| When they are enforced | Before attacks occur | After attacks occur |
| Incentive | Regulation (rules) | Liability |
| How they work | Always follow required processes | Only matters when there is an attack |
| Benefits | Easier to tell if followed | Difficult to tell if not working |
| When costs happen | Regular budget (low risk) | Only when attacked (high risk) |
| Challenge | What rules will stop attacks? | Will liability be enough to motivate security? |
| Doesn’t work when | Lack info about harms, protections | Firms can’t be held liable, or can’t pay enough |