nach oben

Zeitschrift für die gesamte Versicherungswissenschaft

Erschienen in:

01.12.2015 | Abhandlung

Components and challenges of integrated cyber risk management

verfasst von: Thomas Kosub

Erschienen in: Zeitschrift für die gesamte Versicherungswissenschaft | Ausgabe 5/2015

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Cyber risk has become increasingly important as the severity and frequency of cyber incidents is steadily on the rise. Cyber risk management is thus a necessity for businesses to ensure firms’ stability and operability, which is partially even required by law. Therefore, this paper focuses on the major components of an effective cyber risk management process. This is based on a comprehensive review of the academic literature and relevant frameworks (ISO/IEC 27000 series) and by outlining the cyber risk management process step by step. In addition, we discuss existing challenges and problems of cyber risk management. The study emphasizes that a comprehensive management of cyber risks needs well-designed internal risk management structures as well as adequate awareness for such threats.

Vorheriger Artikel Aktuarielle Besonderheiten bei der Kalkulation von Telematik-Tarifen in der Kfz-Versicherung

Nächster Artikel Die Zurechnung von Gesellschafterverhalten im Versicherungsrecht

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

http://www.agcs.allianz.com, access 06/18/2013.

Behrends (2013, p. 25), Sinanaj and Muntermann (2013, p. 88).

http://www.roberthalf.de/id/PR−04055/cyber-security-unterschaetzt, access 01/27/2015.

Dowdy (2012, p. 129).

German Federal Ministry of the Interior (2014, p. 1).

Von Solms and van Niekerk (2013, p. 97).

German Federal Data Protection Act, Haas and Hofmann (2014).

With the first unofficial consolidated version of the European General Data Protection Regulation, the European Commission is adjusting the fine up to 5 % of annual worldwide turnover, or up to 100 million Euros, whichever is the larger value (http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf, access 03/04/2014).

European Commission (2012, pp. 92–93).

According to the European General Data Protection Regulation, see European Commission (2012, p. 28). With the current data protection laws, only personal data violations have to be reported immediately (§ 42a German Federal Data Protection Act; Behrends, 2013, p. 25).

Behrends (2013, p. 25).

Biener et al. (2015a, p. 132), Cabinet Office (2011, p. 11).

NIST (2013, p. 58).

Biener et al. (2015a, p. 132), Hult and Sivanesan (2013, p. 97).

Biener et al. (2015a, p. 133), Cebula and Young (2010, p. 2).

German Federal Ministry of the Interior (2014), German Federal Office for Information Security (2012).

Munich Re (2012, p. 39), Slay and Miller (2008, p. 80).

Slay and Miller (2008, pp. 73–75).

Fernandez and Fernandez (2005, pp. 162–164), Rinaldi et al. (2001).

E.g., Hult and Sivanesan (2013, p. 99), Lenz (2009, pp. 17–18).

Lenz (2009, pp. 24–25).

Hult and Sivanesan (2013, p. 99).

Von Solms and van Niekerk (2013, pp. 100–101).

Brenner et al. (2011, pp. 3–5), Dinger and Hartenstein (2008, pp. 189–190), Posthumus and von Solms (2004, pp. 639–640).

The SOX Act is applied to firms that offer stocks on the US stock markets, equity securities (not listed) or public offerings, as well as all subsidiary companies. The “EURO-SOX”, however, refers to all larger capital companies (listed and not listed).

http://www.kompass-sicherheitsstandards.de/43738.aspx, access 11/28/2014, for further information on these regulations.

BaFin—MaRisk VA 7.2.2.2, https://www.bafin.de, access 11/28/2014.

This refers to the ISO/IEC 27001:2005 standard; however, the ISO/IEC 27001:2013 standard does not limit the information security management system to the PDCA cycle but also allows other improvement processes, such as the Six Sigma DMAIC (define, measure, analyze, improve and control).

Brenner et al. (2011, pp. 21–24).

We therefore particularly focus on the ISO/IEC 27001:2005 and the ISO/IEC 27005:2008, if the standards’ version is not specifically outlined.

