Archives for collaboration

Would you freely share cyber security information with Government?

This article from Sci-tech today discusses a new report due out in a couple of days from The Constitution Project.

According to the article, the report will discuss how:

The federal government’s plan to expand computer security protections into critical parts of private industry is raising concerns that the move will threaten Americans’ civil liberties.

In a report for release Friday, The Constitution Project warns that as the Obama administration partners more with the energy, financial, communications and health care industries to monitor and protect networks, sensitive personal information of people who work for or communicate with those companies could be improperly or inadvertently disclosed.

I am sure the concern about the exposure of personal information is genuine but it seems to me that the real threat is to the efficacy of a cyber risk sharing initiative proposed and supported by Government.

In my experience, of all the entities firms are willing to share information with, Governments are at the bottom of the list.

(Another) Top insurance executive misses the point shock…

Update 9/2/12: Joe Plumeri (Martin Sullivan’s boss – see below) makes the same 300-year-old speech but (naturally) more colourfully at InsiderScope… “The golden age of insurance is upon us” – apparently…

I have just read a report (subscription required) in The Insider (an excellent London market based insurance magazine @InsuranceInside) about a speech Martin Sullivan gave two days ago to an Insurance Institute of London meeting at Lloyd’s.  Though Sullivan is currently Deputy Chairman of Willis, he is better known as the former head of AIG.

Now, because I wasn’t at the speech, I may be about to be very unfair to The Insider or to Martin Sullivan because either:

  1. the report was dreadfully incomplete or
  2. the speech was dreadfully incomplete.

Can someone please tell me which is true?

Here’s what I mean.

According to the report, Sullivan’s speech seems to have been celebrating the 350th (or so) anniversary of the ‘there are lots of scary new risks out there and we need to be innovative about designing new products for them’ speech. Since new risks have always emerged, Sullivan seems to have inserted some nearly interesting if entirely predictable comments about volcanoes, tsunamis, reputations, cyber, patents and IP, and supply chain risk into the blanks of the ‘scary new risk’ speech template.

Templates are very useful but when they get out of date, as this one has, they can be extremely dangerous.  The problem with the ‘scary new risks’ speech template is that the first half of its thesis (that there are lots of scary new risks) is unarguable – in the way the bleeding obvious is always unarguable.  This lulls listeners into accepting what sounds like a perfectly plausible second half of the thesis; that innovative new products are the natural response to new risks.  Except that they aren’t any more.

Innovation is something individual firms choose to do, sometimes for tactical, sometimes for strategic reasons, and most innovation is incremental. Even at this specific level, therefore, Sullivan’s prescription for dealing with the new risks is flawed. For example, incremental approaches won’t cope with the dynamism of some of the new risks; other new risks are networked, so individual firms can’t hope to deal with them on their own; and most of the new risks are to some extent the product of a new environment, so that tools from that same environment are needed to deal with them – but I’ll come back to those points another day.

My point is that innovation is a logical response only in an unthinking ‘if new this, then new that’ sort of a way, but its ‘straight on’ logic puts me in mind of the kind of tumbleweed moment Wile E. Coyote has when he realises he has run off a cliff. The logic appears perfect, yet is completely flawed because of the turn not taken.

The turn not taken?  This is where the prescription is more fundamentally flawed.

We are living in arguably the most exciting times since Gutenberg developed a workable printing press. The means to generate, produce, add to, filter and disseminate information now exist in the hands of anyone with an Internet connection. As a result, industries – particularly information industries like insurance – are being fundamentally re-shaped. Some completely new industries and companies have started to emerge; think social media, Google and Facebook. Some old industries have resorted to fighting tooth and nail to try to save themselves; think old media and SOPA. And former titans of the old world are disappearing; 131-year-old Eastman Kodak has just filed for Chapter 11 bankruptcy protection.

Information industries are being re-shaped because the value chains by which information based products and services are produced or distributed (or both) have changed beyond all recognition – many disappearing altogether. The firms and industries that survive will be those able to adapt to the new information value chains, not those that just innovate better products. Innovation is not nearly enough. Kodak, for example, is in desperate trouble not because it was deficient in innovative capacity. Its patent assets are its most valuable (only?) asset. It was a deficiency of adaptive capacity that turned Kodak from the company that once had such an exciting future, it was a catalyst for Warren and Brandeis to write “The Right to Privacy”, into what now looks, waddles and quacks very much like a patent troll. How the mighty are fallen…

Adaptation is something firms across an industry have to do in the face of a fundamentally new environment. Unlike innovation, failure to adapt means certain death. What has this got to do with the insurance industry? I don’t know if you think data (the raw material of information and its yet more refined cousin ‘knowledge’) is ‘one of’ or ‘the’ core ingredient in insurance, but it is one or the other. Which of the two you think it is, is, however, unimportant, because the extent of the change to information value chains is so significant. Insurance is used to commanding and controlling data, but data is now, and will increasingly become, user generated, networked and so open to direct customer analysis.

The insurance industry’s future won’t therefore be shaped by how well or not we develop innovative new products to flog to customers already disgruntled by our out-dated processes and approaches.  It will be determined by how well and how quickly we adapt to how our customers are already starting to develop their own risk knowledge, to share it freely among themselves and where differentiation will be determined by customers gradually learning how to apply their newly developed knowledge in their own interests.  It will also be determined by how well we meet customer demands for products they design, based on their expert and/or crowd-sourced analysis of the risk.  It is almost rude to mention this last challenge – last in this incomplete list that is – that customers will also be able to generate more, richer and dynamic information, more cheaply than insurers.

At the risk of repeating myself – as anyone who has been kind enough to listen to me or read this blog before will know – I expect the application of social/collaborative technology to better connect the networks that currently operate too distinctly across risk, risk owner and risk management systems will be our key adaptation challenge but I also acknowledge the challenge may come from another direction.

In an earlier post, I wondered if the insurance industry would learn from the mistakes of the old media industry.  One of their mistakes was not to realise what was coming; another was to respond inappropriately when ‘it’ arrived.

The insurance industry doesn’t have the excuse of not knowing what’s coming and yet if we maintain the ‘straight on’ strategy the report suggests Sullivan called for two days ago, we will innovate ourselves off a cliff.

So, who was I unfair to?

Implementing Social Solutions to Improve Collaboration

Via Scoop.it – Insurance 2.0

Interesting article, though I would be surprised if the level of ignorance of enterprise social media tools, relative to their consumer versions, is as prevalent as the article suggests. I suspect the still disappointing adoption rates of enterprise social strategies have less to do with ignorance and more to do with the simple difficulty of making them successful.

I also suspect that the more successful strategies are the more deliberately disruptive ones – in all senses of the word. And disrupting a culture, business model or industry is, challenging though it may be for any established firm to consider, rather the point of the exercise.
Via blogs.msdn.com

A collaborative approach to cyber risk

I have now had a chance at a first read of the UK Government’s Cyber Security Strategy.

There is some solid stuff in here and I obviously can’t argue with the essentially collaborative approach it espouses – I have been going on about that for years.

I will be particularly interested in watching what happens – if anything – at the ‘strategic summit’ proposed with ‘professional business services, including insurers, auditors and lawyers to determine the role they might play in promoting the better management of cyber risks’.

On one hand, I fully expect it to be one of those meetings for which all Governments are famous – meetings meant to show something is being taken terribly seriously rather than to actually achieve anything.  And that would be fine because the tenor of the Executive Summary is that the Government is inviting the private sector to join their ‘vision’ – yes, they use the ‘vision’ word.

I don’t want to get all Libertarian on everyone but in the interests of all cyber security stakeholders, shouldn’t the private sector be leading the initiative on developing better cyber risk management?   And most of all, isn’t that because cyber risk management is essentially a practical concern?

How will cyber risk be modelled? Part 1

Insurers are struggling to model cyber risk.  In this first of two posts, I suggest that because of the dynamism and complexity of cyber risk, insurers should reconnect with the original purpose of models and then re-think their design.  The result could be cyber risk models primarily designed to understand cyber risk rather than the risk insurers accept, which is not the same thing at all.  The way cyber risk is understood also points to how it will then be managed.

In a second post, I will describe some of the elements I expect will form part of cyber risk models.

These ideas came out of reading a response, in a LinkedIn group (Privacy Risk Management, specifically), to this post. The response was:

The challenge for an insurer to provide DDoS cover is to find a model with which to assess the exposure, and thus ascertain the cover and risk exposure. This requires an assessment model of sorts to score the potential client (and maybe a form of compliance statement to ensure a minimum standard of care before cover can be provided). Developing that model is not impossible, but it will take some time before that model can be tuned as there are no histories to work with.

It made me read the original post, which turned out to be one of those well-researched but slightly generic descriptions of cyber insurance written by a law firm advertising for coverage counsel work; i.e. interesting if deliberately not very specific.

Back to the response, it is a straightforward, high-level route map to underwriting cyber risk and so it is difficult to argue with some of it.  Like most commentaries on cyber risk however, it discusses cyber risk models without offering very much in the way of how such models might actually be designed.  It also makes two common but I believe fundamental mistakes.  It assumes cyber risk models will be like traditional models and that time alone will make cyber risk models effective.

On the contrary, I don’t believe cyber risk models will resemble anything traditional – i.e. loss based and tuned to emerging portfolio characteristics.  In fact, I think that if we pursue traditional modelling approaches, we will never effectively model cyber risk.

One reason traditional models can’t cope with cyber risk is, perhaps curiously, because of their reliance on portfolio theory. Portfolio theory is the core underpinning of risk acceptance, allowing insurers to safely assume that not all risks are going to have losses every year, even if they don’t know how many will have losses. But in relation to the amount and detail of risk information captured by insurers, and the frequency with which risk information is updated, portfolio theory also means insurers only capture enough information on each risk to verify that the risk falls broadly within the range of risks they want in a particular portfolio. This is because, while the portfolio gradually changes all the time – for example as new risks enter and non-renewals leave it – the insurer operates under the reasonably safe assumption that neither individual risks nor other elements of the portfolio (the environment in which the risks exist, for example) will usually change so quickly that the insurer can’t react to them.

The problem is that cyber risk isn’t like that; it changes a lot and quickly. There are risks that potentially affect far more people, like pandemic risk, and risks with far greater severity potential, like earthquake. But there is no other risk that combines the number of potentially affected people and systems with so much severity potential, that is also in so constant a state of change, that is so complex and which, hardly surprisingly, crystallises into big losses so frequently.
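To make the portfolio-theory point above concrete, here is an added worked example. It is illustrative code written for this page, not a model from the original post or from any insurer, and the toy model it uses is my assumption: n policies each paying a loss of one unit, an independent idiosyncratic loss with probability p per policy, and, with probability q, one systemic event (a flaw in a service or component that many of the insured share, say) that hits every policy in the same year. The coefficient of variation (standard deviation divided by mean) of the aggregate annual loss is the measure of how safely an insurer can rely on ‘not everyone has a loss this year’. The example goes slightly beyond the text by giving the exact formula as well as a seeded simulation, so the two can be compared.

```python
"""Added example: why portfolio diversification tames independent risks but not
networked ones.  Illustrative code written for this page, not a model from the
original post or from any insurer.

Assumed toy model (an assumption of this example, not of the post):
  - n policies, each paying a loss of 1 unit when it is hit
  - each policy is hit by an idiosyncratic event with probability p,
    independently of the others
  - with probability q a single systemic event hits every policy at once
A policy suffers a loss if either kind of event hits it.

The quantity of interest is the coefficient of variation (CV = std / mean) of
the aggregate annual loss: the smaller it is, the more safely an insurer can
rely on "not every risk will have a loss this year".
"""
import math
import random


def policy_loss_probability(p: float, q: float) -> float:
    """Probability that a single policy suffers a loss in a year."""
    return 1.0 - (1.0 - p) * (1.0 - q)


def pairwise_covariance(p: float, q: float) -> float:
    """Covariance between the loss indicators of two distinct policies.

    Both are hit if the systemic event occurs, or if it does not and both
    idiosyncratic events occur.  With q = 0 this is exactly zero.
    """
    m = policy_loss_probability(p, q)
    both = q + (1.0 - q) * p * p
    return both - m * m


def aggregate_cv(n: int, p: float, q: float = 0.0) -> float:
    """Exact CV of the aggregate loss over n policies.

    Var(sum) = n * Var(one) + n * (n - 1) * Cov(pair).  With q = 0 the second
    term vanishes and the CV falls like 1 / sqrt(n): diversification works.
    With q > 0 the second term grows like n**2 and the CV stops falling.
    """
    m = policy_loss_probability(p, q)
    var = n * m * (1.0 - m) + n * (n - 1) * pairwise_covariance(p, q)
    return math.sqrt(var) / (n * m)


def limiting_cv(p: float, q: float) -> float:
    """CV as n -> infinity: 0 for independent risks, sqrt(Cov) / mean otherwise.

    This floor is what no amount of portfolio growth can remove.
    """
    m = policy_loss_probability(p, q)
    return math.sqrt(max(pairwise_covariance(p, q), 0.0)) / m


def simulate_cv(n: int, p: float, q: float, years: int = 5000, seed: int = 1) -> float:
    """Monte Carlo cross-check of aggregate_cv with a fixed seed (constructed data)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        if rng.random() < q:          # systemic event: every policy loses
            totals.append(n)
        else:                         # only idiosyncratic events this year
            totals.append(sum(1 for _ in range(n) if rng.random() < p))
    mean = sum(totals) / years
    var = sum((t - mean) ** 2 for t in totals) / years
    return math.sqrt(var) / mean


if __name__ == "__main__":
    p, q = 0.05, 0.02   # illustrative parameters, not calibrated to any book
    print(f"{'n':>7} {'independent CV':>15} {'with systemic event CV':>23}")
    for n in (10, 100, 1_000, 10_000, 100_000):
        print(f"{n:>7} {aggregate_cv(n, p):>15.3f} {aggregate_cv(n, p, q):>23.3f}")
    print(f"floor with systemic event: {limiting_cv(p, q):.3f}")
    print(f"simulated CV, n=100: {simulate_cv(100, p, q):.3f} "
          f"(exact {aggregate_cv(100, p, q):.3f})")
```

Run as a script, the table shows the independent-risk CV shrinking by a factor of ten for every hundredfold increase in n, while the CV with a shared systemic event barely moves past n = 100 and settles at the floor limiting_cv returns. That floor is the modelling problem the text describes: adding more risks to the portfolio, which is what traditional models rely on, does nothing about the part of the variance that comes from the shared environment, so a model has to understand that environment rather than merely grow the book.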

Cyber risk is so different in fact that I don’t think cyber risk models will be designed to serve insurers in the way traditional models are.  Rather, I imagine cyber risk models will take a back to basics approach and be designed simply to understand cyber risk.  Risk management, with risk transfer as an integral part of the overall process, will flow from understanding the risk – at least as well as that is possible with a risk that changes so much and so quickly.  I believe in this idea of an independent model for two reasons.

First, because of cyber risk’s complexity I doubt that any one entity (insurer or otherwise) will be able to build an effective model on their own.  A model that is effective at understanding cyber risk will necessarily therefore be a collaborative process, first to collect sufficient data and second, so appropriate expertise is available to understand the data collected.

Second (and reinforcing the idea that collaboration can be a valid profit optimising strategy), in order to benefit from a collaborative modelling process, collaborators must have good reason to invest the time, money and effort needed to make an effective model. I therefore expect that potential collaborators – system owners, insurers and the many experts needed to analyse cyber risk – will each want to be free (probably within a Creative Commons framework) to make decisions about how they choose to address cyber risk in their own interests.

A further purpose of the model will then be to allow for and to accommodate those decisions within the model – up to a point of course; ignoring cyber risk not being one of the options!  System owners will be able to decide how much to spend (on security for example) and what to prioritise based on model outputs of the latest threats or new legal concepts.  Insurers will be able to make similarly based decisions on the kind and amount of exposure they wish to accept.  Experts will be able to offer their services to system owners, insurers and others based on what they learn from the model, as long as the service is attributed to the model.

The sum of these issues suggests to me that it will make more sense for insurers and system owners to work together with relevant experts to design a model; an alternative would be to leave the design to an independent third party.  In either case, there are a few implications that flow from this suggestion…

One is that, by designing a full risk management model that fully integrates risk transfer, the model would put insurance (at least for cyber risk) back into its proper relationship with the rest of risk management, as opposed to it being the afterthought it often seems today. Another would be that the almost impossible problem of both insurers and their customers maintaining ‘utmost good faith’ towards each other, in the face of a constantly changing risk, would be eliminated. Yet another however, is that the insurance value chain, as we know it today, would cease to exist. But I’ll stick with the model discussion for now…

In this first post, I have indicated why I don’t think traditional modelling approaches will be effective for cyber risk and that insurers aren’t going to have enough resource or expertise to build the new kinds of models needed on their own.  Equally however, risk owners and experts aren’t going to invest time, money, data or expertise into a model that doesn’t directly help them otherwise address cyber risk in their own interests.

In part two, I will try to describe some of the main ingredients of such a cyber risk model.

Risk, unlike insurance, is no pig; an introduction to gamification

I understand why people get excited when Facebook makes a change.  Here is a good set of examples.  Quite apart from some changes – like default privacy settings – having been extremely poorly conceived and others poorly implemented, some people just don’t like change.

But it is a testament to Facebook’s success that their many changes – and they change things a lot and often – have generally been readily accepted, if not without initial ‘sound and fury’.  And I like the fact that Facebook changes a lot.  Indeed, I suspect Facebook would be much less successful without frequent change.

Why is lots of change so important?

I certainly enjoy sharing my friends’ and relatives’ lives and doings on Facebook; for me and almost everyone else this is, of course, Facebook’s primary feature. But let’s be honest, much of what we read about some of our friends and family is less than scintillating, so the sharing process itself has to be engaging. Facebook isn’t successful simply because it allows us to connect with people we know who are otherwise too far away to see and hear from every day; nor is it successful just because it is an application we all enjoy using – an enjoyment that is kept fresh by change. I think it is the combination of the connections and the process – in different proportions for different people – that explains Facebook’s success.

It is as much the medium as the message that engages us.  Another day, I might ponder on what I see as Facebook’s biggest challenge for its future – how it maintains an engaging process in the face of plans to become a utility, at least as that word is traditionally understood, and in the face of the “seen that, got the tee-shirt, move along” attitude towards sharing others’ lives – but for now, that is a digression.

What I am curious about now, and what I see as offering significant potential to the risk and insurance industries, is a process I am seeing mentioned more and more often: ‘gamification’ – the use of game design techniques to engage audiences. This post (by Confused of Calcutta) is a good discussion of the topic. This TED video is good too.

Change is the biggest gamification example of them all – “a new game every week” – and Wikipedia lists the following further gamification examples:

  • achievement “badges”
  • achievement levels
  • “leader boards”
  • a progress bar or other visual meter to indicate how close people are to completing a task a company is trying to encourage, such as completing a social networking profile or earning a frequent shopper loyalty award.
  • systems for awarding, redeeming, trading, gifting, and otherwise exchanging points
  • challenges between users
  • embedding small casual games within other activities.

Back to the Confused of Calcutta link above, and where this all hopefully starts to make sense when it concerns risk, JP suggests something along the lines of: gamification used on its own is like “putting lipstick on a pig”…

He is talking about the fact that, if an underlying subject or process is fundamentally dull, no amount of gaming layered on top is going to make the slightest difference.  He is specifically talking about work – he now works for salesforce.com – and rather candidly suggesting, I think, that just sticking a salesforce platform under a dull business won’t make it any less dull – but I am getting back to the medium and the message again and away from my point.

Gamification won’t make the process of buying (or selling) insurance any more “fun” but it will be one of the tactics used to encourage people to share their knowledge about uncertainty – something I believe people are genuinely interested and concerned about, and which has nothing to do with insurance, right?

So, to the extent uncertainty about particular things (for example, activities {like driving}, events {a party for example} or processes {like banking}) is one core feature of the more general term “risk”, I expect gamification will be a key element used to encourage people to start sharing knowledge about specific uncertainties.  Such collaborative processes will begin to cause reductions in some specific uncertainties, and lead all of us to be able to start thinking differently about risk generally, and produce new ideas for dealing with it.

And risk, unlike insurance, is no pig.