by belorn 4145 days ago
The best defense an organization can employ is to make departments/managers/people economically liable. This results in insurance being bought, budgets assigned to risk management, and practical prevention mechanisms being implemented.

No organization likes being attacked, but any defensive measure that costs money will always be balanced against the potential loss, risk, and convenience of employees. If the risk feels low, the potential loss minimal (worst case, the government will intervene), and employee inconvenience from employing effective security schemes high, then no such efforts tend to be used.

1 comments

I'd like to see the sysadmin or programmer that is willing to take the loss if someone hacks the network (or an app) of his employer and steals a few hundred million dollars.
Professional Engineers (mechanical, civil, etc.) are exposed to liability for the buildings, bridges, etc. they approve.
But we are not liable as long as we follow standards, e.g. building codes. And it's easily verifiable by the government, the employer and the engineer himself whether the standards are being complied with.

Until you have similar standards for software development, I cannot see how such a liability shift could work. This is one of the reasons I tend to avoid using the phrase "software engineering". It's so different from traditional engineering that it feels incorrect to put it in the same category.

It's not enough to put standards into software development. Users can misuse software regardless of how well it's written, the same as if you build a bridge and users overload it.
Engineers are not liable for failing to prevent sabotage (like a bomb, for example), however.