Complicated regulatory legislation discourages capital investment in new technologies, as investors fear subsequent government interventions may render their investments worthless.

Regulation also creates an expensive compliance component that typically does little in the way of solving security problems, as exemplified by the passage of Sarbanes-Oxley (SOX) after the Enron scandal, and the subsequent Bernie Madoff Ponzi-scheme revelations.

"The process of developing effective regulations is inherently time consuming; there is virtually unanimous agreement that any regulations specific enough to assure improved cyber security would become outdated soon after their enactment. Even more troubling than the low prospect a regulatory mandate model has for success is the fact that such a model would generate seriously negative economic and security consequences."

The report proceeds to underscore the global nature of the Internet and related threats to information security, emphasizing the economic disadvantage American companies would suffer if subject to a system of monolithic statutes, contrived through vague legislation, and applied across a broad spectrum of business sectors.

THE FINANCIAL NATURE OF CYBER SECURITY

One of the most difficult issues to relay effectively to the Boardroom is that of security, particularly because a great deal of the security battle is won preemptively, before the fight even begins.

And no one can say with any certainty whether or not that battle will ever be fought; nor can they guarantee a victory, regardless of the depth and breadth of their preparations.

While this uncertainty puts security professionals in a cold sweat as they contemplate the thought of unmitigated exposure, it also puts the bottom-line budget wranglers in the position of deciding how much security is enough security, seeing IT only as a cost center to be managed.

"Typically, the economics of cyber security are not readily transparent and they are poorly appreciated. When defensive investment is compromised by factors beyond an organization's control, the motivation for continued investment is reduced substantially. Effective and sustainable improvements in our collective cyber security posture will stem from a comprehensive understanding of how to effectively motivate all players across our economic landscape to actively engage in proven best-practices in both their business and individual cyber activities."

The report also notes the disconnect consumers suffer when presented with high interest rates and fees on their credit and debit cards, and news of major data breach incidents in the payment card industry.

Many do not realize that the cost of those "hassle-free" dispute resolutions, which absolve them of responsibility for fraudulent charges made on their accounts, is actually hidden in the price of the items they purchase, and can be as much as, or even exceed, the sales tax levied in many states.

"Consumers [have a] false sense of security due to the belief that personal losses will be fully covered by corporate entities (such as the banks), when, in fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees."

The report from the ISA also makes it clear that the path to better information security is at best uphill, and echoes the sentiment common in national defense strategies: The bad guys only have to get it right once, while the good guys have to get it right every single time.

For the hackers and cyber spies, it is literally a numbers game, with the bulk of their illicit scores coming from simple exploits applied among a large array of networks, just looking for that one weak spot - as opposed to more sophisticated attacks focused on any one particular target.
