Last month I wrote about the economic return of security and how the status quo over insecure code will not really change until the 'externalities' of software development and deployment can be turned into liabilities against the perpetrators (see http://www.infosecnews.com/opinion/2003/03/19_04.htm).
In this article I explore how the insurance model can potentially inject new genetic code into the DNA of the information security industry to accelerate its evolution towards a 21st century of best practices. The insurance model holds some pretty interesting cards with regard to reducing losses and providing a real economic benefit to security spending. But just as with the dinosaurs, this evolution will not happen without a lot of help from end-users, government regulators, and the court system.
First, a few words of explanation on how the insurance model works and how it can potentially impact the state of information security. Insurers collect premiums in the expectation (or hope) that they won't have to pay out as much in claims should something bad occur. They are betting their economic livelihood that they can spread the risk of something bad happening across a large enough population to decrease the chances of a catastrophic loss at any one company putting them out of business. As long as the insurer can take in more revenue than it has to pay out in claims and overheads it turns a profit and can remain in business.
Two results follow from this model. First, in an emerging market like information security the insurer tends to make only 'safe' bets on which events to indemnify losses against, much the same way the house at a casino always wins in the long run. That is why the industry has specifically modified its standard policies to exclude coverage against losses from information security breaches. Hacker insurance is available, but at an extra cost. Second, and more important, as the market matures insurers must get very good at estimating risk; otherwise they will eventually make a string of bad bets and go out of business.
This risk estimation requires good data, not only on the types of possible losses (and therefore the threats that can create these losses) but also on the status of the information security defenses at the insured company. That's why you see insurers such as AIG partnering with information security risk specialists like Computer Associates, Predictive Systems, Unisys, Vigilante and RipTech (now part of Symantec). However, this is only primordial progress in the vast scheme of information security market evolution. Without a new level of maturity in the information security risk model the market will not evolve quickly enough to sustain a viable insurance business. With the insurers making only safe bets the information security market does not have much incentive to clean up its act. The result is the insurer's bets do not do much to advance the state of information security.
A few factors need to come into play before the insurance model can take hold. First, there needs to be competition amongst insurers to encourage them to take risks and push the envelope of what is a covered loss. Today few competitors have entered this space, leaving AIG with 70 percent of the market. With few insurers, the incentive for any one of them to take a risk and provide a level of coverage that might truly protect against unforeseen events is fairly low. Second, there need to be standards of due care established in the insured companies with respect to minimal safeguards and best practices to avoid the risk of loss in the first place. Security standards like ISO 17799/BS7799 can help to provide a common framework with which to evaluate security compliance, much the same way standardized testing in schools can help identify weaknesses in educational policy.
Third, the insurers need to work with the software companies and system integrators to develop new development and implementation methodologies such that IT infrastructures are inherently safer. This happened on the property and casualty side over a century ago with the introduction of fire suppression systems and flame resistant building materials in the building construction trade.
Finally, systems will need to be put in place to enforce compliance with mandated regulations and to provide a minimum standard of 'due care' that can be enforced in the courts. Here in the U.S., we are starting to see some encouraging signs with the recent flurry of regulations in the health care (Health Insurance Portability and Accountability Act - HIPAA) and financial services (Gramm-Leach-Bliley and Sarbanes-Oxley, to name two) industries. Hopefully some information security best practices will emerge out of these two industries that, when combined with a maturing insurance model, will push the entire industry into the next evolutionary epoch. Perhaps not as quickly as in Jurassic Park, but inevitably.
Robert Lonadier is president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached at firstname.lastname@example.org. RCL does not currently have any relationships with the companies mentioned in this article.