undefined | Better HN

0 pointspjmorris9y ago0 comments

Seems to me that the core of insurance is actuarial analysis of the potential risks and costs... and I don't think anyone has a good model or good data for when and why security problems occur. For the time being (and perhaps for the rest of time) we need a security crash reporting agency, analogous to a transportation crash reporting agency, e.g. the US NTSB. Getting standard reporting on security breaches might be a good start. I think the National Vulnerability Database [0] is honorable and well-intended, but the reporting there is uneven.

[0] https://nvd.nist.gov/

0 comments

1 comments · 1 top-level

ethbro9y ago

This. We model death rates somewhat accurately. Health care costs somewhat less so. Macro financial systems somewhat less so. I'd put "assign risk to a moderate sized enterprise's network of data systems" at more complex than all of those.

j / k navigate · click thread line to collapse