dards, but at the cost of difficulty of evaluation. Note that in both building code and computer security experience, major innovations have taken some ten years to go from concept to general acceptance.

The UL experience shows that an evaluation process can be initiated in the private sector and then accepted by government, and that it is not necessary to begin such an activity with a legal or administrative mandate. The FASB is also an example of a private effort that achieved government recognition.

The FASB's history shows quite clearly that a forcing function is needed both initially and in the long term. In the case of the FASB it is the threat of government regulation of a particular profession. The experience with the FASB, and to a lesser extent the building codes, shows the importance of determining, by consensus, standards that balance the interests of all involved parties, and of setting up those standards according to a due process. The FASB's history also illustrates the importance of institutional independence in balancing pressures and criticisms from interested parties.

Those concerned with setting standards for computer security should nevertheless be cautious in drawing too close an analogy to the FASB. Computer security does not involve an organized, recognized profession whose prerogatives are threatened. Much less money is involved (at least directly), and a clear forcing function, either in the form of an initiating incident or ongoing threat of government action, is not present, although a liability crisis for system vendors, were it to develop, could serve that purpose.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.