Very clear illustration, thanks for sharing. It would seem solution would involve non market regulation (EPA for pollution), or aligning with market forces such as aligning impact to buyer of security with risk of public access to compromised information (like videos from IP cameras). Michael Yoon On Feb 8, 2017 9:36 AM, "Ed Lopez" <ed.lopez@corsa.com> wrote: In a recent article ( https://www.schneier.com/blog/archives/2017/02/security_and_th.html), Bruce Schneier sums up the IoT security mitigation issue quite nicely in this paragraph: "The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution." - Ed Lopez -- Ed Lopez | Security Architect | Corsa Technology Email: ed.lopez@corsa.com Mobile: +1.703.220.0988 www.corsa.com sent from my iPad ... I apologize for any auto-correct errors