Re: Lloyds to offer hacker insurance

From: Paul D. Robertson (probertsat_private)
Date: Mon Apr 27 1998 - 18:34:53 PDT


    On Mon, 27 Apr 1998, Marcus J. Ranum wrote:
    
    > Adam Shostack wrote:
    > >I'm very curious as to what people think of the idea of insurance for
    > >infosec failures.  Will it encourage standards of due diligence and
    > >due care for the industry, the way bank insurance has driven bank
    > >safes to be stronger and stronger?
    > 
    > I'm sure that it will, so it's a good thing. Presumably the insurance
    
    I'm not so sure it's a good thing.  The medical insurance industry is 
    part of what got us ambulance chasing lawyers.  While the thoughts of 
    insurance mandating "safe" sites, such as blocking *outbound* spoofing are
    certainly tantalizing, I'm not so sure that this is an overall good thing.
    
    Insurance creates liability.  In the case of the computer industry, 
    making an administrator liable for insecurity is a double-edged sword.  
    It's almost time to start "Server Farm", the admin liability insurance 
    company...
    
    > premium will be somehow tied to whether or not you observe due diligence
    > at varying levels. I expect they tie it to some kind of review of
    > existing practices -- much like when you get a million dollar life
    > insurance policy in the US: they draw blood, do an EKG, and urinalysis.
    > Very different from getting a $50,000 life insurance policy. You'll
    > note the quote in the article from the guy from Asset Management
    
    I'm not so sure it won't be more like medical insurance, where you're 
    either rich enough to afford it, and to heck with your health, you can 
    always get it fixed for a $20 copayment, or you can't afford it, and you 
    cross your fingers and hope for the best.
    
    > Solutions, Inc, which helps with the assessments. About a year ago 
    > NCSA (now ICSA) did a similar deal where you could get web site
    > insurance through Prudential, if you first passed their test. I
    > suspect a lot of this is really a game to sell a high-priced ISS
    > scan, which probably costs more than the insurance policy.
    > 
    > pointing. It's going to drive a whole new market for event
    > recording, if it takes off.
    
    And a whole new market for legal services once that happens :(
    
    > 
    > My guess is that "security insurance" isn't going to take off in
    > a big way. Companies are already sensitive about spending $$ to do
    > security in the first place -- why would they spend $$$$ to avoid
    > it?
    
    Well, there I disagree; I've seen way too many companies throw money at a 
    firewall just to have one, without looking at what it does.  "We're 
    insured, we're safe" is a great deal easier to say than "Let's hire 
    someone competent to manage our security policy and tell us we can't have 
    hyper-video-active-browser-kill 4.0 coming in."
    
    "why would they spend $$$$ to avoid it?"  Because (1) the insurance will 
    pay off the shareholder lawsuits that due diligence won't.  (2) It 
    pushes things away from technological assessments of what's safe into 
    paying premiums for full coverage.  (3) Doing the right thing is painful.
    
    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
                                                                         PSB#9280
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:01 PDT