I have followed Markel and Tom Gayner (Markel's CIO) for several years. Markel is often classified as a "Baby Berkshire": an insurance company that invests its float (the premiums collected before claims are paid out) in a conservative, long-term stock portfolio. Markel writes some pretty interesting policies (they got started many years ago insuring jitneys), including Data Breach insurance (you will see why). Tom Gayner spoke at the Motley Fool about Markel's background and approach, which overlaps with infosec risk, security metrics, and ideas on how to make forward progress. Here are my notes:
Cocktail party definition of Markel: if someone asks about Markel, it's an insurance company that they've never heard of. Well, an easy way to think about that is if you have an insurance policy that you can get easily and quickly, well, we wouldn't do that. We do the sorts of insurance where people go, 'Oh no. We've got a problem, or we've got a situation.' This isn't to disparage the other insurance companies; we all have a role in life. What GEICO says yes to is not going to be the same thing that Markel says yes to. What Markel says yes to isn't going to be the same thing that GEICO says yes to. It's a different organization and orientation.
We do 100 different forms of insurance - everything from children's summer camps that are out in the middle of nowhere, that have teenagers supervising teenagers and no fire departments nearby, kids jumping on trampolines and being out in canoes, all the sorts of exposures that go with that (Note: just like infosec!).
We would do oil rigs that are out in the Gulf of Mexico (one of the ways we lost some money this year). Those sorts of things need insurance, and Markel is a company that for decades has been in that business, and it's a good business, but there are days when you wake up and read the headlines and go 'Oh no', but that is why people buy insurance.
We do things like bass boats with too big a motor on them; this has always been intriguing to me. Bass boats tend to be flat bottomed, and they come with a 10-15 hp motor or something like that, but if you are really into bass fishing you have to get to the spot in the corner of the lake faster than the other guy. So people put 250 hp engines on their bass boats. I can tell you that every accident or loss report reads the same way, and that is: 'Craft traveling at a high rate of speed, when it hit a submerged object. Occupants hurled from the craft.' When you are trying to buy insurance on your bass boat and you are a State Farm or GEICO customer, they're going to ask you about how many horsepower you have on your boat, and when you answer 250 they're gonna say, 'thanks, but you need to find somebody else to do that.'
Well, we're the Statue of Liberty: bring us your tired, your poor, yearning to be free. Short line railroads, little spur lines with only one customer. We do bars and taverns that are sometimes on the wrong side of town. On and on and on.
So with that backdrop it's not too surprising that Markel is involved with data breach insurance. What's also interesting is the commentary on how they approach risk management in these sorts of unique situations. Responding to the question 'if Liberty Mutual is writing a life insurance policy they can go to the bureau of statistics and get all the life expectancy data that they need; you, on the other hand, are confronted with this remote entity, let's call it Camp Haltertop. Where do you go to get information to find out how much you are going to charge for your policy?', Tom Gayner replied:
Excellent question, and it really illustrates some points about the games you're playing with the statistics. Life insurance - those statistics are disturbingly known. As we were eating hamburgers at Five Guys before we came to the meeting today, I was probably dooming myself to the left hand side of the curve. Those numbers are well known; we really wouldn't sell life insurance, with the only exception that we do sell life insurance for horses. One of our specialized niches of policy.
For the sort of thing we do, there are two ways to deal with it. One: if you're talking about summer camps, which was your example, well, we have been in the summer camp business since the 1930s. So whatever statistics there are, it's not the law of super huge numbers that you have when you are talking about life insurance and mortality statistics or autos and miles driven, but we can have the advantage because we have been in that marketplace for so long - we have the law of kind of big numbers on our side.
The second thing is, and this salutes the culture of the Motley Fool, there's no formula, there's no spreadsheet, there's no mechanical thing you can do that is going to give you 100% of the answer. You need to do those things, but don't pretend and delude yourself that you've done all you need to do once you've done the mechanical, calculable things. You still need to think. What we have are a cadre of incredibly thoughtful, professional underwriters who've been at this sort of thing for a long time, and there is an element of judgement that those people need to apply when they are in a situation where they need to ask themselves - 'what bad can happen to me? What are my policy limits here? What sort of odds are there that that will occur?' Just a simple example: if you have a $100 policy and you calculate there's a one in three chance that it will occur, then your actuarial burn rate is $33, so you know you need to charge something more than $33 to offer that policy. Now those are subjective probabilities; they're not precise and not completely explained by statistics. There's some statistics, there's some numbers that are helpful, but there's also seasoned judgement which adds to that.
And the other thing you need to know is - it's an iterative process. That's the decision you make today; tomorrow you get the good fortune of being faced with another decision, so if you are wrong or new information is starting to come in, you iterate to a higher or lower number as your judgement is confirmed or blown up. You iterate through in the policy line and across policy lines.
I see a tremendous amount of overlap between Markel's process and the role of infosec. Of the points Gayner mentions, the first action item is this: logs are really important. They won't give you everything, but gather whatever you can. Who is going to have better data on your system than you?
I am very tired of quant debates where proponents set up strawmen of subjective approaches versus supposedly uber-logical objective ones and talk about how the supposed quant approach beats the subjective approach. It's not a matter of whether you have subjectivity or not; it's there in the biases you brought to the model whether you recognize it or not. The real questions are where you choose to place it and how you iteratively improve your decisions with feedback loops from the real world.
To me the formula for infosec is: objective measures through logging and monitoring; subjective decisions on where to place them and at what depth; and a mix of subjective and objective review of the logs and of the data fed back from the system's performance over time.
In terms of overall architecture, structure is important. You can, and likely will, be wrong on some of the security architecture decisions. This should be factored in up front, through gathering data and by giving yourself a place to fight back from. Wiring security policy enforcement points into the system structure is a key initial decision: even when the policy decisions and answers are not known up front, fixing where they will occur can be tremendously helpful down the road once real-world feedback comes in. A good example here is the Security Gateway, which can begin its role in your system by simply proxying communications and reducing attack surface; additional services like access control and input validation can then be layered on. The key here is that the system structure remains the same, and only behavior is changed to reflect updated security architecture goals.
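An added example of the gateway pattern described above, not code from the post or from any product: the `Gateway.handle` enforcement point, the `Request` shape, the upstream handler and the policies are all constructed here. The gateway starts as a pass-through proxy and gains authentication, access control and input validation by extending its policy list, while `handle` itself, the place every request must cross, never changes.

```python
"""A security gateway whose structure is fixed while its policies evolve.

Added example, not from the original post or any product. It shows the
pattern described above: wire a policy enforcement point into the request
path first (as a pass-through proxy), then layer access control and input
validation onto that same point later. The request format, the upstream
handler and the policies are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    """A request as the gateway sees it (constructed representation)."""
    client: str            # authenticated principal, or "" if anonymous
    method: str
    path: str
    body: str = ""


# A policy inspects a request and returns a rejection reason, or None to allow.
Policy = Callable[[Request], Optional[str]]


@dataclass
class Gateway:
    upstream: Callable[[Request], str]
    policies: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def handle(self, req: Request) -> str:
        """The enforcement point. Every request passes here from day one,
        so the audit log exists even before any policy does."""
        for policy in self.policies:
            reason = policy(req)
            if reason:
                self.audit_log.append(
                    f"DENY {req.client or '-'} {req.method} {req.path}: {reason}")
                return f"403 {reason}"
        self.audit_log.append(f"ALLOW {req.client or '-'} {req.method} {req.path}")
        return self.upstream(req)


# --- policies layered on later, without touching Gateway.handle ------------

def require_authenticated(req: Request) -> Optional[str]:
    return None if req.client else "authentication required"


def make_access_control(grants: dict) -> Policy:
    """grants maps a path prefix to the set of principals allowed to write it."""
    def policy(req: Request) -> Optional[str]:
        if req.method in ("GET", "HEAD"):
            return None
        for prefix, allowed in grants.items():
            if req.path.startswith(prefix):
                return None if req.client in allowed else f"{req.client} may not write {prefix}"
        return "no write grant for path"
    return policy


def validate_input(max_body: int = 1024) -> Policy:
    """Reject oversized bodies and control characters before upstream parses them."""
    def policy(req: Request) -> Optional[str]:
        if len(req.body) > max_body:
            return "body too large"
        if any(ord(c) < 0x20 and c not in "\t\r\n" for c in req.body):
            return "control characters in body"
        return None
    return policy


def constructed_upstream(req: Request) -> str:
    """Stand-in for the protected service."""
    return f"200 upstream handled {req.method} {req.path}"


def build_gateway(stage: str) -> Gateway:
    """Same structure at every stage; only the policy list changes.
    Stages: 'proxy', 'access-control', 'validated' (cumulative)."""
    gw = Gateway(upstream=constructed_upstream)
    if stage in ("access-control", "validated"):
        gw.policies += [require_authenticated,
                        make_access_control({"/admin/": {"ops"}, "/api/": {"ops", "app"}})]
    if stage == "validated":
        gw.policies.append(validate_input(max_body=64))
    return gw


if __name__ == "__main__":
    gw = build_gateway("validated")
    print(gw.handle(Request("app", "POST", "/admin/reset")))
    print(gw.handle(Request("ops", "POST", "/admin/reset", body="{}")))
    print("\n".join(gw.audit_log))
```

Because the policies are ordered and independent, the feedback loop from the earlier sections has a concrete home: review the `DENY` and `ALLOW` lines, decide whether a policy is too loose or too strict, and adjust the list without rewriting the system around it.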