Showing posts with label insurance. Show all posts

Saturday, September 29, 2007

Cyberinsurance in IT Security Management

One more thought before I retire this evening. I really enjoyed reading Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. Here are my favorite excerpts.

IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks, and mitigation measures such as backup hardware and software systems to reduce losses should a security breach occur. In a networked IT environment, however, the economic incentives to invest in protective security measures can be perverse. My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others.

In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good — and susceptible to the free-rider problem. As a consequence, private individuals and organizations won’t invest sufficiently in IT security to provide an optimal (or even adequate) level of societal protection.

In other areas, such as fire protection, insurance has helped align private incentives with the overall public good. A building owner must have fire insurance to obtain a mortgage or a commercial business license. Obtaining insurance requires that the building meet local fire codes and underwriting standards, which can involve visits from local government and insurance company inspectors. Insurance investigators also follow up on serious incidents and claims, both to learn what went wrong and to guard against possible insurance abuses such as arson or fraud. Insurance companies often sponsor research, offer training, and develop best-practice standards for fire prevention and mitigation.

Most important, insurers offer lower premiums to building owners who keep their facilities clean, install sprinklers, test their control systems regularly, and take other protective measures. Fire insurance markets thus involve not only underwriters, agents, and clients, but also code writers, inspectors, and vendors of products and services for fire prevention and protection. Although government remains involved, well-functioning markets for fire insurance keep the responsibility for and cost of preventive and protective measures largely within the private sector.

That is so compelling. Unfortunately, the cyberinsurance market is currently small:

[B]usinesses now generally buy stand-alone, specialized policies to cover cyberrisks. According to Betterley Risk Consultants surveys, the annual gross premium revenue for cyberinsurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid 2006. These estimates, which are based on confidential survey responses from companies offering cyberinsurance, are nearly an order of magnitude below earlier projections made by market researchers and industry groups such as the Insurance Information Institute.

But Betterley, like many other industry experts, believes that cyberinsurance will be one of the fastest growing segments of the property and casualty market over the next several years. With only 25 percent of respondents to the most recent Computer Security Institute/US Federal Bureau of Investigation Computer Crime and Security survey reporting that, “their organizations use external insurance to help manage cybersecurity risks,” the market has plenty of room for growth.

So what are the problems?

The reported 25 percent cyberinsurance adoption rate appears low to many observers, given well-publicized increases in IT security breaches and greater regulatory pressures to deal with them. Although we could partially attribute the slow uptake to how long it takes organizations to acknowledge new security risks and budget for them, several other factors seem to be of particular concern for cyberinsurance. They include problems of asymmetric information, interdependent and correlated risks, and inadequate reinsurance capacity...

Insurance companies feel the effect of asymmetric information both before and after a customer signs an insurance contract. They face the adverse selection problem—that is, a customer who has a higher risk of incurring a loss (through risky behaviors or other—perhaps innate—factors) will find insurance at a given premium more attractive than a lower-risk customer. If the insurer can’t differentiate between them—and offer differentiated premiums—it won’t be able to sustain a profitable business.

Of course, to some extent, insurance companies can differentiate between risk types; sophisticated models can predict risk for traditional property/casualty insurance, and health insurance providers try to identify risk factors through questionnaires and medical examinations. Insurers can also apply these mechanisms to cyberinsurance: they can undertake rigorous security assessments, examining in-depth IT deployment and security processes.

Although such methods can reduce the asymmetric information between insurer and policyholder, they can never completely eliminate it. Particularly in the information security field, because risk depends on many factors, including technical and human factors and their interaction, surveys can’t perfectly quantify risk, and premium differentiation will be imperfect.

The second impact of asymmetric information occurs after an insurance contract has been signed. Insured parties can take (hidden) actions that increase or decrease the risk of claiming (for example, in the case of car insurance, driving carelessly, not wearing a seatbelt, or failing to properly maintain the car), but the insurer can’t observe the insured’s actions perfectly. Under full insurance, an individual has little incentive to undertake precautionary measures because any loss is fully compensated—a problem economists term moral hazard.

Insurers may be able to mitigate certain actions through partial insurance (so making a claim carries a monetary or convenience cost) and clauses in the insurance contract—for example, policyholders must usually meet a set standard of care, and fraudulent or other criminal actions (such as arson) are prohibited. However, many actions remain unobservable, and it’s difficult to prove that a client didn’t meet a due standard of care.

Cyberinsurers could administer surveys at regular intervals and link coverage to a certain minimum standard of security. Although this might be feasible from a technical standpoint, human factors are often the weakest link in the chain and possibly unobservable, so the moral hazard problem might not be completely alleviated, implying that the purchase of cyberinsurance could in fact reduce efforts on information security. Nevertheless, purchasers also have incentives to increase effort—that is, to invest in security to obtain insurance or reduce premiums—that would outweigh moral hazard effects in a viable and well-functioning market.

The problem of asymmetric information is common to all insurance markets; however, most markets function adequately given the range of tactics used by insurance companies to overcome these information asymmetries. Many of these remedies have developed over time in response to experience and result in the well-functioning insurance markets we see today.

This gives me some hope. The article continues:

[G]overnment actions to spur development of the cyberinsurance market could include assigning liability for IT security breaches, mandating incident reporting, mandating cyberinsurance or financial responsibility, or facilitating reinsurance by indemnifying catastrophic losses. Clarifying liability law to assign liability “to the party that can do the best job of managing risk” would make good economic sense, but it seems a political nonstarter in the US—and the problem’s global nature would require a global response.

Similarly, government regulations that mandate reporting of cyberincidents (similar to that required for civil aviation incidents and contagious disease exposures) appear to have little political support. Probably more plausible in the short run would be contractual requirements that government contractors carry cyberliability insurance on projects highly dependent on IT security...

Jane Winn of the University of Washington School of Law has proposed a self-regulatory strategy, based on voluntary disclosures of compliance with security standards and enforcement through existing trade practices law, as a politically more viable alternative than new government regulation. Such a strategy would require increased public awareness of cybersecurity (with possible roles for government) as well as public demand that organizations disclose whether they comply with technical standards or industry best practices.

Disclosures would be monitored for compliance by their customers and competitors; and in the case of deceptive advertising, the US Federal Trade Commission could take enforcement action under existing regulation. This strategy could spur cyberinsurance adoption, which would indicate that the organization has passed a security audit or otherwise met underwriters’ security standards.

Perhaps the most important role for government would be to facilitate a full and deep cyberreinsurance market, as the UK and US have done for reinsurance of losses due to acts of terrorism.

What a great article. I recommend reading it.

Security Staff as Ultimate Insurance

I'm continuing to cite the Fifth Annual Global State of Information Security:

Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.

The IT department wants to control security again.

In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.

The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project — which might slow down the project and add to its cost — he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."

Ouch. CIO continues:

What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."

In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.

That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?

One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

Interesting. The article finishes with these thoughts:

[M]aybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit."

This leads me to the title of my post. What if security staff is the ultimate insurance -- for the CIO? In other words, what if the CIO performs "security theater," creating a CISO position and staff, but doesn't give the CISO the authority or resources to properly defend the enterprise? If no breaches (seem to) occur, then the CIO looks like a hero for keeping security spending low. If a breach does occur (and is discovered), the CIO blames the CISO. The CISO is fired and the CIO keeps his/her job -- at least for now. I don't see a CIO executing this strategy more than once successfully.

What do you think?