nach oben

Information Systems Frontiers

Erschienen in:

18.03.2017

A model to analyze the challenge of using cyber insurance

verfasst von: Tridib Bandyopadhyay, Vijay Mookerjee

Erschienen in: Information Systems Frontiers | Ausgabe 2/2019

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This work analyzes and extends insurance dynamics in the context of cyber risk. Cyber insurance contracts, when used as a means to manage residual cyber risk, could behave differently from other traditional (e.g., property) insurance. One important difference arises from the complexity involved in the post-breach decision of whether and how a firm should optimally plan to claim indemnity in the event of a cyber breach. We define different types of cyber breaches leading to different claiming scenarios, whose roots lie in the impact of secondary loss caused by certain but not all types of breaches. We build a model to capture the impact of secondary loss in structuring the use of cyber insurance and then combine the backward analysis of myriad breach scenarios to derive the overall optimal decision to purchase cyber insurance. We demonstrate that the optimal purchase decision depends on the mix of the types of cyber breaches that a firm faces. Numerical experiments corroborate market observation of limited use of cyber insurance after 20 years from when these products became available.

Vorheriger Artikel Enterprise security investment through time when facing different types of vulnerabilities

Nächster Artikel Predictive maintenance: strategic use of IT in manufacturing organizations

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

For some recent cyber insurance contract pricings (albeit without the deductibles, which are equally determining of the premium structure), please see the pertinent webpage of Data Breach Insurance Inc., USA (https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/)

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx#1

It is an understandable posture of the managers. For example, in the 2014 third quarter filing, Home Depot has shown a $15 million cyber insurance receivable (McLeod 2015), which obviously depicts that a severe breach was realized. Had the case been a non-required disclosure breach, the balance sheet or flow statement would have made it apparent to the stakeholders of the event of a breach.

Raviv extends Arrow”s work and shows that risk preferences do not necessarily determine the forms of an optimal insurance contract and that an optimal contract may feature both deductible and coinsurance. In this research we restrict ourselves with a simple, general deductible based cyber insurance contract

The Great Debate, ISSA journal 2008, available at http://cdn.coverstand.com/1336/3515/ISSA_0408_bt.pdf

In practice, cyber insurance providers employ interviews, questionnaires and other instruments as well as technical audits to appraise themselves of the state of residual risk after the technological controls are in place. The insured firm must agree to these inquisitions before a cyber insurance contract is written by the insurer.

For example see www.aig.com, www.chubb.com etc. by visiting their cyber insurance product pages

While the other expressions including the premiums and the profit functions remain same as those in CARA, the utility function for the CRRA function is U = qpLn(W − P − x₁) + q(1 − p)Ln(W − P − a) + (1 − q)pLn(W − P).

Cavusoglu et al. (2004) estimate secondary losses somewhat below 4% for the firms in their dataset.

Cyber insurance providers routinely assess the security health of a prospective firm before offering a contract.

More of the perpetrators of current computer crime are motivated by money, not bragging rights (CSI survey, 2007).

for some small scale analysis of indemnity payout in cyber insurance, please refer to the 2011 and 2012 reports from Netdiligence Inc. at http://netdiligence.com/files/CyberLiability-0711sh.pdf and http://www.resultstechnology.com/files/2013/05/2012-10-Cyber-Claims-Study.pdf

http://blogs.wsj.com/cio/2014/03/27/cyber-insurance-just-one-component-of-risk-management/

Based on our private communications on the value of cyber insurance with CIOs/CISOs.

2008 Annual Study: Cost of a Date Breach - Understanding Financial Impact, Customer Turnover and Preventive Solutions. Ponemon Institute, LLC.

Anderson, R., & Moore, T. (2007). The economics of information security: A survey and open questions. Proceedings of the Fourth bi-annual Conference on the Economics of the Software and Internet Industries. France: Toulouse.

Arrow, K. J. (1971). Essays in the theory of risk bearing. Chicago, IL: Markham Publishing Co.

Baer, W. S. (2004). Private sector incentives for managing security. In E. O. Goldman (Ed.), National Security in the information age. Routledge.

