View Full Version : Executives Liable for Security Holes?


Jon Westfall
03-30-2004, 05:45 AM
Another good one from Wired, this time on holding executives liable for lax security. Reminded me of the open access-point post from a few months back.

From Wired:
WASHINGTON -- Hackers, viruses, and other online threats don't just create headaches for Internet users -- they could also create prison sentences for corporate executives, experts say.

Though business groups have lobbied successfully against laws focused on cybersecurity, companies that don't make efforts to secure their networks could face civil and criminal penalties under an array of existing laws and court decisions, according to security and legal experts.

Full text at http://www.wired.com/news/privacy/0,1848,62843,00.html?tw=wn_tophead_9

So my question is - should executives be held liable for security holes in their networks?

Zack Mahdavi
03-30-2004, 06:13 AM
I voted yes, but I feel companies should only be liable to a certain extent. Some viruses like SoBig attacked computers differently than any other email virus had in the past. Companies should not be liable for these unknown novel attacks, but there should be a set of standards that they must follow to keep their networks secure.

However, I don't know who would create such a policy. That I'm unsure of. Also, I believe the companies that make the software should also be liable. This includes Microsoft......

Falstaff
03-30-2004, 06:27 AM
I don't think that executives can be held fully responsible. Most execs don't know much about technology, so how should they know if their system is secure? If the management is keeping the IT department hog-tied and not letting them do necessary patches and updates because of many layers of bureaucracy, then I think it is the exec's fault. However, if the IT guys are telling the management that things are secure, when in reality they are slacking off and not being vigilant, then it is the IT's fault. So basically, I don't think the blame should always fall on one person. It all depends on the situation.

P.S. Ohh, and I didn't vote because I think there should be an option of "It depends on the situation."

Kati Compton
03-30-2004, 06:29 AM
So my question is - should executives be held liable for security holes in their networks?
Depends. If the company sets policies on security, and a worker violates them and causes a security hole? Probably not. If they just say "Our policy is that everything should always be completely secure" and then don't hire anyone to actually make it secure? That's when it's getting closer to "yes". I'm not sure that holding the *executives* responsible is the best idea... But perhaps fining the company instead?