Tuesday, March 27, 2007

Minimum standards vs. Best-in-Class Safety/Security Features

Read Jim Allchin's piece the other day on Security Features vs. Convenience.

Warning: I'm going to play the analogy game again (apologies to Mike Howard). Well, maybe it's just the comparison game. It will be interesting to see how companies with large installed bases react to new threats and/or regulatory models for safety and/or security.

Though they aren't identical, cars and computers do live in a complicated ecosystem of other machines, users, etc. They also have safety/security features that vary greatly among different product offerings. Equally, these safety offerings differ over time as a result of new engineering, safety studies, consumer perception, and regulation.

Certain car makers, companies like Volvo and Mercedes, have traditionally focused more on security, in some cases despite the absence of direct explicit calls for these features from the car buyer. They do a lot of research on new safety features and incorporate them into their products with the implicit consent of the car buyer. Well, explicit in that people keep buying the cars, and they probably do surveys of what people want. But people weren't directly saying they wanted airbags, ABS, traction control, adaptive cruise control, etc. Mercedes assumed that its customers would pay a premium for these features. Part of their brand image is safety, and they can add a safety feature of almost any price to a car knowing full well that their luxury audience will pay the extra cost to have the safety feature.

Often, after Mercedes, Volvo, etc. have produced working safety technology, we begin to see costs come down and the feature move down-market to lower-end cars (lower-end from a branding and pricing perspective).

In many cases governments eventually step in, decide that a given safety feature has proven itself to reduce accidents or increase survivability, and start mandating it in all cars. Things like airbags, etc.

What is interesting about Allchin's article is how different computers and the computing economy currently are. Companies do invest in safety/security features, but because these safety/security features are so much more a part of the user experience, it isn't simply a question of whether users are willing to pay for the feature - it's a question of what their interaction with the feature will be. Seatbelts excluded, most auto safety features don't require much user interaction to be useful. They are passive with respect to user participation.

Disregarding features that directly impact backwards compatibility, it's interesting to study users' reactions to features such as UAC that do improve security, but can be configured in such a way that they impact user productivity and/or perception.

How many people didn't wear seatbelts in early cars? Similar sort of thing.

Equally interesting is that, at least so far, there isn't a lot of computer regulation around end-user systems and their safety/security posture or profile. Whereas governments regulate lots of devices to try to specify minimum safety requirements, we don't do that with computers. Thus there isn't the same sort of feedback loop of people getting used to a security feature, it becoming mandatory, all vendors including it, and things proceeding in a somewhat safer fashion.

I had a good discussion with a friend last night about how you'd go about crafting basic software liability regulations, and I'm sure there are some decent proposals out there. It's a pretty tough nut to crack though. How do you specify minimum standards for functionality of a truly multipurpose machine? Fitness for what purpose?

Perhaps more on that later after I do a little more research.
