John Quarterman has an interesting post about bonding companies for online insurance. I suspect this type of thing will come up more often and parallel the physical world – we create insurance and bonding programs all the time, for any number of reasons.
I confess that I am perplexed, however, by his statement that “the future of Internet security is insurance.” It gave me an opportunity to review a post I wrote quite a while ago on this topic. It is a short post, so here it is in its entirety:
It seems to be a fairly common assertion these days that security should be thought of like insurance. I disagree (surprised?). Insurance is what you do with the residual risk after you’ve done all you can (or want to). The “all you can” part is security. The leftover is giving up – that is insurance. So security and insurance are complementary, but insurance is more like “not-security.”
This is illustrated fairly easily when you consider your premium for insurance if you buy a cybersecurity policy. Premiums go up with weak security. Another way to think about it is as preventive maintenance (we do this today with cars and our health).
Security adds structure and control to our computing environment.
I don’t really get why people keep saying this about security. Sure, insurance is useful. But the implication is that it is okay to do less preventive stuff. I think insurance needs to be treated as a last resort.
Insurance and Prevention
Quite the opposite: insurance should increasingly become a driver for more application of tradtional Internet security.
Pete:
Reread JSQ’s next sentence –
“Or, when security becomes a matter of credit or operational risk beyond the control of a single company, risk management is the answer, and insurance is one of the first forms of financial risk transfer that can implement risk management.”
Nothing controverisal there. JSQ’s only “error” is one of verb tense — the future isn’t risk management, the present is.