Conventional billing software resides on a server computer system, called a server, and a client computer system called a client. Billing software in the server can determine if the client usage of the application is allowed and/or how much the user should be charged for that usage. Billing software in the client can provide usage information, such as the length of time the application was open, to the server for the purpose of billing.
This conventional approach works for software applications where usage is appropriately charged based on the length of time the application is used, such as a word processor or spreadsheet, or by the amount of data transferred, such as relational database searches or web-based searches.
The conventional approach, however, does not work for billing for security products and services because the benefit from security products is not a function of time or the amount of data transferred. The true value of a given security product is a function of the reduction in risk that the product delivers to the customer. Moreover, Internet attacks are uncertain and, therefore, the benefit from security products occurs unevenly with time.
Existing security solution providers sell their products based on a flat rate derived from total bandwidth or speed of the device, the number of hosts protected, the number of users and/or the number of connections that the device can support. This approach is similar to the approach taken by network infrastructure device manufacturers whose devices deliver value based on the size of network they can support. When applied to security products this approach creates perverse incentives: high-risk networks pay the same as low-risk networks. Highly efficient organizations are not rewarded for their effective practices and organizations with poor security practices don't have an incentive to improve. In addition, this flat-rate pricing keeps sophisticated protection out of the reach of small, budget constrained consumers which leaves their networks and devices vulnerable to compromise and may be used to attack others.
Accordingly, there is a need for a method and apparatus that can estimate the reduction in risk that a given security solution delivers to each customer thereby allowing the security provider to charge for their products based on the value they truly deliver to the consumer.