mjr said...

>My guess is that "security insurance" isn't going to take off
>in a big way. Companies are already sensitive about spending
>$$ to do security in the first place -- why would they spend
>$$$$ to avoid it?

It's far more obvious how to buy insurance than it is to secure a network. Paying a policy premium is a heck of a lot more straightforward than hiring/training/purchasing/implementing good security.

The only way I can see Security Insurance making security better is if they distinguish between attacks against you and attacks from you. Ideally, I would like to be able to lay a claim against a company with security insurance due to someone/thing from their network "attacking" me and causing me harm. This will lead to better legal enforcement of "hacking", which in turn will possibly start to discourage its widespread "abuse" amongst "kids".

Take spamming, for example: if I could actually enforce a claim against someone who had an open SMTP server that was used for relaying spam to me, it would hopefully cause them to close it.

If the insurance was a combination-only deal, i.e. you must purchase both inbound and outbound, then the cost of protecting yourself against attacks is directly related to your attempts to prevent attacks originating from your network. No different than saying that your car insurance rates are not only affected by the kind of car you drive, but also how well you drive it.

Once insurance companies start paying off against such claims, and more get involved, they will quickly move to increase costs which will, in turn, drive customers to spend those dollars on secure solutions...or so the theory goes...;-]

Cheers,
Russ
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:05 PDT