Information Security as Insurance
By Daniel Miessler on March 18th, 2008: Tagged as Information Security | Technology

Many years ago I read somewhere about the concept of information security as a function of insurance companies. The idea is that information security insurance would be prolific, and most companies would have an Information Assurance Policy that would absorb some of the financial risk of security-related incidents.
[Edit: So I shared this link with Bruce Schneier and he responded by pointing me to a similar piece he did -- in 2001. So, yeah, for my next vision I'm thinking about a control device for blocking network traffic based on "rules". I'm going to call it a Flamebarrier. More to follow.]
So in the event of a breach or a leak, x amount of money would be paid out by the insurance company based on how severe the incident was, etc. So FooInc lost 200,000 social security numbers and were assessed to have lost y amount of customer confidence (based on the number of cancellations) — so the payout is z. It sounds a bit squirrely I’m sure, but that’s because so many of these variables are squirrely. When the industry matures a bit it’ll be easy to base real numbers on these things.
Anyway, the idea is that we in infosec will all be either working for big IT companies such as IBM and Microsoft (see Schneier’s latest bit on this), or we’ll be working for the insurance companies themselves. If we’re working for the big IT giants we’ll be providing security to companies as a function of providing IT services, and if we’re working for the insurance companies we’ll be doing the audits.
How it Might Work
ACME company’s IT/IS provider is Microsoft, and they have an Information Assurance Policy (IAP) through FeelSafe insurance company. Their premium is based, as you might guess, on how “secure” they are. That equates to their premium being based on how secure an audit says they are — which is where the insurance company comes in.
The insurance company might do their own testing or they might hire someone like KPMG or PWC to do it. Either way the game is the same: perform a very well-defined list of tests against a given environment to determine how much risk they have of having an incident. So maybe they’ll do the following kinds of tests:
- World-class Attack and Pen
- General vulnerability scans
- Checklists for common controls, e.g. NIPS, HIPS, Anti-Malware, etc., and how they’re deployed
- Checking for the maturity level of their policies and procedures
- Rating how well the company’s IT/IS provider handled the incident caused when the testing was done. Did they report it? Did they stop it?
- How advanced is security awareness?
- etc.
…and all that gets rated and scored.
- What’s their COBIT maturity level in the following 10 areas? –> SCORE
- Do they have NIPS, HIPS, FW, AV to the following standards? –> SCORE
- Did they respond appropriately when attacked? –> SCORE
- Did control w reach standard x, y or z? –> SCORE
- etc.
At the end they tally up the scores and based on your company’s size and type of business they tell you how much your premium is going to be for a given amount of IA coverage. And of course there will be different flavors of coverage, like general policies, identity theft, or policies for loss of availability due to a server loss or failed backup, etc.
Interesting Outcomes
A couple of interesting things will potentially come from this:
Insurance companies will have a very strong interest in performing some SERIOUS testing of the companies they’re insuring. The Attack/Pen/VA/Auditing world will suddenly get real serious when insurance companies are standing behind their policies with millions of dollars. The results of those tests will determine premiums, and therefore financial risk, to the insurance companies.
Security vendors will have a whole new game to play. The game will be, “Our product implemented at level 7 will get you a 287 point drop in your IAP rating!” All the different IT companies will be fighting to get their products rated better, and will be advertising them based on what they’ll do for your IAP risk score.
Companies will have two things to consider: the amount of money they spend on their outsourced (and internal) security programs, vs. the amount they pay for their Information Assurance Insurance. Will they elect to just go with less of a program because it’s cheaper to insure against certain types of issues (like failing SOX audits, maybe)? Or will they always side with the better security program because certain types of incidents (e.g. public embarrassment, loss of reputation) are difficult to assign a dollar amount to?
Perhaps the most interesting thing about this is that the insurance companies will become the best judges of what products truly are secure, and which are crap. They’ll know this because they’ll have hard metrics to base their opinions on. And it’ll be in their best interest to have those metrics because they are what determine the financial risk — just as in the insurance industry we know today. The result will be ratings of products that actually matter.
Anyway, some cool ideas, but I’m not convinced the IT world is going to stabilize to any degree that would make this possible any time soon. To me the variables that affect IT risk are still fluctuating in such a violent and unpredictable manner that it would be almost impossible to base a business model on such metrics.
But I think the time will come, and perhaps it’ll happen quicker than we think.