I am sympathetic to those who compare info security to insurance, but there are gaping holes in such an analogy which sometimes lead people down the wrong paths. Ultimately, the real point of the comparison is to attack the idea the security enables or generates revenue or something. Unless security is something you do as a business, it’s going to be a cost.
I’m going to drastically oversimplify some things here, and I don’t have experience in the underlying nuts and bolts of insurance, but humor me for a few minutes.
1. Being covered by insurance implies means you’ll be compensated if something goes bad (the “risk of contingent, uncertain loss” [wikipedia]). This would lead someone to think if they invest in security, then when an incident happens, they will get money back somewhere. While this might (arguably) work when specifically talking about actual ‘cyberinsurance,’ this doesn’t seem like a healthy way to look at your own internal security expense/duties. This then has nothing to do with prevention or detection or mitigation. Sure, those may be qualifying factors, but that’s security, not insurance. If I, as a CEO, spend money on security and I still get hacked, I better not be expecting compensation anywhere.
2. Nothing’s standard in IT. One of the biggest challenges to, well, anything in IT at all is the fact that every shop does things just a little bit differently, with lots of magic customized glue holding things together. Perhaps today’s SaaS/IaaS/Cloud will level the playing field a bit, but we’re a long, long ways away from being able to value anything properly. We have a hard enough time in specific industries. You can go to 10 companies in the same industry space and of similar sizing, and a deep dive into their security postures will probably yield 10 incompatible reports. (Note I mention a deep dive, not some piddly 2-day pen test and PCI-worthy interview process and vuln scan that harps on the same 12 things, but an actual analysis and hand-holding look beneath the covers.)
3. You don’t even need to be hacked to have your bottom line affected. Take last week’s Google Wallet disclosures. I’m not sure if anyone has actually attacked anyone with it (let alone Google), but just the presence and media attention has caused Google to take notice and even halt a line of their business while they attend to it. Try valuing that.
Anyway, I’ve exhausted my brain already on this, must be low on fuel or something, so I’ll just leave this as is.