Responsibilities for Risks of Innovations

Chat Date: 
Thu, May 18, 2017

Any innovation has risks. Who is responsible for managing them?

Recent ransomware attacks have illustrated the risks of operating information systems connected to the Internet. Operating such systems safely requires customers to follow procedures: managing passwords properly, and applying the updates vendors release so that products remain effective, and in particular remain safe.

How are the responsibilities for managing the risks of innovations split between vendor and customer?

This is not a new issue, at least at this meta-level. If you buy any product which is potentially dangerous, you expect the manufacturer and the vendor (who might not be the same) to provide a safe product. But there are limits. The safety of the product also requires you to operate it safely.

If you own and operate a car, it is your responsibility to check the oil level, the tyre pressures, etc. And if you drive it over a cliff, that is not the manufacturer's responsibility.

On the other hand, if you do follow the recommended procedures, including for maintenance, and the car does not perform as specified or is dangerous in some way, then the manufacturer has a responsibility.

How does the situation in information systems compare and contrast with that in other fields: aircraft, cars, electrical appliances, drugs, etc.?

In those other fields, in most countries, there is a third actor: a regulator. Products may not be offered for sale unless they have been tested and found to be safe. Maybe there is a role for regulation in the information systems field, so that products must be tested before they can be sold?


Let's discuss this topic during #innochat on Twitter on May 18th 2017, starting 12 noon Eastern time, based on the following questions:

  1. Who is responsible for the risks of using information systems?
  2. What responsibilities do customers have for information system risks?
  3. What responsibilities do vendors have for information system risks?
  4. How are the risks in information systems different from those for products in other fields?
  5. What benefits and costs would a regulator bring to the field of information systems?

