# Policy Intervention

## Three interventions

- Certification schemes
- Information disclosure
- Intermediary liability

## Traditional regulatory intervention

- Ex ante safety regulation
  - Used where failures are potentially catastrophic, so the goal is to prevent harm before it occurs rather than compensate afterwards
  - One way of coping with the difficulty of measuring security outcomes: regulate inputs (required controls, minimum standards) when the outcome itself cannot be observed reliably
- Ex post liability
  - Assign responsibility when something goes wrong, so that the party best placed to prevent the harm bears its cost

## Certification schemes

- A government-led approach: Common Criteria certification
- Sometimes useful, but may be gamed
  - Evaluation is paid for by the vendor seeking approval, which leads to test-shopping: the vendor chooses the lab and defines the scope of what is evaluated, so a certificate says little about the product as actually configured and deployed

## Information disclosure

- Cybersecurity incidents are often hidden from public view
- Breach-disclosure requirements have brought many breaches to light; making them public is what allows others to learn from them and prevent future failures
- **Most cybersecurity risk can be managed if**
  - it can be measured
  - responsibility for failures is clearly assigned
- Transparency is also needed in
  - Financial fraud figures
  - Cyber espionage incidents
  - Control systems incidents
  - Consistent collection of cybercrime loss figures

## Indirect intermediary liability

- Liability isn't always placed on the party directly responsible for the harm
- It can also be placed on parties that could have detected or prevented it
- If the bad actors are beyond the reach of the law, and a third party (an ISP, a payment processor, a platform) is in a good position to detect or prevent the bad acts, then indirect intermediary liability is attractive: it gives the party that can act cheaply an incentive to do so

## Summary

- Policies that make measurement easier (e.g., data breach disclosure laws) and clarify responsibility for failures (e.g., assignment of intermediary liability) could substantially improve security