** *** ***** ******* *********** *************
Insurance and the Future of Network Security
Eventually, the insurance industry will subsume the computer security
industry. Not that insurance companies will start marketing security
products, but rather that the kind of firewall you use -- along with the
kind of authentication scheme you use, the kind of operating system you
use, and the kind of network monitoring scheme you use -- will be strongly
influenced by the constraints of insurance.
Consider security, and safety, in the real world. Businesses don't
install building alarms because it makes them feel safer; they do it
because they get a reduction in their insurance rates. Building owners
don't install sprinkler systems out of affection for their tenants, but
because building codes and insurance policies demand it. Deciding what
kind of theft and fire prevention equipment to install is a risk management
decision, and the risk taker of last resort is the insurance industry.
This is sometimes hard for computer techies to understand, because the
security industry has trained them to expect technology to solve their
problems. Remember when all you needed was a firewall, and then you were
safe? Remember when it was an intrusion detection product? Or a PKI? I
think the current wisdom is that all you need is biometrics, or maybe
smart cards.
The real world doesn't work this way. Businesses achieve security through
insurance. They take the risks they are not willing to accept themselves,
bundle them up, and pay someone else to make them go away. If a warehouse
is insured properly, the owner really doesn't care if it burns down or
not. If he does care, he's underinsured. Similarly, if a network is
insured properly, the owner won't care whether it is hacked or not.
This is worth repeating: a properly insured network is immune to the
effects of hacking. Concerned about denial-of-service attacks? Get
bandwidth interruption insurance. Concerned about data corruption? Get
data integrity insurance. (I'm making these policy names up here.)
Concerned about negative publicity due to a widely publicized
network attack? Get a rider on your good name insurance that covers that
sort of event. The insurance industry isn't offering all of these
policies yet, but it is coming.
When I talk about this future at conferences, a common objection I hear is
that premium calculation is impossible. Again, this is a technical
mentality talking. Sure, insurance companies like well-understood risk
profiles and carefully calculated premiums. But they also insure
satellite launches and the palate of wine critic Robert Parker. If an
insurance company can protect Tylenol against some lunatic putting a
poisoned bottle on a supermarket shelf, anti-hacking insurance will be a snap.
Imagine the future... Every business has network security insurance,
just as every business has insurance against fire, theft, and any other
reasonable threat. To do otherwise would be to behave recklessly and be
open to lawsuits. Details of network security become checkboxes when it
comes time to calculate the premium. Do you have a firewall? Which
brand? Your rate may be one price if you have this brand, and a different
price if you have another brand. Do you have a service monitoring your
network? If you do, your rate goes down this much.
This process changes everything. What will happen when the CFO looks at
his premium and realizes that it will go down 50% if he gets rid of all
his insecure Windows operating systems and replaces them with a secure
version of Linux? The choice of which operating system to use will no
longer be 100% technical. Microsoft, and other companies with shoddy
security, will start losing sales because companies don't want to pay the
insurance premiums. In this vision of the future, how secure a product is
becomes a real, measurable feature that companies are willing to pay
for, because it saves them money in the long run.
Other systems will be affected, too. Online merchants and
brick-and-mortar merchants will have different insurance premiums, because
the risks are different. Businesses can add authentication mechanisms --
public-key certificates, biometrics, smart cards -- and either save or
lose money depending on their effectiveness. Computer security
"snake-oil" peddlers who make outlandish claims and sell ridiculous
products will find no buyers as long as the insurance industry doesn't
recognize their value. In fact, the whole point of buying a security
product or hiring a security service will not be based on threat
avoidance; it will be based on risk management.
And it will be about time. Sooner or later, the insurance industry will
sell everyone anti-hacking policies. It will be unthinkable not to have
one. And then we'll start seeing good security rewarded in the marketplace.
A version of this essay originally appeared in Information Security Magazine:
<http://www.infosecuritymag.com/articles/february01/columns_sos.shtml>
An article on hacking insurance:
<http://cgi.zdnet.com/slink?85060:8469234>