Firewall Wizards mailing list archives

RE: Lloyds to offer hacker insurance


From: Russ <Russ.Cooper () rc on ca>
Date: Thu, 30 Apr 1998 13:14:57 -0400

mjr said...
> My guess is that "security insurance" isn't going to take off
> in a big way. Companies are already sensitive about spending
> $$ to do security in the first place -- why would they spend
> $$$$ to avoid it?

It's far more obvious how to buy insurance than it is to secure a
network. Paying a policy premium is a heck of a lot more straightforward
than hiring/training/purchasing/implementing good security.

The only way I can see Security Insurance making security better is if
they distinguish between attacks against you and attacks from you.
Ideally, I would like to be able to lay a claim against a company with
security insurance due to someone/thing from their network "attacking"
me and causing me harm. This will lead to better legal enforcement of
"hacking", which in turn will possibly start to discourage its
widespread "abuse" amongst "kids".

Take spamming, for example: if I could actually enforce a claim against
someone who had an open SMTP server that was used for relaying spam to
me, it would hopefully cause them to close it.

If the insurance was a combination only deal, i.e. you must purchase
both inbound and outbound, then the cost of protecting yourself against
attacks is directly related to your attempts to prevent attacks
originating from your network. No different than saying that your car
insurance rates are not only affected by the kind of car you drive, but
also how well you drive it.

Once insurance companies start paying off against such claims, and more
get involved, they will quickly move to increase costs which will, in
turn, drive customers to spend those dollars on secure solutions...or so
the theory goes...;-]

Cheers,
Russ


