The conventional wisdom is that security priorities should be set by risk analysis. However, reality is subtly different: many computer security systems are at least as much about shedding liability as about minimising risk. Banks use computer security mechanisms to transfer liability to their customers; companies use them to transfer liability to their insurers, or (via the public prosecutor) to the taxpayer; and they are also used to shift the blame to other departments (“we did everything that GCHQ/the internal auditors told us to”). We derive nine principles which might help designers avoid the most common pitfalls.
Anderson, R. J. (1994). Liability and computer security: Nine principles (pp. 231–245). https://doi.org/10.1007/3-540-58618-0_67