Insurance and the computer industry

Consider security and safety in the real world. Businesses don’t install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates. Hotels and office buildings don’t install sprinkler systems because they’re concerned about the welfare of their tenants, but because building codes and insurance policies demand it. These are all risk management decisions, and the risk-taker of last resort is the insurance industry.

This is sometimes difficult for computer science professionals to understand because they are so used to technologies solving their problems. In the real world, businesses get security through insurance. They take the risk they are not willing to accept themselves, package it up, and pay someone else to take it. If a warehouse is insured properly, the owner really doesn’t care if it burns down. If the owner does care, he or she is underinsured. If a network is insured properly, the owner won’t care whether it is hacked or not.

Imagine the future: Every business has network security insurance, just as every business has insurance against fire, theft, and any other reasonable threat. To do otherwise would be to behave recklessly as an executive and be open to lawsuits. Details of network security become check boxes when it comes time to calculate the premium. Do you have a firewall? Which brand? Your rate may be one price if you have one brand, and a different price if you have another brand. Do you have a managed security monitoring service? If you do, your rate is lower.

This process changes everything. What will happen when the CFO looks at his premium and realizes it would go down 50% if the company got rid of all insecure Windows operating systems and replaced them with a secure ver