The Emerging Role of Risk Management and Insurance in Information Security

Information security is an area of inquiry with many fronts - technology standards, international and national regulation, product development, crime - that is defining its depth and scope at the same time as electronic commerce (e-commerce) grows. Many gaps remain in what is known about information security and how its risks can be managed. An increasing number of brokers, consultants, and underwriters are crafting products that attempt to address information security's insurable risks. Despite these efforts, no one has yet formulated a broad approach to Internet information security risk management, nor has anyone offered a comprehensive insurance product addressing this risk. In this brief, we'll explore why the insurance industry's progress in addressing this market has been slow.

The Current State of Information Security Insurance

Insurance products are being developed that apply to the financial loss resulting from computer security failures. Typically, these products strictly delineate the limits of liability, the scope of coverage, and other conditions, and subject their policyholders to various operational requirements. Statutory liability and intellectual property infringement, including copyright, patent, trade secret, and trademark issues, are covered to varying degrees by these products.

Among the parties currently offering Internet liability-related and information security liability insurance products are the consulting arms of some brokerages, which offer e-business development planning, systems, and security assessments. These firms' assessments serve a dual role as underwriting tools for the brokers' underwriters. The insurance products offered typically insure third-party claims resulting from information security breaches in corporate computer networks and Web sites; that is, they respond to third-party claims resulting from the peril of "hacking".

Broadly defined, current attempts at information security policies might address some or all of the following types of losses - illegal entry, theft of resources, vandalism, fraud, copyright infringement, sabotage of third-party property, and third-party business interruption.

First-party property losses resulting from attacks, however - for example, system damage caused by a cyberextortion attempt - are usually not covered. Current product offerings also seldom address losses resulting from information theft, financial market manipulation, remote-control crime (including crimes causing physical injury), physical damage (including sabotage of first-party property), physical theft, or the defense of a system's use (for example, a freedom-of-speech defense).

The shortfall in the current state of insurance products is largely the result of two factors. First, what constitutes a covered loss has yet to be adequately described and quantified. Second, and equally important, issues that are perhaps unique to electronic commerce, or that are at least potentially large-scale for the first time, are emerging and need to be contemplated in a risk management approach to information security and described clearly in insurance policy language. Policy language that adequately addresses both the transnational and the immediate nature of e-commerce, as well as case law that provides direction for case adjustment, remains at an early stage of development.

The Characteristics and Quantification of Trust in Information Security

An important first step in understanding the risks of information security and developing robust, viable insurance products is the development of a quantifiable concept of trust. With the growth of e-commerce, potential business partners are more likely than ever before to be faceless strangers. Hence, trust in others has tended to decrease. As the importance of trust in economic relationships becomes more explicit, methods of measuring trust, and of measuring how much trust is extended, are increasingly being devised.

The concept of "trust" is being explored in the information security profession, and a pragmatic, formalized concept of trust is being elaborated as e-commerce grows. Characteristics of trust that have been classified as important in developing information security standards and practices include proximity, accuracy, repetition, variance, accreditation, expertise, and history (defined below). These e-commerce "trusting" concepts closely parallel the conceptual underpinnings of insurance underwriting.

Assuring trust requires security. In the field of information security, experts customarily approach a client's security needs from three areas of concern. Information confidentiality and control are the first interest of security professionals. For example, a clear and precise definition of what confidentiality means for one's firm, together with the methods and systems in place to enforce those confidentiality requirements, is a prerequisite to providing security.

Information integrity, authentication, and repudiation (collectively, issues of identification) are the second area of concern. Integrity deals with assuring that information is what its user thinks it is. Authentication involves methods of assuring clients that their customers are who they claim to be, and of verifying or repudiating those claims.

Information availability and utility are the third major class of information security concern. Access by employers to employees' private keys is one of the issues being explored in this area. Addressing this class of problems, and the related issues of availability and usability, involves the areas of data control and data audit.

Information must be secure before it enters an electronic database or transaction. While current technological controls may or may not be adequate, depending on their application and use, it is the area of human resources security management (i.e., defending against "social engineering" techniques) that most needs improvement. Personnel training in the requisite computer security procedures and skills can prevent many information crimes by building awareness and understanding of potential security problems.

A secure infrastructure is necessary for the implementation of large-scale transactions involving information retrieval, for the processing of financial transactions, and for other sensitive identification purposes. Regardless of its technological sophistication, however, one cannot be assured that transactions in this environment are free of risk. Methods for managing the amount of risk one takes, and the amount of trust one extends to others, are required.

Improving the State of Information Security Risk Management and Insurance

Insurance underwriters need to develop products that simultaneously address technological complexity and the quantification of trust. Technology could learn about trust management from the insurance industry, and, as the insurance industry ceases to be blinded by the glitter of technology, it will respond to this call for responsive products.

Characteristics of Trust

    Proximity: a basis for believing something may be its affinity with something or someone else. In other words, a relationship with a third party may be used as a basis for believing another's assertions.

    Accuracy: the degree to which the correctness of one party's assertion matches the exactitude of another's.

    Repetition: multiple, consistent actions by an agent over time, taken as an indicator of trust.

    Variance: the relative degree to which an assertion differs from aggregated experience.

    Accreditation: one agent's assertions about another agent.

    Expertise: a proclamation by an agent who is known to be trusted with regard to assertions about an area of specialty (e.g., a licensed physician).

    History: the chronicle of events related to a party or class of parties.

Copyright InsureTech®. All rights reserved.