"Is it really the theft that cost the person the valuables stored at home, or the fact that they didn't have live armed guards or didn't store it in a vault? While the thief is obviously in the wrong here, you doubt it makes sense to pin the whole sum on him."
"Is it really the rapist that cost the person's life, or the fact that they weren't fully armed and were not at home after sunset? While the rapist/murderer is obviously in the wrong here, you doubt it makes sense to pin the whole sum on him."
These are not accidents like parking a car at the edge of a cliff and forgetting to put it in gear and set the parking brake.
These are deliberate premeditated actions by another party exploiting some weakness or error. Of course it helps to avoid weakness or errors, but the point of a civilized society is to not have to live like we're constantly under assault in an armed camp.
The criminal is a criminal, and the entire amount rests on his/her head.
That said, it is also appropriate for those who lost to analyze the losses and improve their situation. If there was already a spec or procedure to handle this, and it was not followed, then it would not be surprising to see some workers and managers retrained or sacked. But zero of this reduces the criminal's responsibility or liability.
I suppose that if there is anyone to blame for shortcomings incurring costs, it is the criminal herself. Aside from deciding to do the crime in the first place, she also had bad enough opsec to get caught, and that will come with a price.
I'm confused... do your tortured analogies identify Capital One as the victim?
>> These are not accidents like parking a car at the edge of a cliff and forgetting to put it in gear and set the parking brake.
They left S3 buckets parked on the edge of a cliff with (the personal information of) customers sitting in the passenger seat, and failed to stop them (from being publicly visible) with security.
All of your analogies forget one important thing. Capital One was storing other people's data and acting in the role of the bank or vault. They have a duty to store those things securely.
Or to put it another way, if someone breaks into the bank and steals your valuables from your deposit box, are you going to blame the thief, the bank, or both?
Assigning responsibility is always a moral judgement and different people will come up with different answers based on their own morality.
If someone walks into the bank and the doors are wide open, no one is there, and the vault is just open, so they decide to grab some visible valuables, how much responsibility is actually on the thief?
I mean obviously there is some responsibility, but how much is more of a moral judgement than anything else.
Agree, it's all judgement, and there's clearly a broad spectrum. Some good example points on it might include:
* Implemented all possible security measures, above and beyond reasonable, but were breached by a nation-state actor.
* Took reasonable professional-standards measures, but were breached by professional thieves.
* Took most standard measures, missed some, but were breached by a modestly skilled thief.
* Were somewhat negligent and some people found an unlocked door and stole the goods.
* Created an attractive nuisance, too tempting for some people to avoid, and some people looted the place.
* Left the goods out on the sidewalk and were surprised when people helped themselves.
In all but the last sidewalk example, I'd say the taker has full responsibility as a thief - an honest person would not get involved, and a skeptical person would wonder if it was a honeytrap.
All but the last two examples require not only dishonesty, but also require specific planning and actions to get the goods. In all but the last two examples, I'd say that the taker is responsible for their acts, and nothing about the owner's actions mitigates that.
That said, the protector of the goods also has full responsibility for taking appropriate measures for the reasonably foreseeable threats.
I guess I'd put it as responsibility is not divided but added or multiplied by the parties.
You can be both negligent _and_ preyed on by criminals. It doesn’t make the criminal any less criminal, but it also doesn’t make you any less negligent.