Jon Rocks Cyber-Insurance and the Market
Wow. Great post by Jon Robinson. Do go read. It’s especially interesting when read within the context of the most recent quote-to-be-adored (belonging to Marcus Ranum):
“Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is today.”
Ranum’s wisdom can be interpreted to suggest that he believes the market for security investment (and therefore cyberinsurance) has reached a sort of macro-equilibrium for investment vs. amount of security, and that, regardless of future extra-market influence or innovation, it will stay there. Safe bet considering that security is a cost-center.
If I can point out just one thing, it would be the following: The decision to buy or invest is primarily a risk decision. Not a security one. “Secure” is something we do to reduce vulnerability (defined as our ability to resist the forces of threat communities). Risk is something we believe concerning the probability of impact & probable frequency of occurrence. As soon as someone has something to say concerning the level of “security” or security investment (there’s a jump there that spending = security, but that’s another TLDNR blogpost) they are really saying that the current tolerance for risk in the market doesn’t meet a tolerance they think it should.
Personally, I’m not seeing significant evidence that consumers are dissatisfied with the risk of PC or Internet use when compared to the benefit - and I suppose that’s the proof needed for a “market correction”, no?

