Premium pricing

London Underground

Using cars as an analogy for the computing industry is a well-respected tradition. If your car came without locks, or shipped with an airbag that stopped working after 90 days unless you paid a subscription, critics say the industry would be in uproar. And yet computer users gracefully accept similar conditions all the time.

But there is another way in which cars are different from computers: it is compulsory to insure the former against harming someone, but very difficult to insure the latter. And yet, when computer security is breached, lots of people can get hurt, including the companies that operate them, and their shareholders and customers.

"The industry is well aware of the fact that it has to provide insurance in this domain, but there are few companies willing to stick their necks out," says Hugh Penri-Williams, the newly appointed senior security advisor to Accenture in France, former chief infosecurity officer at Alcatel, and a 15-year veteran of the insurance industry. Why is that?

Lack of drive

"Insurance companies run into the lack of data," says Hemantha Herath, associate professor in the department of accounting at Brock University in St Catharines, Canada. We've been driving cars for a century, but using computers in anger for just a few decades. Actuaries have collected substantial data on criteria such as age, geographical region and occupation that can be applied to other domains, where the threats change relatively slowly. Not so with computers, where things move blindingly quickly, and where nothing is discrete. "It's difficult to do, especially when there are a lot of network connections and it is all interrelated," Herath says.

We should not underestimate the interdependencies of modern computer systems when trying to assess the economic cost of securing them – or failing to do so. "Originally all of the computer systems were separate. They weren't connected with networks. So you did a risk assessment for each one and decided the security measures," says David Lacey, founder of the Jericho Forum and former director of information security at the Royal Mail. Then, everyone connected to the same network, and some form of standardisation was needed. "At that point, we came out with BS7799," he says.


Now, things are changing yet again. Attacks are becoming more sophisticated, says Lacey. Malicious parties know what they want – your customers' credit card details, the blueprint for your next product, or the chemical compound for the drug you are patenting. "So on top of the general controls, you need this ring-fence around your specific data," he says, and that calls for an understanding of what that data is, where it is, and all the possible routes to get to it. Suddenly, risk evaluation and impact assessment becomes more difficult even for those inside companies trying to work out how much to spend on security. No wonder insurance companies are nervous.

As companies scramble to understand these parameters, the goalposts continue to move. "Even if you feel that you've covered all the bases, companies are so locked into their suppliers, their customers and others, that it is extremely difficult to predict what is going to happen on that front," says Penri-Williams. Companies buy their software from third parties, some of which test their software more thoroughly and patch more frequently than others. Telecommunications companies run companies' networks for them. Key processes are smeared across yet more systems, operated by a whole supply chain of outsourcing providers. And the ability to farm out processes is increasing, thanks to the increasing standardisation of all layers of the networking stack, from IP through to XML-based web services. A cynic might long for the simple days when you bought your computers and software from one mainframe vendor, and never used anything else.

Random numbers

But whereas computing systems are becoming increasingly transparent, the departments that use them retain a depressing opacity that can further hinder the evaluation of security budgets. The chief security officer doesn't have all the answers, points out Barry Horowitz, professor of systems and information engineering at the University of Virginia and former chief executive of the MITRE Corporation, a US government-funded technology researcher. To evaluate the level of investment required, a company has to make assumptions, and then tie values to them, he says. Only then can rational decisions be made. Otherwise, policy makers are simply whistling in the dark. The problem is that those assumptions are scattered around the organisation.

Getting at that data can be a challenge, says Lacey. "To manage security you'd need an intelligence system of your own," he says. Do you know what a particular department does when a laptop is lost? How many are they losing a month? Without knowing, say, what make of car their salespeople are using, you may not be able to research the fact, discussed on enthusiast bulletin boards, that thieves have found and exploited a vulnerability in that car's central locking system. Without that information, evaluating the cost of fixing the problem becomes difficult.


"I've never been at a meeting where the lawyer, the project manager, the money maker, the R&D investment group and the cyber security guy are all present," Horowitz says. His approach involves collaborative web tools that enable nominated people from each department to gather and input that information more quickly. In a world where threats evolve at breakneck pace, that's an important factor, he argues.

