+ From: Adam Shostack <adam @
+ Subject: Re: Insurance policy covering security breach
+ Date: Tue, 10 Dec 1996 16:46:13 -0500 (EST)
+ Sender: firewalls-owner @
+ What is the risk? I assert that you can't quantify it, and
+ thus insurance is not reasonable. You seem to say it's very high, and
+ thus insurance is not reasonable. I agree that it's very high, but
+ what about a company that goes to certain lengths to mitigate those
+ risks? We don't have mathematical tools to measure the effectiveness
+ of the security tools that we use.
For that matter, is there -any- firewall on the market that does *not*
include a DISCLAIMER of 'merchantability' as well as denying any claim
of "fitness for any specific/particular use"??
And an insurer is going to assume the risk of it -not- working properly??
+ I'm in full agreement about the false sense of security that a
+ firewall can bring, but it's not new; the people who are happy with a
+ firewall are the ones who used to be happy with MVS & dialback modems.
+ Margaret H. McMahan wrote:
+ | > Insurance isn't about guaranteeing security, it's about
+ | >re-arranging financial exposure to risk. For lots of money each year,
+ | >my insurance company agrees to pay out some when I get into an
+ | >accident. If I am statistically likely to get into an accident, or live
+ | >in a high crime area, they change their fees.
+ | I'm not talking about insurance being the guarantee of security, but if an
+ | insurance company is saying that they'll pay for loss of data, etc, etc...
+ | The risk is just too high, in my opinion. The chance for an insurance
+ | company to make a profit would be rather low (again, this is in my humble
+ | opinion). There are too many ways of breaking into computers, and too fine
+ | lines that show what's damage, what's negligence, etc etc. I, as someone who
+ | knows something about security, might blame an administrator for not fixing
+ | PHF, while the administrator of the company would say it wasn't his fault.
+ | So who's going to pay? These are the grey areas of break-ins... Whose fault
+ | is it? The cracker for finding a way in? The admin for leaving holes in the
+ | system?
+ | make sure it doesn't happen again. Unfortunately the dawn of firewalls has
+ | many people lulled into a false sense of security. "Oh I'm behind a
+ | firewall, all is well". However, it isn't enough. It's almost (well, not
+ | almost, VERY) silly to even think that anyone would WANT to insure computer
+ | security. Even the companies that MAKE the firewalls will not guarantee
+ | that. That ALONE should say something.
+ | > When we can't get insurance because the risks are too high,
+ | >I'll see that as a step forward, since we're being rigorous in our
+ | >assessments of the problems.
+ | That's what I was saying. The risk isn't worth it. There's way too many grey
+ | areas, and not enough profit. Again, this is my opinion, and it's a damned
+ | good one. :)
+ | ____________________________________________________________________
+ | Margaret H. McMahan - Systems Engineer
+ | pmcmahan @
+ | V-ONE Corporation
+ | 1803 Research Blvd., Suite 305
+ | Rockville, MD 20850
+ | http://www.v-one.com
+ "It is seldom that liberty of any kind is lost all at once."