Penalty phase
After reading your piece on the six people charged in the U.S. for phishing and spamming AOL users ["Six charged for phishing, spamming AOL users," Sept. 28], I wonder if they will be let off lightly, the same as Christopher Maxwell was.

If convicted, the defendants face up to 15 years in prison for fraud in connection with access devices and aiding and abetting fraud in connection with access devices, seven and a half years in prison for charges of conspiracy to commit fraud in connection with access devices, and up to five years in prison for fraud in connection with electronic mail.

Aggravated identity theft carries a mandatory two-year prison sentence. I somehow doubt they will get much more than the mandatory.

David Inquieti,
technical consultant,
Zafire Limited,
Banbury, Oxon, U.K.

A debatable expense
While I agree with the premise of ["Working for Gold," July 2006] regarding the author's discussion around ROSI [return on security investment], I totally disagree with this age-old discussion about insurance and the lack of ROI around it. Without insurance (and the basic notion it is based on: spreading risk), business would not even be able to function, secure financing, or offer services of any kind. But, without these "financers" or other government influence, insurance wouldn't be used either.

There is a growing IT security market, but if you look closely at it and at those who are succeeding, you'll find most of it is rooted in the regulations that are forcing companies to do what is right — not because they want to, but because they have to in order to stay in business and satisfy regulations.

I'm not a supporter of government regulations by any stretch, but commercial enterprises only do what they are forced to do — either by government or customers. Therein lies the ROSI. Just as banks and financial institutions have been hiding identity theft for years, only now has it gotten to the point where the consumer is aware and concerned. This is what is driving the market for security, not the businesses.

As the consumer becomes more aware of internet threats, the need for effective security measures will become as fundamental as insurance. Without it, the customer will go elsewhere and the business will not survive.

As an industry, the security world must do its part to expose the dangers (real, not imagined) of unsecured internet practices.

I hate to say it, but "homeland security" did not get taken care of until there was a direct attack that the population was directly affected by. Until then, it was buried. What's it going to take to make people aware of the fundamental threats of the internet? Anyone in the business could provide lots of examples, but then we'd be accused of fear-mongering. Still, do you buy business insurance because you know your office building will burn down? It's all about risk.

Currently, business has been able to absorb the cost of circumstances where poor security has affected it. But, as we can see with the ever-escalating threats, this is very quickly going to be more and more difficult. Then, and only then, will proper internet security be easily justifiable.

We are now starting to see that those companies which take a proactive stance are starting to earn more and more online business. The business case for effective IT security is building quickly. Those companies which get it will win, respond correctly, and let people know they have. Those who don't will not survive.

Steve Dodd,
enterprise accounts,