[ Thanks to Fred Mobach
for this link. ]
“Imagine the future…. Every business has network security
insurance, just as every business has insurance against fire,
theft, and any other reasonable threat. To do otherwise would be to
behave recklessly and be open to lawsuits. Details of network
security become check boxes when it comes time to calculate the
premium. Do you have a firewall? Which brand? Your rate may be one
price if you have this brand, and a different price if you have
another brand. Do you have a service monitoring your network? If
you do, your rate goes down this much.”
“This process changes everything. What will happen when the
CFO looks at his premium and realizes that it will go down 50% if
he gets rid of all his insecure Windows operating systems and
replaces them with a secure version of Linux?” The choice of
which operating system to use will no longer be 100% technical.
Microsoft, and other companies with shoddy security, will start
losing sales because companies don’t want to pay the insurance
premiums. In this vision of the future, how secure a product is
becomes a real, measurable, feature that companies are willing to
pay for…because it saves them money in the long run.”
“Other systems will be affected, too. Online merchants and
brick-and-mortar merchants will have different insurance premiums,
because the risks are different. Businesses can add authentication
mechanisms — public-key certificates, biometrics, smart cards —
and either save or lose money depending on their effectiveness.
Computer security “snake-oil” peddlers who make outlandish claims
and sell ridiculous products will find no buyers as long as the
insurance industry doesn’t recognize their value. In fact, the
whole point of buying a security product or hiring a security
service will not be based on threat avoidance; it will be based on
risk management.”