Baer, W. S., & Parkinson, A. (2007). Cyber insurance in IT security management. IEEE Security and Privacy, 5(3), 50–56.CrossRef

Bandyopadhyay, T., Mookerjee, V. S., & Rao, R. C. (2009). Why IT managers don't go for cyber-insurance products. Communications of the ACM, 52(11), 68–73.CrossRef

Berinato, S. 2008. Data Breach Notification Laws, State By State. Available at http://www.csoonline.com/article/2122493/compliance/cso-disclosure-series---data-breach-notification-laws--state-bystate.html.

Bohme, R. (2005). Cyber insurance revisited. Boston, USA: Proceedings of the Workshop on the Economics of Information Security.

Bohme, R., & Kataria, G. (2006). Models and measures for correlation in cyber insurance. Boston USA: Proceedings of the Workshop on the Economics of Information Security.

Bohme, R., & Schwartz, G. (2010). Modeling cyber-insurance: Towards a unifying framework. Cambridge USA: Proceedings of the Workshop on the Economics of Information Security.

Borch, K. (1960). The safety loading of reinsurance premiums. Skandinavisk Aktuarietidtidskrift, 43, 163–184.

Bowers, N. L., Gerber, H. U., Hickman, J. C., Jones, D. A., & Nesbit, C. J. (1997). Actuarial mathematics (2nd ed.). Schaumburg, IL: Society of Actuaries.

Calandro, J., Matrejek, E., Pollard, N. (2014). Managing cyber risks with insurance: Key factors to consider when evaluating how cyber insurance can enhance your security program. Price Water House Publication number BS-14-0534-A.0614. Available at (http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-managing-cyber-risks-with-insurance.pdf).

Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. The Journal of Computer Security, 11(3), 431–448.CrossRef

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcement on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 70–104.CrossRef

Ernesto, V. d. S. (2009). Mininova Hit By Massive DDoS Attack. Available at https://torrentfreak.com/mininova-hit-bymassive-ddos-attack-090307/.

Evers, J. (2007). T.J. Maxx hack exposes consumer data. C-Net news, available at https://www.cnet.com/news/t-j-maxxhack-exposes-consumer-data/.

Fang, F., Parameswaran, M., Zhao, X., & Whinston, A. B. (2014). An economic mechanism to manage operational security risks for inter-organizational information systems. Information Systems Frontiers, 16(3), 399–416.CrossRef

Floresca, L. 2014. Cyber Insurance 101: The basics of cyber coverage. Available at https://wsandco.com/cyber-liability/cyber-basics/.

Fourth Annual US Cost of Data Breach Study. (2008). Ponemon Institute LLC.

Global Cyber Impact Report. (2015). Ponemon LLC. Available at (http://www.aon.com/attachments/riskservices/2015-Global-Cyber-Impact-Report-Final.pdf).

Global Information Security Survey. (2008). Ernst and Young LCC. Available at (http://www.ey.com/Global/assets.nsf/UK/Global_Information_Security_Survey_2008/$file/EY_Global_Information_Security_Survey_2008.pdf).

Gollier, C. (1996). Optimal insurance of approximate losses. The Journal of Risk and Insurance, 63(3), 369–380.CrossRef

Gollier, C., & Pratt, J. W. (1996). Risk vulnerability and the tempering effect of background risk. Econometrica, 64(5), 1109–1123.CrossRef

Gordon, L. A., Loeb, P. M., & Sohail, T. (2003). A framework for using insurance for cyber risk management. Communications of the ACM, 46(3), 81–85.CrossRef

Hartwig, R. P., & Wilkinson, C. (2014). Cyber risks, the growing threat. USA: Insurance Information Institute.

Johnson, T. A. (2014). Cybersecurity: Protecting critical infrastructures from cyber attack and cyber warfare. USA: CRC Press.

Kovacs, P., Markham, M., Sweeting, R. (2004). Cyber incident risk in Canada and the role of cyber insurance. Institute for Catastrophic Loss Reduction. ICLR Research Paper Series - No. 38.

