Why Information Security is Hard - An Economic Perspective

In an ideal world, the removal of perverse economic incentives to create insecure systems would depoliticize most issues. Security engineering would then be a matter of rational risk management rather than risk dumping. But as information security is about power and money, the evaluator should not restrict herself to technical tools like cryptoanalysis and information flow, but also apply economic tools such as the analysis of asymmetric information and moral hazard.

'Why Information Security is Hard - An Economic Perspective' by Ross Anderson - pdf file - (through netsec blog )