National Information Security: Is Clarke the Right Man For the Job?
Richard Forno, 2002-07-11

Does the President's Special Advisor on security really understand the issues security professionals are dealing with?

Insurance and Incentives 2002-07-11
Nicholas Weaver
Insurance CAN be a good thing, if written and done correctly, because it can give an immediate economic incentive (lower premium) for doing the right thing. Thus companies with better security save money before an event occurs, by having a discount for their defenses.

Unfortunately, the insurance companies writing such policies probably aren't in a position to evaluate the security risks specific companies use, at a fine enough level to make a difference [1].

Yet Clarke doesn't understand, or at least acknowledge, the most powerful incentive: liability. When he was talking at Berkeley (a rather uninteresting talk, BTW), the first question was about software liability, and he ducked the issues completely. In an era where 50% of the flaws are still buffer overflows (and another good 30-40% due to Microsoft's "Integrate everything because it helps our monopoly" strategy), liability is one hell of a lever.


[1] The obvious exception would be discounts for services like Counterpane's.








 

Copyright 2009, SecurityFocus