I found this on the excellent Overcoming Bias weblog:
“Why do corporations buy insurance for fire damage and such? It seems to me that maybe they oughtn’t, since the cost of insurance is greater than the expected payouts (due to administrative costs, asymmetric information, moral hazards etc). Investors should presumably prefer corporations to be pure bets, and reduce risk and volatility by holding suitably diversified portfolios.”
One of the first analogies I ever heard for InfoSec (1994?) is that it was “like insurance”. This weblog discussion is a good read for those of you who are in a management position or who simply like to think about IRM/InfoSec. You may also want to see this post:
The measure of your strength as a rationalist (insert: Risk Analyst) is your ability to be more confused by fiction than by reality.
One of my favorite things to do with FAIR is to challenge all sorts of status quo “good practices” of Information Security. Most of the time, FAIR shows the traditions and lore of our “craft” to have merit. When this happens for you, don’t fall into the trap of thinking that you’ve wasted your time. It simply means you’ve validated the practice within the context of your model.
However, sometimes FAIR results challenge these “good practices”. When this happens, we do what a scientist should: test and re-test against our model. When it is clear that the results are accurate, and that our model has shown us reality in similar tests, we can discount the “good” (merit) of these practices. Many times this results in efficiencies. Efficiencies in:
- our ability to reduce risk and/or,
- how we perform our work tasks,
which are two of the three basic value statements for Information Risk Management. Why should you be performing more risk analysis? Because it is the most efficient way to discover those things that create a competitive advantage for your organization.
(via RiskAnalys.is)
August 21, 2007, 8:06am