To illustrate the need for cyberinsurance, we'll be using commonplace IT incidents that are easy to explain in August's awareness materials, being familiar to or readily understood by the target audiences.
People who don't already know much about insurance may be surprised to learn that such incidents are not covered by traditional policies - at least not for certain, and not in full. So that's something they will learn. They will also learn that cyberinsurance is available, and (if properly specified) would cover those same incidents. Probably, and again not in full - another learning point.
So aside from simply learning stuff, what if anything are people supposed to do differently if August's security awareness effort is effective? To answer that requires us to figure out what behavioral changes might be expected to occur in the organization.
One way to think this through is to identify activities that should ideally start or increase, or should decrease or stop, such as:
- Cyberinsurance-related awareness activities should of course increase, for example more visits to the intranet pages on this topic, awareness materials being downloaded, people attending seminars etc.;
- Workers in general ought to be thinking and hopefully chatting about cyberinsurance:
- It should feature on relevant agendas e.g. in information risk and security management meetings, and perhaps board or exec team meetings;
- Managers and professionals should start thinking of cyberinsurance as a commercially viable way to treat cyber risks, for instance including it explicitly as an option to consider in related policies, pprocedures, guidelines and checklists;
- Cyberinsurance terms should crop up more often in various internal communications (aside from the awareness materials, that is), such as emails, memos, reports and casual conversation;
- Someone should start digging out and checking through the fine print of existing insurance policies, and if appropriate procuring, negotiating or renegotiating cyberinsurance cover;
- There should be an increase in the associated procurement and insurance activities;
- Studies, reviews and audits may be conducted in this area;
- There will probably be demonstrable management decisions in this area e.g. approval to (re)negotiate cyberinsurance and spend money;
- There may be budgetary impacts if cyberinsurance is increased and/or conventional insurance is pared-back;
- There should probably be a reduction in the level of residual information risk that is accepted by the organization, as other forms of risk treatment (not just cyberinsurance) increase;
- People should stop naively thinking of insurance as a catch-all solution to all their cyber problems.
Anything that can be observed to change can be measured, hence our analysis is a basis for identifying possible information security metrics in this area. It supports the GQM approach through which one identifies business Goals, poses Questions arising, then comes up with Metrics that would help answer the questions and so fulfill the goals.
Despite cyberinsurance being such an unusual and arguably esoteric topic, this amply demonstrates the nature and depth of analysis required to come up with valuable security metrics in general - all of which is fueled by effective security awareness.