• “Consider the use of smart cards ... for especially critical functions.  Although more costly than software, when properly implemented the assurance gain is great.  The form-factor is not as important as the existence of an isolated processor and address space for assured operations – an ‘Island of Security,’ if you will.  Such devices can communicate with each other through secure protocols and provide a web of security connecting secure nodes located across a sea of insecurity in the global net.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • “Assurance is best addressed during the initial design and engineering of security systems, NOT as an after market patch. The earlier you include a security architect in your design process, the greater the likelihood of a successful and robust design. As the quip goes, he who gets to the (module) interface first wins.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

  • “Given their power to intercept and disrupt secret communications, it is not surprising that quantum computers have the attention of various U.S. government agencies.  The National Security Agency, which supports research in quantum computing, candidly declares that given its interest in keeping U.S. government communications secure, it is loath to see quantum computers built. On the other hand, if they can be built, then it wants to have the first one.”

    Prof Seth Lloyd of MIT, MIT Review 2008

fact: The insurance industry is moving towards incenting high assurance systems
Thursday, 11 December 2008 07:41


To quote Brian Snow (former director of the Information Assurance Directorate of the US National Security Agency) at the end of his presentation at the AusCERT 2008 security conference:

There is one other process going on now in the insurance industry that I think is great.  It’s putting the financial issue in the right place.  One of the most promising recent occurrences in the insurance industry was stated in the report of Rueschlikon 2005 (a conference serving the insurance industry).  Many participants felt that, and this is a direct quote:

‘The insurance industry’s mechanisms of premiums, deductibles, and eligibility for coverage can incent best practices and create a market for security . . .  This falls in line with the historic role played by the insurance industry to create incentives for good practices, from healthcare to auto safety . . .   Moreover, the adherence to a set of best practices suggest that if they were not followed, firms could be held liable for negligence.’

Bluntly, if your security product lacks sufficient robustness in the presence of malice, your customers will have to pay more in insurance costs to mitigate their risks.  Insurance is a recurring cost that businesses certainly try to manage.

Differential pricing based on quality of your security components, it's coming.

I checked just before coming to this conference with a senior manager of Swiss Re, they are still on that path, and they are going to pull it off. (2008)

I think that is one of the greatest plugs that could possibly get going for us out there.  It’s great news.

Last Updated on Friday, 16 January 2009 13:25
 