Mader, B. 2002. Cyber insurance's higher rates make it a long-term sell. (Available at http://sanjose.bizjournals.com/sanjose/stories/2002/11/04/focus2.html).

Majuca, R. P., Yurcik, W., Kesan, J. P. (2006). The Evolution of cyber insurance. (Available at http://arxiv.org/ftp/cs/papers/0601/0601020.pdf).

McLeod, D. 2015. Increased cyber losses means more litigation over claim. Business Insurance. (Available at http://www.businessinsurance.com/article/20150222/NEWS06/303019999/1248).

Meland, P. H., Inger, A. T., & Solhaug, B. (2015). Mitigating risk with cyber insurance. IEEE Security and Privacy, 6, 38–43.CrossRef

Moore, T. (2005). Countering hidden-action attacks on networked systems. Proceedings of the Workshop on the Economics of Information Security. Cambridge: USA.

Mossin, J., & Smith, T. (1968). Aspects of rational insurance purchasing. Journal of Political Economy, 76, 533–568.CrossRef

Nelson, S. D., Simek J. W. 2005. Cyber insurance: singing in the Rain. (Available at http://www.senseient.com/pdf/CYBER INSURANCE.pdf).

Ogut, H., Raghunathan, S., & Menon, N. (2005). Cyber insurance and IT security investment: Impact of interdependent risk. Cambridge, USA: Proceedings of the Workshop on the Economics of Information Security.

Pols, J., Parker, D. 2008. The great debate: security spending. Information Systems Security Association Journal, 6(4) ,21-25.

Raviv, A. (1979). The design of an optimal insurance policy. American Economic Review, 69, 84–96.

Schlesinger, H. (1981). The optimal level of deductibility in insurance contracts. The Journal of Risk and Insurance, 48(3), 465–481.CrossRef

Schroeder, D. 2014. Cyber Insurance: just one component of risk management. The Walstreet Journal, May 27 2014. Available at http://blogs.wsj.com/cio/2014/03/27/cyber-insurance-just-one-component-of-risk-management/.

Schwartz, G., Shetty, N., & Warland, J. (2010). Cyber-insurance: Missing market driven by user heterogeneity. Cambridge, USA: Proceedings of the Workshop on the Economics of Information Security.

Siegel, C. A., Ty, R. S., & Serritella, P. (2002). Cyber-risk management: technical and insurance controls for enterprise-level security. Information Systems Security, 11(4), 33–49.CrossRef

Steele, C. (2007). Cyber insurance supplements, not replaces data breach security (Available at http://searchsecuritychannel.techtarget.com/news/article/0289142sid97_ gci1262357 00.html).

The Betterley Report: Cyber risk and Privacy Market Survey (2010). (Available at http://betterley.com/samples/CyberRisk10nt.pdf).

The Betterley Report: Cyber risk Market Survey (2008). (Available at http://www.betterley.com).

The Betterley Report: Cyber/Private Insurance Market Survey. (2015) (Available at http://www.betterley.com).

Richardson, R. (2008). The CSI Computer crime and security survey. Available at (https://www.miel.in/pdfs/CSIsurvey2008.pdf).

The CSI/FBI Computer Crime and Security Surveys 2000-2006. (Available at http://www.gocsi.com).

Wood, L. (2007). Can 'cyber insurance' protect you from data breach catastrophe? (Available at http://tinyurl.com/3co9hd).

Titel: A model to analyze the challenge of using cyber insurance
verfasst von: Tridib Bandyopadhyay
Vijay Mookerjee
Publikationsdatum: 18.03.2017
Verlag: Springer US
Erschienen in: Information Systems Frontiers / Ausgabe 2/2019
Print ISSN: 1387-3326
Elektronische ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-017-9737-3

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2019

Leveraging collective intelligence for behavioral prediction in signed social networks through evolutionary approach

Dynamic network analysis of online interactive platform

The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats

Risks and rewards of cloud computing in the UK public sector: A reflection on three Organisational case studies

Enhancing mobile data services performance via online reviews

Using sentiment analysis to improve supply chain intelligence