Schneier said information security threats are becoming more aggressive and more sophisticated technically, and users are confused and frustrated by their inability to keep up. More and more are looking to industry suppliers, including both application developers and service providers, to provide the technical shields to deter attacks and defend their data.
The computer security industry is ignoring how to make people feel secure in favour of addressing threats, and it is not working, said Schneier.
"Fear is a pretty poor sell, because it needs educated customers. Compliance, on the other hand, is the only stick that works. Security is going to become another compliance issue like insurance, which is the price of risk for a known liability," said Schneier.
Users mostly still have to analyse their risks to get a better handle on how much to invest in mitigating them, he said.
But the risk profile keeps changing. "When you have a million or two PCs in a botnet, the question is how to monetise it," he said. For now, most criminals are ultimately using botnets to defraud or extort their victims, but a small minority are using them for industrial espionage, he said.
Schneier said it was hard to be certain of the extent of industrial espionage. "But we get the occasional shadow," he said. Examples include reported Chinese attacks on the US military (and several European governments), car magazines that want pre-release pictures of new models, pharmaceutical companies looking for an edge over the competition, and Boeing vs Airbus, he said.
"You see it when for some reason one company starts winning a lot of bids against its competitors," Schneier said.
Schneier said US government agencies routinely bought data that federal and state laws prohibited them from collecting, and vice versa.
"It is not that government and criminals are in cahoots against individuals; it is more like government and big businesses are in cahoots against the competition."