More on politics and society from The Atlantic Monthly.


The Atlantic Monthly | September 2002

[From "Homeland Insecurity," by Charles C. Mann]

 
How Insurance Improves Security

Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.

Consider security, and safety, in the real world. Businesses don't install building alarms because it makes them feel safer; they do it because they get a reduction in their insurance rates. Building-owners don't install sprinkler systems out of affection for their tenants, but because building codes and insurance policies demand it. Deciding what kind of theft and fire prevention equipment to install are risk management decisions, and the risk taker of last resort is the insurance industry ...

Businesses achieve security through insurance. They take the risks they are not willing to accept themselves, bundle them up, and pay someone else to make them go away. If a warehouse is insured properly, the owner really doesn't care if it burns down or not. If he does care, he's underinsured ...

What will happen when the CFO looks at his premium and realizes that it will go down 50% if he gets rid of all his insecure Windows operating systems and replaces them with a secure version of Linux? The choice of which operating system to use will no longer be 100% technical. Microsoft, and other companies with shoddy security, will start losing sales because companies don't want to pay the insurance premiums. In this vision of the future, how secure a product is becomes a real, measurable, feature that companies are willing to pay for ... because it saves them money in the long run.

Bruce Schneier, Crypto-Gram, March 15, 2001

What do you think? Discuss this article in Post & Riposte.


Charles C. Mann, an Atlantic correspondent, has written for the magazine since 1984. He is at work on a book based on his March 2002 Atlantic cover story, "1491."
Copyright © 2002 by The Atlantic Monthly Group. All rights reserved.
The Atlantic Monthly; September 2002; Homeland Insecurity; Volume 290, No. 2; pp 81–102.