-----BEGIN PGP SIGNED MESSAGE-----

Remember what insurance boils down to: a gamble. You are betting that you
will need the insurance. The company is betting that you will not. On this
basis ANYTHING can be insured for a profit if the odds are calculated
correctly.

David Lang

On Mon, 27 Apr 1998, Marcus J. Ranum wrote:

> Date: Mon, 27 Apr 1998 09:35:45 -0400
> From: "Marcus J. Ranum" <mjrat_private>
> To: Firewall Wizards List <firewall-wizardsat_private>
> Subject: Re: Lloyds to offer hacker insurance
>
> Adam Shostack wrote:
> >I'm very curious as to what people think of the idea of insurance for
> >infosec failures. Will it encourage standards of due diligence and
> >due care for the industry, the way bank insurance has driven bank
> >safes to be stronger and stronger?
>
> I'm sure that it will, so it's a good thing. Presumably the insurance
> premium will be somehow tied to whether or not you observe due diligence
> at varying levels. I expect they tie it to some kind of review of
> existing practices -- much like when you get a million dollar life
> insurance policy in the US: they draw blood, do an EKG, and urinalysis.
> Very different from getting a $50,000 life insurance policy. You'll
> note the quote in the article from the guy from Asset Management
> Solutions, Inc, which helps with the assessments. About a year ago
> NCSA (now ICSA) did a similar deal where you could get web site
> insurance through Prudential, if you first passed their test. I
> suspect a lot of this is really a game to sell a high-priced ISS
> scan, which probably costs more than the insurance policy.
>
> Of course, as the CEO of a company that makes the Internet's most
> butt-kicking network event recorder, I'm thrilled to death to see
> this kind of thing, because it'll make NFR money. :) One of the
> things that's got to come up if anyone ever tries to lodge a claim,
> is proving that the damage was covered by the insurance! Let's say
> you have "firewall insurance" --- OOOPS you gotta be able to prove
> they broke in through the firewall, not the dialin server, because
> you don't have "modem pool insurance". And was that attack really
> covered by "firewall insurance"? It might have been an attack
> applet not covered because you didn't pay for the "java insurance"
> rider policy. Etc, etc. There's infinite room here for finger
> pointing. It's going to drive a whole new market for event
> recording, if it takes off.
>
> My guess is that "security insurance" isn't going to take off in
> a big way. Companies are already sensitive about spending $$ to do
> security in the first place -- why would they spend $$$$ to avoid
> it?
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNUXfAz7msCGEppcbAQG0CggArK6nk7h5DVlmQlCokeFWmxuXKVgtPRAQ
Zrg3aJGSVASKWfp8iRAVGaqK8q3F+rZjm5OrqAbRyYFNo/mjO20lfFguDHUUfecA
gRxHliKL370VjCjjj+P/WTDKj0/AGO1Ya+3RgOejrqll+dytlnGOdbQw9Jc+Epyp
jiYnIWT9aroFyogeBl5Ys4UTACR+5KT1tGGrBlrgmJuRDJx62pMAwf6ZudznT6iY
7hiIx+1f+Jsou359j7QLD9pEwAjgzwfigmlA3eFTcLoR6s6yDtjhcCVbY+o4pZ8R
zPG3XqKLD1UUz9RLLgEXVbCiaTwRbtd0Z1z6LKXPtDmW5ZrtZyv6vQ==
=agjf
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:11 PDT