Felix Stalder on 16 Mar 2001 20:51:57 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Nettime-bold] Insurance and the Future of Network Security

This is, as usual for Bruce Schneier, a very well written article. It
highlights to what degree questions that seems primarily  technical (e.g.
windows vs linux) are shaped by nontechnical factors (e.g. design of
insurance premiums). Things become even more ,muddles when it comes to
vague notions such as "security" particularly when understood when
understood from the point of view of "risk management". The main argument,
which is worth repeating, is that a system can be secure and hacked at the
same time, depending on how you deal with risk. Felix

[To: crypto-gram@chaparraltree.com
From: Bruce Schneier <schneier@counterpane.com>
Subject: CRYPTO-GRAM, March 15, 2001]

Insurance and the Future of Network Security

Eventually, the insurance industry will subsume the computer security
industry. Not that insurance companies will start marketing security
products, but rather that the kind of firewall you use -- along with the
kind of authentication scheme you use, the kind of operating system you
use, and the kind of network monitoring scheme you use -- will be strongly
influenced by the constraints of insurance.

Consider security, and safety, in the real world. Businesses don't install
building alarms because it makes them feel safer; they do it because they
get a reduction in their insurance rates. Building-owners don't install
sprinkler systems out of affection for their tenants, but because building
codes and insurance policies demand it. Deciding what kind of theft and
fire prevention equipment to install are risk management decisions, and the
risk taker of last resort is the insurance industry.

This is sometimes hard for computer techies to understand, because the
security industry has trained them to expect technology to solve their
problems. Remember when all you needed was a firewall, and then you were
safe? Remember when it was an intrusion detection product? Or a PKI? I
think the current wisdom is that all you need is biometrics, or maybe smart

The real world doesn't work this way. Businesses achieve security through
insurance. They take the risks they are not willing to accept themselves,
bundle them up, and pay someone else to make them go away. If a warehouse
is insured properly, the owner really doesn't care if it burns down or not.
If he does care, he's underinsured. Similarly, if a network is insured
properly, the owner won't care whether it is hacked or not.

This is worth repeating: a properly insured network is immune to the
effects of hacking. Concerned about denial-of-service attacks? Get
bandwidth interruption insurance. Concerned about data corruption? Get data
integrity insurance. (I'm making these policy names up, here.) Concerned
about negative publicity due to a widely publicized network attack? Get a
rider on your good name insurance that covers that sort of event. The
insurance industry isn't offering all of these policies yet, but it is

When I talk about this future at conferences, a common objection I hear is
that premium calculation is impossible. Again, this is a technical
mentality talking. Sure, insurance companies like well-understood risk
profiles and carefully calculated premiums. But they also insure satellite
launches and the palate of wine critic Robert Parker. If an insurance
company can protect Tylenol against some lunatic putting a poisoned bottle
on a supermarket shelf, anti-hacking insurance will be a snap.

Imagine the future.... Every business has network security insurance, just
as every business has insurance against fire, theft, and any other
reasonable threat. To do otherwise would be to behave recklessly and be
open to lawsuits. Details of network security become check boxes when it
comes time to calculate the premium. Do you have a firewall? Which brand?
Your rate may be one price if you have this brand, and a different price if
you have another brand. Do you have a service monitoring your network? If
you do, your rate goes down this much.

This process changes everything. What will happen when the CFO looks at his
premium and realizes that it will go down 50% if he gets rid of all his
insecure Windows operating systems and replaces them with a secure version
of Linux? The choice of which operating system to use will no longer be
100% technical. Microsoft, and other companies with shoddy security, will
start losing sales because companies don't want to pay the insurance
premiums. In this vision of the future, how secure a product is becomes a
real, measurable, feature that companies are willing to pay for...because
it saves them money in the long run.

Other systems will be affected, too. Online merchants and brick-and-mortar
merchants will have different insurance premiums, because the risks are
different. Businesses can add authentication mechanisms -- public-key
certificates, biometrics, smart cards -- and either save or lose money
depending on their effectiveness. Computer security "snake-oil" peddlers
who make outlandish claims and sell ridiculous products will find no buyers
as long as the insurance industry doesn't recognize their value. In fact,
the whole point of buying a security product or hiring a security service
will not be based on threat avoidance; it will be based on risk management.

And it will be about time. Sooner or later, the insurance industry will
sell everyone anti-hacking policies. It will be unthinkable not to have
one. And then we'll start seeing good security rewarded in the marketplace.

A version of this essay originally appeared in Information Security Magazine:

An article on hacking insurance:

Copyright (c) 2001 by Counterpane Internet Security, Inc.

Les faits sont faits.

Nettime-bold mailing list