Smeed’s law and information security


Will Smeed's law apply to the dangers from hackers? Probably not. Here's why.

Smeed's law is based on a 1949 observation by Reuben Smeed that the number of deaths per vehicle from automobile accidents tends to decrease over time. So even if the number of cars driven increases dramatically, the number of deaths caused by cars will decrease even faster than the number of cars increases, resulting in fewer deaths per car.

Smeed claimed that this was due to a sort of group psychology that understands and adapts to risks over time. Some data suggests (PDF), for example, that when cars with modern safety features are used in developing countries the fatality rates per car are much higher than you'd expect for the same car driven in a more developed country, which is exactly what we'd expect from Smeed's law.

Let's suppose that people's behavior actually causes Smeed's law. If that's true, we might expect them to adapt to the dangerous world of the Internet, learning to avoid phishing, etc., over time. But this doesn't seem to be happening. That's probably because the threat environment changes too quickly. What's a very serious information security threat today may not be serious at all a year from now, and a year may be too short a time for the group psychology of Internet users to understand and adapt their behavior to the changing threat.

And unless the adaptation is close to perfect, it may not be enough to significantly affect the threat landscape. If people adapted to spam by never clicking on it, for example, then spamming would become unprofitable and the flood of spam would stop. But because it takes very few people falling for spam-based schemes for the schemes to be profitable, it's unlikely that it will ever be possible for enough people to adapt to spam enough to make it disappear. So even if the group psychology effect of Smeed's law is real, it seems unlikely that its effects will ever be significant for the risks that information security manages.

