I was heartened to find out that someone was given grant money for a study that demonstrates that the fresh brains market in a zombie apocalypse would peter out after six months. Afterwards, the earth would be either empty (most likely) or a wasteland with few zombies.
So that gave me an idea. Gresham’s Law, crudely stated, says that bad money drives out good money. My thesis is that the market for high quality security assessments (= “good money”, e.g. skilled manual review) is being driven out by the prevalence of low / unknown quality security assessments (= “bad money”) in a rush to the bottom in terms of fees. This correlates with an increase in business loss as attackers stop putting up alert boxes and start stealing (brains) from the population.
So is there any hope? Do we need hope? Could we have a market in the post-trust Internet?
Let’s have a thought experiment – what would the Internet look like post zombie apocalypse (or if you’re Paul Fenwick, a post singularity AI overlord who turns out not to be our friend)? Could commerce exist, and in what form, if we totally (and I mean totally) debased the security market to the point that there is no trust on the Internet?
What would that look like for traders in an all lolcats world?
In my view, the signs of a post-zombie apocalypse are:
- The market would mainly consist of small unregulated trades, much like the drug deals you see on TV crime shows today;
- There will be a limited market for large trades, and large trades would be highly regulated in a walled garden;
- There is very limited to no trust;
- Trades would be done in places that are not particularly consumer friendly (either “friendly” to mall owners like Amazon or Etsy, or dark places like the Silk Road);
- There would likely be an arms race of sorts between the main actors in the market, such as targeted phishes of oppressed ethnic minorities or other outgroups;
- There would be little to no enforcement as there’s basically no detection;
- There would be minimal to no proactive security measures being undertaken, where this “technology” is essentially unknown to the market or deeply hoarded by those who actually know.
In my view, many of the signs are starting to crop up now, with the dark net market of malware, infected machines, and illicit substances traded for virtual currencies.
We are at a turning point for trust. Either we must support the market in a way that punishes weak security or bad money, and rewards leading security practices, or we give up and embrace the smaller and more diverse dark market. There’s still money to be made – for some – in the dark market.
What do you think the future of the security market looks like?