News Flash: Phishing is performed by Bad People who hurt those they trick.

But you knew that. That’s why you take it upon yourself to protect your networks and users from phishing attacks, virus writers, spam artists, and other ne’er-do-wells. Along with software and hardware barriers, you educate your users, so when (not if) an occasional Bad Person gets through, your users will recognize and properly dispose of said annoyance.

Same goes for credit cards, bank accounts, wire transfers, and web surfing. While security systems and protective laws surround you, the bill for most stupid mistakes will be paid by you. This Cost of Ignorance makes you smarter and more cautious, one way or another. Like your mama taught you, “Stove hot. Don’t touch.”

Noted security guru Bruce Schneier apparently wants to do away with all this personal responsibility garbage. He writes in Wired:

Push the responsibility — all of it — for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won’t be enough for him to commit fraud — because the companies won’t stand for all those losses.

If there’s one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses — they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won’t work.

We might add that if there’s one general precept of human nature that is universally true, it is that, if you’re responsible for me, I won’t be. Bad idea.
