The Insurance Takeover

  • Bruce Schneier
  • Information Security
  • February 2001

Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.

Consider security, and safety, in the real world. Businesses don’t install building alarms because it makes them feel safer; they do it to get a reduction in their insurance rates. Building owners don’t install sprinkler systems out of affection for their tenants, but because building codes and insurance policies demand it. Deciding what kind of theft and fire prevention equipment to install are risk management decisions, and the risk taker of last resort is the insurance industry.

This is sometimes hard for computer techies to understand, because the security industry has trained them to expect technology to solve their problems. Remember when all you needed was a firewall to make you feel safe? Remember when it was an intrusion detection system? Or a PKI? I think the current wisdom is that all you need is biometrics, or maybe smart cards.

The real world doesn’t work this way. Businesses achieve security through insurance. They take the risks they’re not willing to accept themselves, bundle them up, and pay someone else to worry about them. If a warehouse is insured properly, the owner really doesn’t care if it burns down or not. If he does care, he’s underinsured. Similarly, if a network is insured properly, the owner won’t care whether it’s hacked or not.

This is worth repeating: A properly insured network is immune to the effects of hacking. Concerned about denial-of-service attacks? Get bandwidth interruption insurance. (I’m making these policy names up here.) Concerned about data corruption? Get data integrity insurance. Concerned about negative publicity due to a widely publicized network attack? Get a rider on your good name insurance that covers that sort of event. The insurance industry isn’t offering all of these policies yet, but they will before long.

When I talk about this future at conferences, a common objection is that premium calculation is impossible. Again, this is a technical mentality talking. Sure, insurance companies like well-understood risk profiles and carefully calculated premiums. But they also insure satellite launches and the palate of wine critic Robert Parker. If an insurance company can protect Tylenol against some lunatic putting a poisoned bottle on a supermarket shelf, anti-hacking insurance will be a snap.

Imagine the future…. Every business has network security insurance, just as every business has insurance against fire, theft and any other reasonable physical threat. To do otherwise would be to behave recklessly and open up the organization to lawsuits. When it comes time to calculate the premium, the details of network security become checkboxes. Do you have a firewall? Which brand? Your rate may be one price if you have ABC brand, and a different price if you have XYZ brand. Do you have a PKI? If so, which kind and which brand? And so on.

This process changes everything. What will happen when the CFO realizes he can cut his insurance premium in half if he gets rid of all his insecure Windows OSes and replaces them with a hardened version of Linux? The choice of which OS to use will no longer be 100 percent technical. Microsoft, and other companies with shoddy security, will start losing sales because companies don’t want to pay the insurance premiums. In this future world, how secure a product is becomes a real, measurable feature that companies are willing to pay for…because it saves them money in the long run.

Other systems will be affected, too. Online merchants and brick ‘n’ mortar merchants will have different insurance premiums, because the risks are different. Businesses can add authentication mechanisms—public-key certificates, biometrics, smart cards—and either save or lose money depending on their effectiveness. Computer security snake-oil peddlers who make outlandish claims and sell ridiculous products will find no buyers as long as the insurance industry doesn’t recognize their value. In fact, the whole point of buying a security product or hiring a security service will not be based on threat avoidance; it will be based on risk management.

And it will be about time. Sooner or later, the insurance industry will sell everyone anti-hacking policies. It will be unthinkable not to have one. And then we’ll start seeing good security rewarded in the marketplace.
