Felix Stalder on 17 Mar 2001 04:13:49 -0000
<nettime> Insurance and the Future of Network Security
This is, as usual for Bruce Schneier, a very well written article. It highlights to what degree questions that seem primarily technical (e.g. Windows vs. Linux) are shaped by non-technical factors (e.g. the design of insurance premiums). Things become even more muddled when it comes to vague notions such as "security", particularly when understood from the point of view of "risk management". The main argument, which is worth repeating, is that a system can be secure and hacked at the same time, depending on how you deal with risk.

Felix

[To: crypto-gram@chaparraltree.com
From: Bruce Schneier <schneier@counterpane.com>
Subject: CRYPTO-GRAM, March 15, 2001]

Insurance and the Future of Network Security

Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use -- along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use -- will be strongly influenced by the constraints of insurance.

Consider security, and safety, in the real world. Businesses don't install building alarms because it makes them feel safer; they do it because they get a reduction in their insurance rates. Building-owners don't install sprinkler systems out of affection for their tenants, but because building codes and insurance policies demand it. Deciding what kind of theft and fire prevention equipment to install are risk management decisions, and the risk taker of last resort is the insurance industry.

This is sometimes hard for computer techies to understand, because the security industry has trained them to expect technology to solve their problems. Remember when all you needed was a firewall, and then you were safe? Remember when it was an intrusion detection product? Or a PKI? I think the current wisdom is that all you need is biometrics, or maybe smart cards.
The real world doesn't work this way. Businesses achieve security through insurance. They take the risks they are not willing to accept themselves, bundle them up, and pay someone else to make them go away. If a warehouse is insured properly, the owner really doesn't care if it burns down or not. If he does care, he's underinsured. Similarly, if a network is insured properly, the owner won't care whether it is hacked or not. This is worth repeating: a properly insured network is immune to the effects of hacking. Concerned about denial-of-service attacks? Get bandwidth interruption insurance. Concerned about data corruption? Get data integrity insurance. (I'm making these policy names up, here.) Concerned about negative publicity due to a widely publicized network attack? Get a rider on your good name insurance that covers that sort of event. The insurance industry isn't offering all of these policies yet, but it is coming.

When I talk about this future at conferences, a common objection I hear is that premium calculation is impossible. Again, this is a technical mentality talking. Sure, insurance companies like well-understood risk profiles and carefully calculated premiums. But they also insure satellite launches and the palate of wine critic Robert Parker. If an insurance company can protect Tylenol against some lunatic putting a poisoned bottle on a supermarket shelf, anti-hacking insurance will be a snap.

Imagine the future.... Every business has network security insurance, just as every business has insurance against fire, theft, and any other reasonable threat. To do otherwise would be to behave recklessly and be open to lawsuits. Details of network security become check boxes when it comes time to calculate the premium. Do you have a firewall? Which brand? Your rate may be one price if you have this brand, and a different price if you have another brand. Do you have a service monitoring your network? If you do, your rate goes down this much.
This process changes everything. What will happen when the CFO looks at his premium and realizes that it will go down 50% if he gets rid of all his insecure Windows operating systems and replaces them with a secure version of Linux? The choice of which operating system to use will no longer be 100% technical. Microsoft, and other companies with shoddy security, will start losing sales because companies don't want to pay the insurance premiums. In this vision of the future, how secure a product is becomes a real, measurable, feature that companies are willing to pay for...because it saves them money in the long run.

Other systems will be affected, too. Online merchants and brick-and-mortar merchants will have different insurance premiums, because the risks are different. Businesses can add authentication mechanisms -- public-key certificates, biometrics, smart cards -- and either save or lose money depending on their effectiveness. Computer security "snake-oil" peddlers who make outlandish claims and sell ridiculous products will find no buyers as long as the insurance industry doesn't recognize their value. In fact, the whole point of buying a security product or hiring a security service will not be based on threat avoidance; it will be based on risk management. And it will be about time.

Sooner or later, the insurance industry will sell everyone anti-hacking policies. It will be unthinkable not to have one. And then we'll start seeing good security rewarded in the marketplace.

A version of this essay originally appeared in Information Security Magazine:
<http://www.infosecuritymag.com/articles/february01/columns_sos.shtml>

An article on hacking insurance:
<http://cgi.zdnet.com/slink?85060:8469234>

--------------------------------------------------------
<http://www.counterpane.com/>
Copyright (c) 2001 by Counterpane Internet Security, Inc.

-----
Facts are facts (Les faits sont faits).
http://www.fis.utoronto.ca/~stalder

# distributed via <nettime>: no commercial use without permission
# <nettime> is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
# archive: http://www.nettime.org contact: nettime@bbs.thing.net