Ross Anderson has posted an excellent summary of the recent Berlin workshop on the economics of security…
Among other things:
It turns out that Nigerian scammers still say they’re from Nigeria because it filters out people who’ve heard of the scam.
If you want real security, relying on regulations is the wrong way to go. In fact, the more thorough your audits (to see if everything complies with regulations), the worse your security tends to be. (Presumably because people turn their brains off as soon as “everything complies with the security rules” evaluates to TRUE.* Better to make people accountable (so they care), then give them guidelines and red-team exercises to educate them, I think.)
* The whole problem of forged credentials is a classic example: “does it look legit? ok great!” instead of “if it was forged, what flaws might I see?”
Paper PDFs for all the talks are at the first of the two links.
Both breaches and noncompliance are risks, and more elastic to reputation than price. She found strong correlations between functional capabilities (prevention and audit) and compliance, but not with security: the better the audit, the worse the security! Similarly, when she looked at cultural aspects she found that collaboration was correlated positively with compliance but not with security. She concluded that compliance was largely driven by internal factors but security depends on external factors too.[…]
Nigerian scams: repelling false positives is more important than finding true ones, and the initial email costs almost nothing. So the function of the word “Nigeria” is to find people who’ve not been sensitised to the scam.”