SMotW #41: insurance cover vs premiums
Security Metric of the Week #41: insurance coverage versus annual premiums
An organization's insurance arrangements potentially reveal quite a bit about management's stance on risk. Residual risks that management feel they cannot mitigate further, cannot avoid and will not accept are typically transferred to third parties through various business arrangements, including insurance. The premiums management is willing to pay give an indication of the value they place on those risks, and also reflect the insurers' own assessment of the same risks.
Insurance coverage versus annual premiums is someone's attempt to specify an insurance-based metric. It sounds simple enough in theory: determine the insurance cover provided, divide it by the annual insurance premium, and plot it year-by-year to show ... errrr, what exactly? At face value, it's just a measure of the value obtained from the insurers (e.g. $10m of cover for a premium of $10k p.a. is 'obviously' better value than $10m of cover for $20k p.a.), but digging a bit deeper, there are several unknown variables if we only look at the headline figure.
What, in fact, is meant by "$10m of cover"? Assuming it is the maximum possible payout, that raises the question of how actual payouts are determined, meaning we ought to look into the precise terms and conditions of the cover.
"A premium of $10k" could also be misleading, as the premium is often discounted in return for the customer accepting an 'excess' (a deductible), effectively a self-insured element that never shows up in the headline ratio.
The customer and insurer will normally have negotiated the rate, in the process exchanging vital information about the nature of the risks being insured and the nature of the insurance cover being offered. As currently stated, the candidate metric doesn't even specify that we are talking about information security risks, let alone clarify which information security risks are being insured against.
Finally, on a practical note, it is seldom as easy as you might think to determine the total for a given type of expense, especially in large/diverse organizations. You may be lucky: there may be a specific accounting code for insurance premiums, and it may have been used correctly, but the chances of finding a reliable code for 'information security insurance' are slim.
So, let's take a look at Acme's PRAGMATIC scoring calculation (the overall score is the simple average of the nine ratings, rounded):
P | R | A | G | M | A | T | I | C | Score
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
64 | 46 | 5 | 25 | 20 | 16 | 10 | 82 | 94 | 40%
Evidently, they are not terribly impressed with this candidate metric. Note the very low ratings for Actionability and Timeliness, and the very high rating for Cost-effectiveness of this metric. An annual, historical metric may be quite cheap and easy to calculate but frankly (as currently worded) it is not very useful.
['As currently worded' suggests that Acme might consider re-framing or re-phrasing the metric, checking the PRAGMATIC scores of variants to find more promising, much sharper candidates. Perhaps something can be done to improve those low ratings? This is an entirely valid and sensible way to use the PRAGMATIC method, although to be honest we would rather start with a better candidate in the first place, carefully honing it until it glistens like a Samurai sword in the moonlight. Any metric that initially scores below 50% is arguably too dull to justify the effort, unless there are no better alternatives on the rack.]