When most computer security specialists talk of "security",
they mean securing the system against unauthorised intrusion. The usual
prescription is to install a good firewall and keep it updated. A McAfee or
Norton anti-virus programme with a personal firewall component is what most
would consider an acceptable security standard for a personal desktop.
It must however be remembered that no security software is
foolproof. Today's viruses are written to evade the known anti-virus
products, and a sufficiently sophisticated attacker can bypass an ordinary
personal firewall.
What then happens to the Information Property Owner and his
need to secure his assets? Should we say that this is all that technology can
achieve at this point of time, and that he has to live with whatever insecurity
remains beyond the conventional security?
Let's see what we do when we face a similar situation in
the physical world. If we have installed a Godrej tamper-proof lock and it is
picked by a thief, we expect as consumers to be compensated by the lock
manufacturer if he has warranted that it is pilfer-proof. Otherwise we buy
insurance. We accept that no technical device can be foolproof, and
therefore the only way we can secure ourselves against the residual risk is
through insurance. The insurance system itself expects that you take all
prudent measures to ensure security, including using the best lock available
in the market.
In this way the insurance terms impose a "security discipline"
on the community and ensure that there is a minimum standard of security
practice that every person follows. In the process they promote the sale of
good locks. Through a differentiated premium system, insurers can even bring
in a "Lock Certification System" which provides quality guidance to the lock
manufacturer as well.
Thus the "insurance" system helps the community to adopt
better security standards and incentivises them through reimbursement of a
loss that occurs despite all precautions having been taken. The consumer
knows that the total revenue of the insurance company is higher than the
claims it settles, and therefore that the community as a whole pays a net
cost for the insurance service; but the removal of "uncertainty" is enough of
an intangible benefit to justify the additional cost that society bears.
With the removal of that uncertainty, society is able to
unleash its creative energy and increase its productivity. If in the process
the insurance company earns a surplus over the claims it settles, that surplus
is more than covered by the increased productivity.
It is time we realised that a similar approach is
required for securing cyber space. While we set up security guidelines for
the public to follow, unless there is an incentive for them in the form of
reimbursement of a loss that occurs despite the security measures having been
taken, adoption of security discipline will remain low.
We therefore need an insurance scheme that protects
information assets against hacking and virus attacks. Ideally the cover would
be available at a price most people consider affordable.
Our concern is whether our general insurance companies are capable of
assessing the risks, arriving at a reasonable premium rate and devising a
monitoring mechanism to administer an Information Asset Insurance Programme.
Obviously, at this point of time the insurance companies are not capable of
undertaking such a responsibility. But unless we start thinking in this
direction, we will not be able to develop such a system in the near future.
naavi.org therefore requests suggestions from the public on
how a workable Information Asset Insurance programme can be developed in
India.
Naavi's own suggestion is first to create an "Apex Agency
for Information Asset Insurance" with the necessary expertise, which sets forth
the broad parameters for consumer-level insurance. Under the guidance of
such an organisation, the general insurance agencies can develop individual
schemes and market them to consumers.
The development of such a system will encourage computer
users to voluntarily adopt "security standards" and become "cyber law
compliant". In such an environment "security" will always mean "techno-legal
security", and it will provide a foundation for the recovery of losses that an
information asset owner suffers when conventional security fails for one
reason or another beyond the owner's control.
naavi.org welcomes suggestions from the public in this
regard.
Naavi
October 27, 2002
Related Articles:
Cyber Space Security..You Have a Role in it Too?
Cyber Space Security..Whose Responsibility is It?