I buy Time magazine now and then when I’m waiting in a long line at the local supermarket. It’s the only magazine on the racks that doesn’t have covers with starlets falling out of their dresses or space aliens impersonating politicians - or impregnating the starlets (no, really).

The Feb. 13 issue has some interesting articles in the cover series (“Is America Flunking Science?”). I was struck by the following comment on p. 24 of the paper version in the article by Michael D. Lemonick, “Are we losing our edge?” (online for subscribers only or temporary access for $1.99):

“[E]xperts in business and academia have been warning for decades that U.S. science was heading for trouble for three simple reasons. The Federal Government, beset by deficits for most of the past three decades, has steadily been cutting back on investment in research and development. Corporations, under increasing pressure from their stockholders for quick profits, have been doing the same and focusing on short-term products. And the quality of education in math and science in elementary and high schools has plummeted, leading to a drop in the number of students majoring in technical fields in college and graduate school.”

I won’t address the government-funding issue here, but the second comment reminded me of a longstanding theme that bears repeating: short-term horizons are inimical to information security. During the dot-com boom of the 1990s, it seemed that many executives were hopping from job to job, often more than once in a year. With short residency in an organization, irresponsible managers could look good in the short term by skimping on longer-term cost-avoidance measures of all sorts, inflating short-term profitability, and then getting out as they hopped to the next company.
The consequences of their short-term strategy would then fall on the next managers to take over.

Information security suffers from a serious structural problem: the better we are at preventing harm to our information, the less hard evidence we can present to naïve colleagues that our measures are effective. We are accused of being like the madman on the street corner who is waving a dead chicken around his head. “Why are you doing that?” people ask. “To keep the flying elephants away.” “But,” people protest, “there are no flying elephants.” “See?” he responds in triumph. “It works!”

Unless we have carefully implemented intrusion detection systems (IDS), we can’t show our bosses that our security measures are resisting real attacks. But even getting the money to implement IDSs - let alone all the other expensive toys and the potentially burdensome policy changes we want - requires cost justifications.

Cost justifications usually require ROI calculations. ROI usually involves annualized loss expectancies (ALE). ALEs are calculated by summing the products of event probabilities and their expected costs (e.g., the probability that a disaster will happen times the cost of the disaster, plus the probability that the disaster won’t happen times the cost of the disaster-prevention-mitigation-recovery efforts).

Unfortunately, we don’t know the probabilities because (1) people don’t notice all the security incidents that happen; (2) people don’t report all the incidents that they notice; (3) there is no central database of reported incidents; (4) there is no classification scheme allowing actuarial accuracy in predicting the rates of occurrence of security incidents as a function of the nearly infinite range of user classes, network and system configurations, software products and software versions implemented in organizations.

So what’s left?
We have to convince our non-technical colleagues to pay attention to legal requirements for data protection such as (in the United States) the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act. The European Privacy Directive is critically important in Europe and also helps us build a case even in the United States for transnational corporations or those doing business in the European Community.

Oh well, at least I got something from my time in the checkout line in addition to this week’s groceries.