On Apr 28, 3:15pm, Mike Shaver wrote:
[Sort of in response to Russ's insurance idea]
> ObFirewallsSummary: In order to make the computer security field `fit'
> with traditional risk models, we need to find a way of quantifying the
> risk. That can be a hard problem. (Stuff like `the NSA/FBI/NBC says
(I think this idea is terrific, btw; I wish I knew more about the
insurance biz, but I can smell money in this idea)
I don't think you have to necessarily restrict yourself to
secrets or confidential information, & the problems quantifying
damage as a result of loss of these secrets. I work for an organization
that's suffered damage as the result of hacking, & this damage
almost always consists of items such as time spent repairing
systems vandalized or tampered with by intruders, damage control
in relationships to the press, extra burdens imposed on users &
organizations, time devoted to security issues and/or extra hires
to deal with the problems, &c. It's quantifiable. Historically
we were an open organization where nothing was "secret". There is
also the issue of indemnifying an organization from claims from
another organization, should our site be used as a platform
for intrusions into another organization.
I realize this is a stretch from firewalls per se & apologize,
but it's interesting enough to merit discussion somewhere.