Will Insurance Drive Stronger Security?

It is clear to me now that the phrase “the future of Internet security is insurance,” as used on Perilocity, does not actually propose insurance as a replacement for security (although I believe its awkward syntax suggests that reading) and is actually intended to mean “insurance will be a driver for stronger Internet security.” I have been thinking about this a lot since the previous posts, because I still can’t figure out how insurance will have a significant impact. I understand the argument; I just think that regulation got there first. That, and the PCI standards. And SAS 70s and attestations and every other requirement under the sun.

Sure, insurance may come with prerequisites, but I can’t come up with any scenario strong enough to be a significant driver for security over and above what exists today. Business continuity insurance – companies already have it. Consumer liability insurance – already covered by regulation. Professional liability insurance – a possibility, but it doesn’t seem like something with enough magnitude.

(Note: Specialty Insurance Blog weighed in as well with an opinion that substantially supports Perilocity’s. As an aside, I believe their use of the term “risk management” as a synonym for prevention is inaccurate: an organization can manage its risks very closely and yet still be highly risk tolerant and willing to accept them.)