Global Security, Privacy, & Risk Management

Why Regulation Cannot Prevent CyberCrime (TransactionWorld) February 6, 2012

As the maritime industry is increasingly focused on protection of data assets, I thought it would be beneficial to include an article on the topic.  This article is one I wrote for TransactionWorld in July, 2011.  It is titled: “Why Regulation Cannot Prevent CyberCrime” and is a continuation on the discussion of the impact of deterrence on behavior.

“Data security and privacy regulation have increased significantly over the past 10 years. The U.S. now has 46 state breach notification laws and there have been numerous bills introduced in Congress that propose to regulate personally identifiable information and to dictate security of such data. In spite of this increasing regulation, data breaches continue to plague the industry. Some have proposed that more regulation is the answer. Unfortunately, regulation alone is inadequate to prevent data theft and protect data.

At its core, data theft and network intrusions are crimes. At the risk of oversimplifying the work of criminologists, crime prevention can be summarized as using deterrents to affect protection of assets and prevention of theft. Protection applies to the ‘hardening’ of targets by implementing controls that increase the level of difficulty of perpetrating a crime. A vault is a good example of a protective measure. While no vault is completely impenetrable, vaults do provide significant protective value. Data security controls are protective measures. They are designed solely to limit attempts to obtain the target of value. Without a deterrence effect, criminals are free to attack companies at will without fear of retribution. This article will explore the value of deterrence in the prevention of crime.” (read full article here)