Insuring software will boost security: expert

The challenges and problems of computer and network security won’t be adequately addressed until companies can be held liable for their software and the use of their computer systems and until insurance companies begin to offer computer intrusion insurance, according to Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc.

Insurance companies and liability laws need to come into play because the real problems of computer security are not technical problems, he said at the RSA Conference 2002. “Technology is not going to solve this,” Schneier said. “Fundamentally, security is a business problem. It’s a people problem.”

Within companies, especially software companies, security is looked at as a trade-off, he said. More secure products cost more to produce and have fewer features, which angers customers, while the other option is less secure software that could result in bad press, angry customers or regulatory pressure. Faced with that choice, many companies will offer less-secure products because the risk is smaller, Schneier said.

However, when audits, costs and liability are injected into the equation, the business analysis changes, he said. Firewalls became standard parts of companies’ security arsenals because without them companies could fail security audits, he said. Security is only driven by its ability to affect the bottom line, he said.

“The CEO is only going to do what everyone else does because that’s the business analysis,” Schneier said.

Security would affect the bottom line if developers were held liable for flaws in their software, he said. “Software should not be exempt from normal product liability,” he said. “If no one is accountable for a problem, no one will do anything about it.”

When developers are liable for their products, they will want to transfer that liability to insurance companies to be able to predict costs and protect their bottom line, he said. This is the thinking that drives “real world” companies to insurance, he added. “I think insurance is a big part of (improving) computer security,” he said. “In the real world, insurance drives security.”

Computer security will be aided by the presence of insurance companies in the market because insurance companies will look for a way to standardize models for determining the level of risk a potential customer poses, Schneier said. As they seek this model, they will make determinations about which products are more secure, which may, in turn, lead companies to use those more secure products in order to save money, he said.

“(Insurance companies) are going to want better products and services,” he said.

“The risks will always be with us. The best thing we can do is manage the risk — just like in the real world.”