An Introduction To
Information, Network and Internet Security


Risk transfer: the concept of insurance

Insurance in its simplest form is familiar to everyone from their personal lives as car insurance, buildings and contents household insurance, and life insurance. Each person or household pays a premium to transfer 'catastrophic risks' to an insurance organisation. The insurer calculates the premiums according to actuarial techniques using statistical data, such that on average the insurer makes a profit, even though it will have to pay out on some claims. The principle is based upon the insurer spreading its risk over many different clients, some of whom will sustain losses and make claims, but most of whom will not.

The insurer does not take on the entire risk, since there is usually an 'excess' on the insurance policy - a base sum below which the claimant takes the financial pain. This is in effect the 'risk tolerance' or 'risk appetite' of the individual taking out the insurance. Some policies allow you to choose your own 'excess' depending on how much risk you want to take on yourself. By taking a larger 'excess' you can get a lower insurance premium - in other words you balance the risks of a lower upfront cost against a lower payout if you have a claim, or vice versa.

The level of risk appetite depends on what you can afford to lose. Losses above what you can afford are 'severe' or 'catastrophic' losses, and it is these that you seek to insure against. If you own one house, it makes sense to insure it against fire and other catastrophic events, because if it is destroyed you have lost everything. However, if you owned a thousand houses, as many companies do, it is nonsense to take out fire insurance on all these properties because your risk is already spread, and statistically you are unlikely to have more than one or two of these properties damaged by fire (unless they are crowded closely together). If they are all in the same locality you may be unlucky enough to have them all damaged by the same storm, but not so if they are widely spread throughout distant locations.

The need to insure is therefore calculated on the basis of analysing the risks and looking at the spread that exists. Where you have a high concentration of risk for one type of asset, insurance is likely to be a useful solution. Where the risk is widely spread, self-insurance (that is, carrying the financial risk yourself) is likely to be more economic.
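
A worked calculation of the one-house versus thousand-houses argument above, added here as an illustration and not part of the original text. The fire probability, storm probability and tolerance are constructed figures, and properties are assumed to be equal in value and either untouched or totally lost.

```python
from math import comb

# Constructed figures for illustration only (not from the original text).
P_FIRE = 0.002     # assumed yearly chance that any one property burns down
P_STORM = 0.01     # assumed yearly chance of one storm hitting a whole locality
TOLERANCE = 0.001  # assumed acceptable yearly chance of an unaffordable loss


def p_more_than(n, p, k):
    """P(more than k of n independent properties are destroyed in a year)."""
    within = sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))
    return 1.0 - within


def p_unaffordable(n, affordable, p_fire=P_FIRE, p_storm=0.0):
    """P(yearly losses exceed `affordable` properties, the owner's risk appetite).

    p_storm > 0 models concentration: a single local event destroys all n.
    """
    if affordable >= n:
        return 0.0
    return p_storm + (1 - p_storm) * p_more_than(n, p_fire, affordable)


def advice(n, affordable, p_storm=0.0, tolerance=TOLERANCE):
    """Insure when an unaffordable loss is more likely than the tolerance."""
    risky = p_unaffordable(n, affordable, p_storm=p_storm) > tolerance
    return "insure" if risky else "self-insure"


if __name__ == "__main__":
    cases = [
        ("one house, cannot afford to lose it", 1, 0, 0.0),
        ("1000 houses, widely spread, can absorb 10", 1000, 10, 0.0),
        ("1000 houses, same locality, can absorb 10", 1000, 10, P_STORM),
    ]
    for label, n, affordable, storm in cases:
        p = p_unaffordable(n, affordable, p_storm=storm)
        print(f"{label}: P(unaffordable)={p:.6f} -> {advice(n, affordable, storm)}")
```

With these figures the single house and the concentrated portfolio both exceed the tolerance, while the widely spread portfolio does not, which is the distinction the text draws between insuring and self-insuring.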

The Security Practitioner

An Introduction to Information Security