Social Network For Security Executives: Network, Learn & Collaborate
Security is crucial for a society to flourish; otherwise it is only a matter of time before that society meets a sad end or shrinks to an unnoticeable size. The societies that exist today did two things exceptionally right in their past. One, they did not merely defend themselves against invaders but attacked as well. Two, when they could not beat the invaders, they did business with them. Such societies are flourishing even today; the others faded.
In today's society, digital computing is one of the major agents responsible for that flourishing and prosperity. Hence the digital computing infrastructure, the institutions that rely on it, and the users who benefit from both should be protected.
Today we have insurance for almost everything that has a market value. We can insure our lives and our health. Governments mandate that one insure one's vehicle. One can insure real estate. In fact, large insurance companies can provide cover for space missions. If you understand how insurance works, you can skip the rest of this paragraph and start from the next one. Insurance works on the simple principle that if N persons are insured against an event E, the probability of E happening to all N of them together (within a short time frame) is low, and it decreases as N increases. Consider a scenario where a company insures 100,000 people against loss of life for a modest fee of Rs. 10,000 per annum for a period of 10 years. So each insured pays Rs. 10,000 every year for 10 years, and if he dies, the insurer pays his family a large amount, say Rs. 15,00,000. The company thus collects 100,000 x 10,000 x 10, i.e. 100,000 x 100,000 rupees, over ten years and pays 15,00,000 to the family of each deceased. The most unfavourable case for the insurer is the death of all 100,000 persons; the most favourable is everyone surviving.
So the insurer needs some analysis of each individual who seeks insurance. The insurer will prefer persons from localities whose death rates are low. Now the insurer can say that event E is highly improbable, that it is really unfortunate if it occurs, and that the victim should be compensated for it. Such companies can even share their profits with health programmes, which in turn help both society and the companies.
Cyber insurance can be (and is) a powerful weapon against cyber attacks on enterprises. Just as a human being is mortal, an organization is always in danger of being breached. An organization can be compromised because of loose security policies, unaware users, backstabbing employees, or highly sophisticated attacks.
Cyber insurance will work on strict security principles. If an organization is insured, the insurer will pay for damages caused by cyber security attacks. A cyber insurer would prefer organizations that are good at security and have a low chance of being breached, and would try its best not to insure an organization that is in no way serious about security. As always, insurers generally insure only against highly improbable events. Now, if an organization keeps everything in place, spends millions of dollars on security, and was never breached for, say, 7 years, and then an attack happens and the organization loses some business, it can be compensated for those damages.
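The pool arithmetic behind the insurance principle two paragraphs above, and its cyber version in the paragraph just before this one, worked through as an added example (this code is not part of the original post). It uses the post's figures of a Rs. 10,000 premium and a Rs. 15,00,000 payout; the 0.5% annual breach probability, the 2% chance of a common-mode event and the 5% of the pool that such an event hits are assumptions chosen for illustration. For a pool of N insureds it computes exactly the probability that one year's claims exceed the premiums collected, first under the independence assumption the insurance principle relies on, then with a single event that breaches a fixed share of the pool at once, which is what one widely deployed flaw means for a cyber insurer:

```python
"""Pool arithmetic for an insurer (added example, not from the original post).

Assumptions, not taken from the page: every insured is breached independently
with annual probability p_breach, and the insurer "loses" a year when total
claims exceed total premiums.  The optional common-mode term models one event
(e.g. a single widely deployed vulnerability) that hits a fixed fraction of
the whole pool in the same year.
"""
import math


def binomial_tail(n: int, q: float, k_min: int) -> float:
    """P(K >= k_min) for K ~ Binomial(n, q).

    Summed in log space with lgamma so that pools of 100,000 do not overflow
    float arithmetic the way math.comb(n, k) * q**k would.
    """
    if k_min <= 0:
        return 1.0
    if k_min > n:
        return 0.0
    log_q = math.log(q)
    log_1mq = math.log1p(-q)
    lg_n = math.lgamma(n + 1)
    total = 0.0
    for k in range(k_min, n + 1):
        log_pmf = (lg_n - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                   + k * log_q + (n - k) * log_1mq)
        total += math.exp(log_pmf)  # exp of very negative values underflows to 0
    return min(total, 1.0)


def loss_year_probability(n: int, premium: int, payout: int, p_breach: float,
                          p_common: float = 0.0, common_fraction: float = 0.0) -> float:
    """Probability that claims exceed premiums in one year for a pool of n."""
    # Smallest claim count whose payouts exceed the premiums collected.
    k_min = (n * premium) // payout + 1
    independent = binomial_tail(n, p_breach, k_min)
    if p_common == 0.0:
        return independent
    # With probability p_common an extra floor(common_fraction * n) claims land
    # on top of the independent ones; only k_min - hit more are then needed.
    hit = int(common_fraction * n)
    with_common = binomial_tail(n, p_breach, k_min - hit)
    return (1 - p_common) * independent + p_common * with_common


if __name__ == "__main__":
    PREMIUM, PAYOUT = 10_000, 1_500_000   # the post's figures (rupees)
    P_BREACH = 0.005                      # assumed: 5 breaches per 1,000 insureds per year
    P_COMMON, COMMON_FRACTION = 0.02, 0.05  # assumed common-mode event parameters
    for n in (100, 1_000, 10_000, 100_000):
        indep = loss_year_probability(n, PREMIUM, PAYOUT, P_BREACH)
        corr = loss_year_probability(n, PREMIUM, PAYOUT, P_BREACH,
                                     P_COMMON, COMMON_FRACTION)
        print(f"N={n:>7}: P(losing year) independent={indep:.4f} "
              f"with common-mode event={corr:.4f}")
```

Under independence the chance of a losing year falls from about 39% at N = 100 to effectively zero at N = 100,000, which is exactly why the insurer wants a large pool of low-risk insureds. Add the common-mode event and that chance never drops below its 2%, however large the pool: a cyber insurer has to price and cap correlated exposure across its insureds, not only each insured's own breach probability.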
The emerging business model of cyber insurance will have two indirect but serious impacts:
1. Cyber security is of course big business, but it is purely technology-based. Cyber insurance will make it more commodity-based and couple it tightly with the finance industry. This will pressure stakeholders to take serious steps towards security, standards and their enforcement. Eventually, cyber insurance may become a key driver for an international internet police.
2. Cyber security insurers will themselves adopt offensive methodologies against cyber attacks and will force (or inspire) insured parties to be carefully defensive against them.
Here a loose parallel can be drawn between the two survival secrets of societies described above and these two impacts of cyber insurance.
Three basic questions need to be answered to put any insurance business into operation:
1. Which improbable event can an organization be insured against?
2. What will the insurance claim amount be if the event occurs?
3. What will the mode of paying the premium be, and how much premium has to be paid?
Cyber insurance as a case has two specific challenges which are not yet completely solved, and hence it presents lucrative opportunities for researchers as well.
First, advanced (and mature) technologies are required to assess the security standards deployed in a particular organization and the risk associated with it. Only if these two things can be quantified does it become possible for an insurer to state on what terms it can provide a policy to a prospective insured. We will also need advanced forensic techniques to verify the validity (or genuineness) of a cyber attack that is claimed to have happened.
Second, innovative business models need to be explored, and tough questions need to be answered in the language of insurance providers.
Cyber insurers are expected to bank on big data analytics to determine the expected rate of attacks for a typical group of enterprises. Once cyber insurance policies are on the market, the CISO has to choose the right policy for the organization. They need to be quite clear about what they want to insure against. For example:
1. Loss of business due to hours of shutdown
2. Loss of brand value due to data theft
3. Loss of employee productivity
4. Loss due to infrastructure damage
Cyber insurance is almost ready to play a larger role in enterprise security and risk policies. With this paradigm shift in risk management, skills such as big data analytics, security standards compliance testing, risk quantification and forensics are also expected to play important roles.