Comment by Thorentis

5 years ago

I partially agree, but think it depends on the nature of the attack and the types of security procedures/protections that were already in place.

For example, consider seat-belts. If you don't wear one, and you are involved in a crash, there is a serious likelihood you will die or be seriously injured. Hence we make it the driver's responsibility to ensure passengers wear their seatbelts. Now, if everybody was wearing their seat belts, the car was serviced, there were airbags, etc., but out of nowhere a tree hits the car, should we hold the driver accountable for not having installed a cutting edge anti-tree device to their vehicle? Of course not!

Unfortunately, defenders are always on the back foot. You can have the best security posture and still fall to a zero day. We need a nuanced policy in place which blames victims that have no security posture whatsoever, but properly assigns responsibility to the attacker when the victim did everything they reasonably could. Defining "reasonably could" is the very challenging part.

I think you are mistaking safety for security. The whole discussion is about security - preventing attacks from attackers on purpose. What you described here in the seat belt example is safety - preventing accidents that happen without intention/malice.