How do corporations determine what is a necessary level of something (in this case security) to have? Why do businesses follow what are known as “best-practices”? Well these are just a couple of questions that will be answered within in this article.

Utilizing IT as an example to better understand what will be explained; corporations that require security, such as insurance agencies or brokerage firms, adopt security according to their budgets. Security is not too important to them with it primarily being seen as a commodity. Corporations typically adopt security measures for the following three reasons: business cost, indirect cost, and/or business strategy.

Business cost refers to an actual threat that could and is likely to occur thus being detrimental to business profits. It is then adopted to protect the business and its employees from any losses and is under the umbrella of real security. Indirect costs involve the implementation of security in order to protect consumers from a viable threat such as a hindrance to corporate reputation — also falling under the umbrella of real security.

Now for the less charitable of the three, business strategy. This involves the implementation of security measures to take hold of and maintain a tenacious grip on customers. An example of this would be the formation of a binding contract to prevent customers from doing anything inappropriate with the corporation’s devices and transfer liability away from senior executives of the corporation while utilizing technical lock-in to keep customers. If you have ever heard of a corporation using “best-practices” or following industry guidelines, they are doing it as a part of business strategy to attract consumers rather than for the adoption of real security to safeguard profits.

A prominent strategy known as strategic differentiation is commonplace nowadays with a corporation adding an overall impractical fix/patch to their product. Why is this done? Well, let’s say that a phone company has developed an unprecedented form of cryptography for their software in response to an alleged hacking of a couple devices. These alleged hackings pose no risk to direct business profits nor do they pose risk to any indirect losses such as reputation due to their rarity and unreliability. However, by offering advanced protection that other corporations saw no use for, customers will have a way of differentiating the products ergo augmenting the likelihood of their product being purchased over another.

In conclusion, it is always good to ask yourself why a company would perform certain decisions. There is always a purpose and rarely will industries take it upon themselves to simply protect a couple consumers out of good will.