Category Archives: Internet risk management strategies

Insurance and Risk Management

Maybe I hit a nerve recently. Over on Specialty Insurance Blog, Bob Sargent follows up on my post about Insurance and Prevention with this:

We use the term risk management rather than prevention, and find that insurers insist on risk management. In professional liability this is the core of the underwriting process. For example, professional liability underwriters expect their professional insureds to have robust internal procedures and systems, and underwriters of D&O expect insureds to follow the internal control directives embodied in Sarbanes-Oxley.

Sargent provides a concrete example of an employment practices liability application, and sums up the general situation:

Rather than insurance being a replacement for risk management, our experience is that insurance drives risk management.

Also, AIG has told me that their Internet business continuity insurance requires an assessment to see if the customer has traditional Internet security before selling them the insurance. Sargent’s summation applies in every case of Internet-related insurance I’ve seen so far.

-jsq

Why Phishing Works

Short version of why phishing works: users don’t look at the URL because they don’t understand URL or domain syntax, and they do believe graphics; if a web page has a security symbol on it, they think it’s secure. A long academic paper is referenced by a news story:

For their paper, titled "Why Phishing Works" (PDF here), Rachna Dhamija of Harvard University and Marti Hearst and J.D. Tygar of the University of California at Berkeley conducted tests on a small sample of users. They found that 90 percent of subjects were unable to pick out a highly effective phishing e-mail when simply judging whether or not it was genuine.

The secret of phishers’ success By Will Sturgeon, Special to CNET News.com, Published: April 3, 2006, 10:20 AM PDT

In other words, people believe what they see. Seeing may be believing, but it’s not very good security.

-jsq

Yahoo Sued on Behalf of Imprisoned Chinese Activist

Occasionally I’ve posted items about the problems of U.S. companies such as Yahoo!, Google, Cisco, and Microsoft kowtowing to the Chinese government’s rules. A new wrinkle is that someone in China has lodged a complaint against Yahoo! for its part in the current imprisonment of the Chinese activist Shi Tao.

Is it good risk management to do things that keep being brought up as bad by legislatures and journalists?

-jsq

PS: Seen on BoingBoing.

Insurance and Prevention

Over on Spire Security Viewpoint they quote me from yesterday, “the future of Internet security is insurance.” Then they remark:

I don’t really get why people keep saying this about security. Sure, insurance is useful. But the implication is that it is okay to do less preventive stuff. I think insurance needs to be treated as a last resort.

Nope, that’s not the implication at all.

Credit Cards as Online Insurance

For small transactions, many of us depend on credit cards as effectively online insurers, because credit card companies will void fraudulent transactions. This was necessary a few days ago for thousands of transactions worth millions of dollars.

The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET News.com spoke, and more likely happened at other Web hosts, these three companies said.

Payment processor fears credit card crooks By Joris Evers, Staff Writer, CNET News.com, Published: April 3, 2006, 7:27 PM PDT

For once, automated online feedback mechanisms provided the leverage needed to counter the leverage crooks get by using the Internet. Also, multiple eyes at multiple merchants spotted it due to that feedback.

The Insured Online Checkout Lane

Here’s an example of online insurance: BuySAFE insures online transactions up to $25,000. They do due diligence on merchants and bond them for up to that amount. Their partners include eBay for online markets and Liberty Mutual as the bond issuer.

The founder, Steve Woda, used to be a surety bond underwriter. Woda says his inspiration was when he bought a PDA on eBay and got ripped off. Instead of whining, he started a company to deal with it. Apparently he went to the Wharton School of Business at the University of Pennsylvania to learn how to do a startup that he originally called BondMyAuction. The president of BuySAFE is Jeff Grass, who formerly founded PayMyBills.com, since sold to PayTrust.

BuySAFE is more evidence that Dan Geer, Bruce Schneier, and Hal Varian have been right all along: the future of Internet security is insurance. Or, when security becomes a matter of credit or operational risk beyond the control of a single company, risk management is the answer, and insurance is one of the first forms of financial risk transfer that can implement risk management.

-jsq

PS: Thanks to Bob Stratton (CTO, Revive Systems, Inc.) for the pointer.

Software Telephony

This is what caught my eye:

Electric utility Southern Co. is using Asterisk in a pilot program to translate voicemail into text messages for 30 managers’ BlackBerrys.

Never mind the BlackBerry angle: finally, something to translate slow and opaque voice messages into searchable and readily fileable text!

This is the story hook:

Spencer is the inventor of Asterisk, a free software program that establishes phone calls over the Internet and handles voicemail, caller ID, teleconferencing and a host of novel features for the phone. With Asterisk loaded onto a computer, a decent-size company can rip out its traditional phone switch, even some of its newfangled Internet telephone gear, and say good-bye to 80% of its telecom equipment costs. Not good news for Cisco (Nasdaq: CSCO), Nortel or Avaya (NYSE: AV).

Dial D for Disruption, Quentin Hardy, Forbes.com, 10 March 2006

It’s taken decades for somebody to turn VoIP software (anybody remember vat?) into a business. The reporter is playing it up as open source disruption to the office telecom equipment market, but it goes farther than that.

POTS is Dead! Long Live the ILECs?

Chandler Howell remarks:

POTS is dead, it’s just being kept on life support by the SBC’s, AT&T’s and BellSouths of the world until they figure out how to extend their monopoly rents up the IP stack past the wire.

This is in a blog entry about John Robb’s essay that proposes that parallel communications networks for first responders may spread as more general wireless networks, thus subverting the Incumbent Local Exchange Carrier (ILEC) gerontocracy. John Robb is no stranger to networks, having spent some years as COO of a successful network monitoring firm. He is normally so realistic in using network science to explain terrorist activities that he may appear to be the most Cassandra-like of pessimists, so it was a little surprising when I earlier encountered his prediction.

Piracy is as Piracy Does

Interesting note here about how the MPAA is blaming piracy for 9% less revenue last year. Why is it always piracy? Maybe Lucas is right; maybe the era of the blockbuster is over. If so, blaming the customers for demonstrating a market need for something else delivered differently won’t solve the motion picture industry’s malaise.