TMCnews


TMCnews Featured Article


July 21, 2011

Enterprise Password Management: Should End Users Be Responsible for Security Breaches?

By David Sims, TMCnet Contributing Editor


Blogger Ed Felten has written recently that Eric Rescorla reports that in a talk at WEIS (the Workshop on the Economics of Information Security), “Dan Geer predicted (or possibly advocated) that end-users will be held liable for security breaches in their machines that cause harm to others.” If that’s not an issue to make enterprise password management pros sit up and take notice, we don’t know what would be.

So why consider this at all? What problem does holding end users’ feet to the fire solve when something goes wrong on their machines?

As Geer says, there are two kinds of costs to not securing your computer: the internal cost of having your own machine broken into, and the external cost to others, “primarily your machine being used as a platform for other attacks.”

Geer maintains that currently, internal costs are the only incentive people have to be careful. He notes that if we make end users bear the external costs as well, that would “give the right incentive to secure systems.”

Not that there’s a lack of attacks. As TMCnet’s Lance Whitney wrote recently, a full 90 percent of companies surveyed by the Ponemon Institute admitted that they were hit by a cyber attack over the past 12 months.

Sponsored by Juniper Networks, the survey of IT and security professionals in the U.S. found that the threat of cyber attacks today is approaching “statistical certainty” and that businesses of all shapes and sizes are vulnerable.

There’s a serious difficulty with end-user liability, one that enterprise password management pros can probably spot. Felten notes that today “many intrusions into end-user machines lead to the installation of bots that the intruder uses later to send spam, launch denial of service attacks, or make other mischief. The harm caused by these bots is often diffuse.”

In other words, how do you assign culpability accurately in such a case? As Felten puts it, if “Alice's machine is compromised and the intruder uses it to send 100,000 spam emails, each of which costs its recipient five cents to delete,” then Alice’s insecurity has caused $5,000 of total harm. But no single recipient is out more than five cents, so whom would Alice compensate, and for how much?

If any enterprise password management pros have a better idea, let’s hear it.


David Sims is a contributing editor for TMCnet.

Edited by Jamie Epstein