguished information technology economist Hal Varian wrote in an essay for the New York Times: "One reason that computer security is so poor in practice is that the liability is so diffuse. Consider the attacks that took place a few months ago, in which computer vandals took over computers on relatively unprotected university networks and used them to shut down Yahoo and other major Web sites. Although the universities found the takeover of their machines a nuisance, they didn't bear the bulk of the costs of the attack on Yahoo. But if universities bore some liability for the damages to third parties, they would have a stronger incentive to make their networks more secure.
The same problem arises with providing high-speed broadband service to the home. These networks are, by default, always connected to the Internet, leaving them susceptible to being used to mount an attack in cyberspace. If a particular user's computer is taken over, should he have liability for the cost of the attack on someone else? The average user is essentially clueless about how to prevent his computer from being taken over, so assigning liability to him would be pointless. Assigning liability to the network operator would make more sense."