IT Security: The Actuarial Table
Earlier this week I talked about building out an actuarial table for defining risk in information security, as a way of helping information security professionals get insured against the work that they do.
Now Dark Reading has a similar article, written by Tim Wilson, the site editor for Dark Reading, as part of the response to McAfee’s report “International Perspectives on Information Security Practices”.
On the 13th of December I wrote in the article “Information Security Malpractice” the following: “Defining malpractice enough to insure against it, and then defining the patterns and practices that will help build out an actuarial table so that risk can be defined in the classic insurance model is going to be difficult until we come up with a national body that defines the standards, patterns and practices for the information security industry.” (Dan)
This week at Dark Reading the thoughts were: “But insurance companies changed that cost/benefit perception by creating actuarial data that cross-references the likelihood of an event, its potential costs to the owner, and the effectiveness of specific safety features in preventing the event from occurring. They then gave the incentive to construction firms and other businesses to implement the most effective safety features by offering implementers a discount on insurance premiums.” (Dark Reading)
Three different sources of information, and the same idea within a 5-day span: a major company, a major security group, and my own company all thinking the same thing. Methods already exist for quantifying risk and for defining how to properly insure against it.
An actuarial table goes well beyond the simple math that SANS teaches for quantifying risk. The catch is that the data will have to be supplied by the people making claims against that insurance. As with a health or car insurance actuarial table, the more data there is, the more refined the table becomes, and the better we are able to quantify risk across business, government and private markets.
I would not be surprised if companies that specialize in risk, such as Lloyd’s of London and others, are already busy developing such risk models so that the process can be quantified in insurance risk terms. At least one company already offers “network security insurance”, and it states that:
“Network Security insurance coverage protects you from losses associated with unauthorized access to or theft of your data or e-business activities, computer viruses, denial of service attacks, as well as alleged unauthorized e-commerce transactions. The new digital world of network connectivity has served to significantly expand exposures to internal and external dangers. Data/system integrity problems, denial of service losses, and security breaches could all cause you to suffer significant revenue losses as well as represent a catastrophic blow to your organization’s reputation. Network security insurance is required to cover the potential losses by electronic theft or sabotage.” (Insure New Media)
As any industry matures, it becomes easier and easier to see which behavior is risky and which is not, and then to insure against the remaining unforeseen risk through an actuarial insurance system. This is one more sign that information security is maturing. As the field continues to grow, we will face growing demands, and companies will face pressure to have the best information security people on staff in order to keep insurance premiums low.
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.