Guidelines for labelling software against cyber attacks? Food for thought

In 2016 the Food & Drug Administration (FDA) in the United States mandated that added sugars be declared on food labels. The move was expected to save the US more than USD 30 billion in healthcare costs over the following 20 years.

If you read the label of any prescription drug, you will likely find a long list of potential side effects, many of which may be frightening. This leads to information overload and may have a chilling effect on some people who could benefit from certain medications. That is why, in healthcare, the key advice is for patients to ask their doctor about side effects: doctors are pretty good filters.

Similarly, in the IT environment there are so many types of software available for organisations to build up their cyber resiliency and manage their risk of cyber attacks that a comparable situation arises: an overload of information for organisations, with no equivalent of the doctor to filter it.

We wonder whether, to help organisations filter the options and decide more easily which preventive software to purchase and install, governments or the software industry would voluntarily label software the way pharmaceutical companies are required to label their drugs, i.e. with a list of potential side effects.

There have been discussions on standards, certification and labelling requirements for the connected devices that make up the Internet of Things (IoT). But progress has been slow, or a non-starter, because even the proponents are well aware that cybersecurity is not static. It is constantly evolving: a device considered secure on the day it is sold may not be secure thereafter, as new vulnerabilities are discovered. In short, security requires constant vigilance to stay one step ahead of those seeking to do harm. The other argument is that if users do not practise basic cyber hygiene, breaches will still happen, no matter what security processes and technology are installed.

But preventive software against cyber risks is like prescribed medication. Drugs are prescribed to minimise health risks; preventive software is installed to minimise cyber risks. If prescription drugs are required to carry warnings about their potential side effects, shouldn't the same apply to preventive software?

Just as the FDA requirement to label added sugars could save the US billions in healthcare costs, labelling software with its potential side effects and residual cyber risks could save organisations from the losses and damage that follow a breach of their network.