Why This Blog, and Why Me

Security isn’t just a technical problem. It’s not even primarily a technical problem. It’s an economic one. And we won’t fix it until we start treating it that way.

That’s why I decided to start this blog.

If you work in security, you’ve probably seen many things that don’t make sense on the surface: decisions that ignore obvious risks, budgets that arrive only after the breach, users who click past every warning, and executives who treat security like a compliance checkbox—until it’s not.

But if you look closer, you can see that the chaos has a pattern.

People respond to incentives. Organizations offload risk because it’s cheaper than prevention. Users prioritize convenience because the cost of caution is always theirs to carry...and the benefits are often unclear. Attackers innovate because crime pays—and their margins are excellent. Even the failure to patch or the choice to reuse passwords makes economic sense when you factor in time, friction, and cognitive load.

We talk about breaches as if they’re accidents. But more often, they’re signals. Market signals. And they’re telling us something important: the incentives in security are profoundly misaligned.

This blog is about unpacking that system. And maybe even finding ways to succeed within that system.

Why Me?

It’s a question many security professionals ask themselves, but in this case I mean it differently: why am I qualified to stand on my soapbox, describing information security through an economic lens?

I’ve spent over two decades in security. At Microsoft, I reshaped incident response practices and designed what may well be the first production use of certificate pinning anywhere...then helped lead the Security Assurance Program for Windows 7. From there, I applied my security skills to several startups in different industries, some of which are regulated. I’ve spent a decade as CISO at two fintech startups. I’ve hired and mentored people who went on to shape the security field, and along the way collaborated with some of the most respected names in security. I’ve seen, up close, how smart teams struggle in broken systems.

But I don’t approach this as merely a practitioner. I approach it also as an economist.

I earned my master’s degree from Carnegie Mellon’s Tepper School of Business in 2004—at a time when security economics was still a fringe topic. And even before that, I was thinking of the world at large in terms of incentives, asymmetric information, and externalities. That lens has shaped how I view the world of security: not as a series of technical gaps, but as a series of predictable outcomes from badly structured systems.

And the problem is bigger than just companies. This blog explores the economic foundations behind every actor in the system:

  • Why organizations keep underinvesting in prevention
  • Why users behave “insecurely” (and why that word often misses the point)
  • Why attackers continue to succeed with low-cost, high-leverage operations
  • Why extortion economies thrive, even when the “ransomware” isn’t software
  • Why defenders burn out in a system designed to fail

We’ll talk about policy, yes. And regulation, liability, insurance, incentives. But also friction, attention, usability, and human cost.

This isn’t just a corporate story. It’s a systems story.

If any of that resonates with you, welcome. You’re in the right place.