If the assumptions and the values attached to them are available, a company is in a reasonable position to document its risks, so that it can start budgeting for the most critical requirements. "You need to do it with a particular methodology," says Penri-Williams. Several exist.
Carnegie Mellon University’s infosecurity-focused CERT programme provides Octave (www.cert.org/octave/), which folds organisational and technological risks together. The Information Security Forum offers the Information Risk Analysis Methodologies (IRAM) system, which uses three phases: business impact assessment, threat and vulnerability assessment, and finally control selection.

Such methodologies may tell you where to direct the bulk of your budget, but may not tell you how much to spend. For that, companies must assess the potential losses arising from a security breach. "The thing to do is not to listen to the guff handed down about metrics," Lacey warns. "Not everything is measurable," he explains. "You don't know what the damage is. You can't see what the customers are thinking." Issues such as reputational risk, the cost of dealing with disgruntled customers, potential legal suits, technical remediation and so on are all factors. And in some cases costs are not linear, Lacey points out – the cost of replacing the thousandth customer credit card record that was stolen because you didn't encrypt your data may not be the same as the cost of replacing the first.

At a premium

But companies still have to write some numbers down somewhere. Today, they are vague, compared to the numbers that actuaries play with in other domains. Even those insurance firms that do tackle this problem do it in relatively simple ways. Safe Online, which brokers cyber-security risk on its own and via Lloyd's syndicates, divides customers into five categories. Large financial institutions are in the riskiest category, whereas a shop selling baked goods online as a side venture would be further down the scale. It sends in the auditors to evaluate security preparedness, explains partner Chris Cotterell, and considers risks such as likely fines from regulators, customer notification costs, and so on. Then, it makes its calculations and presents the premium.

And what of those tricky questions about interdependency? The challenge of considering a loosely coupled but intricately connected set of technical elements spanning many different systems both inside and outside the target company? "I think we take it as read that these things happen. We can't really put that into the mix of underwriting because then we'd never insure anyone," he says. The firm assumes that there will be a certain lag in time between a vulnerability appearing and a patch being released by the vendor, for example, and accepts it as a risk of doing business. "We've probably got the rates right, because at the moment the underwriters aren't losing money."

Even though the methods for assessing risks and potential premiums in cyber-security are still relatively immature, people are working on the problem. In conjunction with his wife and fellow academic Tejaswini, Herath took known information about security events and losses from ICSA Labs and analysed them using a statistical function known as a copula, which links the one-dimensional distributions of several interrelated variables into a single joint distribution. He has applied this to insurance pricing for cyber-security in a complex statistical paper (http://weis2007.econinfosec.org/papers/24.pdf), and delivered some numbers. This actuarial approach appears to be the closest thing that the industry has to a formal methodology for calculating an insurance premium for cyber-security risk, but Herath points out that it relies on empirical data that is still scant and difficult to verify.

A difficult operation

While we continue to refine the projected cost of a security breach, the cost of preventing it is also a moveable feast. There are different ways of solving the problem, which will cost different amounts and potentially come from different budget lines. Is a security risk an issue of capital expenditure or operational refinement?

Ross Anderson, professor of security engineering at Cambridge University's computer laboratory, puts it succinctly: "Usually, the best course of action involves effort, such as patching properly, or training staff not to click on links," he says. "However, this is 'difficult' for the security manager, as it means bothering people and thus undermining their own career prospects. It's a lot easier to just buy a firewall, declare the problem solved, and hope for the best." Clearly, in the real world, all dollars are valuable, but some dollars are more valuable than others.

It's a pretty clear bet that many companies will shamble along blissfully unaware of these underlying complexities, spending as much on security as the budget that year allows. But those worrying about this intricate problem may have more sleepless nights ahead of them. "It's becoming less likely that insurance can be a part of the action than it has been," says Horowitz.

Random security events are difficult enough, but attacks are becoming more organised and focused. The days of mass-mailed ILOVEYOU-type malware are ending. Now, criminals know what they want, and who they want it from, and are more intent on getting it. This development gives attackers a substantial advantage. As states have said on numerous occasions when discussing rogue attackers, the defence has to win every time, whereas the attacker has to win just once.
In such an environment, Horowitz worries that insurance companies will feel less inclined to take a piece of the action. "Who ever insured warfare?" he asks. Who, indeed?
