Interesting story on risk assessment pioneer Karen Clark:
The model's assumptions rest in part on assumptions about building codes, which in infosec points to the need for things like assessment and static analysis. I enjoyed the last section, which talks about the insurance industry being stuck in an old model: "Fire World".
In August 1992, when Hurricane Andrew was spinning toward south Florida, most experts in the “cat” risk assessment business were advising their insurance company clients to expect damages in the low hundreds of millions of dollars. Lloyd’s of London, more adventurous than most, suggested that the storm could cost insurers as much as $6 billion. Clark, whose five-year-old company was called Applied Insurance Research, thought they all had their heads in the sand. Her computer models, which had relatively little traction in the industry, put the potential damage at $13 billion — more if the overeager builders of south Florida had cut corners on local building codes.
Again we have a similar situation in infosec, where models are predicated on a distinction between inside the firewall and outside the firewall; however, that model diverged from reality about 10 years ago.
An even greater problem, according to Clark, is that insurance companies are not collecting the right information. They’re stuck, she says, “in Fire World.”
“The insurance industry grew up in the middle of the last century, when the main risk was fire,” says Clark. “Today your house is still classified for its combustibility. The data collected on commercial properties are things like sprinkler systems and fire extinguishers. What’s wrong with that, from a business perspective, is that insurance companies now pay out about $9 billion to $10 billion in fire losses each year, but they are paying close to $30 billion for hurricanes, earthquakes, and winter storms. Companies are not collecting information that would indicate how susceptible buildings are to catastrophe. They need to start collecting things like roof type, roof age, and foundation type.”
Clark doesn’t expect a departure from Fire World anytime soon. “They’ve got hundreds of millions invested in systems, statistical plans, and collection processes,” she says. “They’ve got enormous IT systems all built around fire risk. It’s not the kind of thing that’s going to change overnight.”
And that’s a problem. Because in the wake of Katrina and other disasters, she says, it’s clear that a natural catastrophe could send us a bill in excess of $200 billion. The insurance industry will pay about half, and we — homeowners, business owners, and taxpayers — will have to pick up the rest of the tab.
“It’s not a question of if,” says Clark. “It’s a question of when.”