Saturday, 21 July 2007

Cyber Insurance in Information Security

To be honest, when I first saw the title of this article I ignored it, but I was surprised when I looked at the figures presented in the article. The annual gross premium revenue for cyber insurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid 2006 (The Reference). The author of the article claims that by expanding this market, insurance companies could drive the information security industry and make it more sustainable and controlled. I followed one of his references, “Computer Security: It’s the Economics, Stupid,” by B. Schneier.

Mr. Schneier explains well some facts about investment in information security by software vendors and the private sector. He said:

most organizations don’t spend a lot of money on network security. Why? Because the costs are significant: time, expense, reduced functionality, frustrated end users. On the other hand, the costs of ignoring security and getting hacked are small: the possibility of bad press and angry customers, maybe some network downtime, none of which is permanent. And there’s some regulatory pressure, from audits or lawsuits, that add additional costs. The result: a smart organization does what everyone else does, and no more.

And he also added:

The same economic reasoning explains why software vendors don’t spend a lot of effort securing their products. The costs of adding good security are significant—large expenses, reduced functionality, delayed product releases, annoyed users—while the costs of ignoring security are minor: occasional bad press, and maybe some users switching to competitors’ products. Any smart software vendor will talk big about security, but do as little as possible.

Mr. Schneier made a very good statement:

Network security is a business problem, and the only way to fix it is to concentrate on the business motivations. We need to change the costs; security needs to affect an organization’s bottom line in an obvious way. In order to improve computer security, the CEO must care.

He is absolutely right. I consider that information security should be a business enabler, aligned with the organization's business objectives and business strategy. But his paper is quite old: it dates from 2002, from the Workshop on the Economics of Information Security (WEIS). Nowadays, new regulation targets liability, as he suggested in his paper. Also, frameworks such as COBIT 4.1 and ITIL v3 all share the same objective, which is that information security should be aligned with the overall business objectives and strategy of the organization.

Reference: IEEE Security & Privacy magazine, (Vol. 5, No. 3)
