Privacy & Data Security
May 08, 2004 7:52 pm
re: Insuring against information security risks
Richard Danielli
There are certain issues I feel that surround the concept of insuring against security breaches.
The insurance industry will only participate in situations where they have a reasonable expectation for profit. This expectation is based on costs and probability.
How would we measure the damage done by a hack, or even a simple web deface? How much monetary value can one place on intellectual property and public opinion? How can anyone provide assurances on the probability of a widespread security breach happening or not happening tomorrow?
So we should offer the hackers insurance against litigation, and then we move to providing the hacker targets with a real value add.
I don't see how the introduction of insurance would provide predictable costs for security infrastructure. Predictability would only be achieved through commoditization and there are too many unique circumstances to support a level of commoditization greater than we have now.
In regard to the revenue stream, I think that would last only until the next round of malware runs through the Internet. I believe it was ComDisco, the business continuity people, who tried to provide insurance for business and, because of an unforeseen event on Sept 11, 2001, they ended up filing Chapter 11.
One last point, for the most part the flaws in data security are carbon based and not found in the silicon.