I don’t really get why people keep saying this about security. Sure, insurance is useful. But the implication is that it is okay to do less preventive stuff. I think insurance needs to be treated as a last resort.

Nope, that’s not the implication at all.
To quote Hal Varian from way back in 2000:
At first glance, it appears that this is counterproductive: if you are perfectly insured against liability, why should you invest in risk management? But this ignores the incentives of the insurers: they only want to insure clients who use good security practices, giving them every incentive to instruct their clients in how to improve their Internet security.

The usual analogy is with fire insurance: you can’t get it unless you have a sprinkler system.

Managing Online Security Risks, Hal R. Varian, New York Times, 1 June 2000
Also, on the Internet, there are whole categories of risk that the individual enterprise cannot prevent. You can have all the firewalls, intrusion detection, and spyware detection you want, yet if there’s a slowdown or outage outside the firewall that keeps your customers from reaching your servers, you lose business, and none of that traditional Internet security helps at all.
Nonetheless, insurers selling Internet business continuity insurance will require you to have firewalls and other traditional security, because they don’t want to insure any bigger risk than they have to.
And in the specific case of Internet seller bonding in the previous post, if I were the bond issuer, I sure wouldn’t want to bond until I knew that the seller had all the usual traditional Internet security paraphernalia, because I wouldn’t want somebody breaking into that seller and causing a bad sale that would trigger the bond.
So insurance for Internet problems doesn’t reduce preventive measures. Quite the opposite: insurance should increasingly become a driver for more application of traditional Internet security.
-jsq