On Sat, 29 Dec 2001, Steven M. Bellovin wrote:
Yes, but insurance companies often move in and set certain behavioral requirements as a coverage requirement, just to cut their own payouts. To give just a couple of examples, both Underwriters' Laboratories and the National Electrical Code are spinoffs of the insurance industry.
We don't wait for buildings to burn down before checking the electrical wiring. We don't take the electrician's word the wiring is correct. A building inspector checks the wiring before the walls are covered up. It's not perfect, and the inspectors can miss a lot. But it's proven to be more effective than trusting the builder will do the right thing.
Where are the building inspectors for the Internet? As the insurance industry figured out, SLAs alone don't improve things. You have to inspect and verify. How can I inspect and verify a carrier did what they promised? If I pay for a diverse circuit, can I check it is in fact diverse?
Is it a matter of money? The Chicago Board of Trade had a multi-day network failure. The New York Stock Exchange had a multi-day network failure. The NASDAQ had multiple shorter network failures. Essentially all of them traced back to carrier problems.
You could hire me to inspect your network, but that doesn't scale.