This book is about expanding Internet business risk management strategies into resilience such as software diversity; into financial risk transfer instruments such as insurance policies, catastrophe bonds, performance bonds, and self-insurance as in Basel II; and into reputation systems.

Traditional Internet performance and security solutions are no longer adequate to manage Internet business risks that have increased rapidly starting in 2000. As recently as 2003, many chief-level officers (CEOs, CFOs, CTOs, and so forth) and boards considered business interruption due to worms, viruses, cable cuts, routing flaps, and attacks to be off their radar; they thought the Internet “just worked.” By the first quarter of 2004, after the northeast power outage, the MyDoom and SoBig worms clogging the Internet infrastructure, and the leak of Microsoft’s NT and Windows 2000 source code, placing still more opportunities in the hands of crackers, some S&P 500 CEOs changed their minds and now think they are facing a potential $100 billion global cybercatastrophe risk. The SoBig worm alone caused $30 billion in damages.[3] Such cyberhurricanes blur the line between security and performance; degraded performance can cause a customer to abandon a transaction or even seek another vendor.

Many Internet risks outside the firewall cannot be eliminated by any single enterprise. Encryption is good, but what if the packets don’t arrive? Intrusion prevention can stop worms at the firewall, but congestion can still make customer accesses too slow. Dynamic rerouting can find uncongested routes, but what if there are none? Such risks have grown too large and frequent to be accepted. They have grown beyond gale force into cyberhurricanes that are force majeure events affecting entire industries or the whole Internet.