Derivatives as a way to imbue IT vulnerabilities with economic force appear to be a confused idea with potentially disastrous consequences. The date of the paper on that subject should be kept in mind when reviewing it. In the heady days of 2007, before the fat-tail event we now know as the Great Recession, risk swapping was all the rage. We have numerous examples from the past few decades (Enron's weather futures, mortgage credit default swaps (CDS), etc.) of the counterintuitive cost of derivatives when used for risk mitigation: instead of mitigating risk, they leverage it into the stratosphere.
Consider the economic forces at work in buying and selling swaps on whether a particular exploit will appear against a specific target in the next month. I can see the same forces that led hedge fund managers to assemble mortgage CDSs designed to fail so they could bet against them operating in this space. Suppose there is a bet on a rare event happening to a large credit card company. The company could claim it was covered for the related liabilities by offloading the risk to the AIG of exploit insurance. The motive of the fellow on the other side of those AIG swaps would be to see the rare event happen. He could place thousands against the odds of the event (which would pay out millions, as is the nature of derivatives) and be strongly incentivized by the very economic forces we are trying to harness toward the opposite effect.
That aside, let's consider more traditional economic forces in the context of this question. Is a vendor that provides critically flawed software or hardware not liable in the same manner as the auto manufacturer that produces a car which occasionally bursts into flames? As of today the answer is no. This situation will evolve in interesting ways when we have a software-induced auto failure, as we almost did with the unintended acceleration accusations against Toyota. When that happens, does the fact that the failure was caused by firmware or software release the manufacturer from liability, on the grounds that we do not consider such liability valid because of the COTS complexity immunity factor? The same economic question can be asked of those that provide services, such as our banks. If they expose my identity, which in turn allows the theft of my cash from their bank, will there come a day when the liability burden is shifted more completely to the service provider rather than the victim?
The maturation of the traditional economic forces around vendor and service provider liability would be impeded by security risk derivatives. Derivatives would incentivize evildoers to speculate and attack, and disincentivize vendors and service providers as they lay off their risk (read: responsibility) onto the AIG of vulnerability swaps.