This paper examines two categories of information security
regulation and presents the results of an empirical study comparing their
efficacy at addressing organizations’ failures to protect sensitive
consumer information. It uses quantitative data on security breach
incidence and qualitative data gathered from interviews with key Chief
Information Security Officers. The quantitative analysis reveals that
a combination of the two types of regulation is substantially more effective
than is either alone. The qualitative analysis describes the effects
of each type of regulation on the role of technical security
professionals. Additionally, the qualitative analysis suggests that a
lack of agreement and/or regulatory guidance as to what constitutes
“reasonable” security hampers security professionals’ ability to advise organizations properly on achieving regulatory
goals. Based on these analyses, the paper presents policy
recommendations designed to improve the efficacy of information security

David Thaw is a Visiting Assistant Professor at the University
of Connecticut School of Law. David's research and scholarship examines the
regulation of Internet and computing technologies, with specific focus on cybersecurity regulation and cybercrime.
Prior to joining UConn, David was a Research Associate at the
University of Maryland Department of Computer Science and the Maryland Cybersecurity Center. David also practiced cybersecurity and privacy regulatory law at Hogan Lovells (formerly Hogan & Hartson)
and was previously a Postdoctoral Fellow at Yale Law School.
David received his J.D. from Berkeley Law. He holds a
Ph.D. in Information Management and Systems and a M.A. in Political Science
from UC Berkeley, as well as undergraduate degrees in Government and
Computer Science from the University of Maryland. David is also an
Affiliated Fellow of the Yale Law School Information Society Project.
Additional information is available at: http://www.davidthaw.com/
will be served.