See further information on identification and valuation of assets within the ISO 27005 Annex B and e.g., Siegel et al. (2002, p. 33).

Brenner et al. (2011, p. 16), Kersten et al. (2013, pp. 24–25).

Luzwick (2001, pp. 16–17), Marsh (2014, p. 11).

E.g., Shackelford (2012, pp. 4–5).

Denial-of-service is a cyber attack aiming to influence the availability of, e.g., a network, database or website (see Brenner et al. 2011, p. 4).

ISO/IEC 27005 Annex A.

See ISO/IEC 27005 Annex B for examples of assets and business processes, Annex C for examples of threats, and Annex D for vulnerabilities and their assessment methods.

Kersten et al. (2013, p. 31).

Romeike and Hager (2009, p. 377).

Siegel et al. (2002, p. 34).

Biener et al. (2015a, p. 139).

Posthumus and von Solms (2004, p. 641).

Brenner et al. (2011, p. 16).

Kersten et al. (2013, pp. 27–28).

E.g., Baer and Parkinson (2007, p. 53).

Romeike and Hager (2009, p. 377).

Brenner (2011, p. 39).

Romeike and Hager (2009, p. 378).

Smith (2004, p. 51).

Smith (2004, pp. 52–53).

Öğüt et al. (2011, p. 497), Smith (2004, pp. 50–51).

Cavusoglu et al. (2014b, p. 72).

Smith (2004, p. 46).

Öğüt et al. (2011, p. 497).

Cavusoglu et al. (2014a, pp. 72–73).

Smith (2004, p. 51).

Smith (2004, p. 55).

Romeike and Hager (2009, p. 379).

Brenner et al. (2011, pp. 40, 42), Romeike and Hager (2009, pp. 378–380).

Romeike and Hager (2009, p. 161).

E.g., Gibson (2010, p. 17).

Francis (2013, p. 28).

Gibson (2010, p. 96).

Each of these categories consists of further controls and control objectives (see Brenner et al., 2011, pp. 63, 65–128). See ISO/IEC 27001 Annex A.

ISO/IEC 27005 Annex F.

E.g., Behrends (2014, p. 16), Kersten et al. (2013, p. 59), Zurich (2014, p. 27).

Siegel et al. (2002, p. 33).

Based on Baer and Parkinson (2007), Gordon et al. (2003), Shackelford (2012).

Brenner (2011, p. 42), Kersten et al. (2013, p. 60).

Brenner et al. (2011, pp. 44–46, 51–52), Romeike and Hager (2009, p. 387).

E.g., Biener et al. (2015a, p. 139).

Training is necessary for all employees, as cyber risks do not only occur by immediate interruption of hardware or software systems monitored by internal IT departments but also by, e.g., social engineering, the social manipulation of employees to get user passwords and thereby access company systems.

Francis (2013, p. 28).

Stoneburner et al. (2002, p. 6).

COBIT (2012, pp. 76–77).

Biener et al. (2015b, p. 34).

Romeike and Hager (2009, pp. 396–399).

Cavusoglu et al. (2004b, pp. 75–76), Smith (2004, p. 51).

Biener et al. (2015b, p. 36).

Baer and Parkinson (2007, pp. 53–54), Böhme (2005, p. 13).

Biener et al. (2015b, p. 46).

Cavusoglu et al. (2014b, p. 87), Dowdy (2012, p. 131), Gordon et al. (2003, p. 82), Herath and Herath (2011, p. 9).

E.g., Biener et al. (2015a, p. 139).

Baer, W.S., Parkinson, A.: Cyber insurance in IT security management. IEEE. Secur. Priv. 5(3), 50–56 (2007)CrossRef

Behrends, J.: Cyber-Versicherungen haben eine große Zukunft. Versicherungswirtschaft. 2, 24–25 (2013)

Behrends, J.: (2014): Die Cyber-Versicherung: Unerlässlicher Teil eines effektiven Risikomanagements, I.VW Management-Information, St. Galler Trendmonitor für Risiko- und Finanzmärkte, 01/2014: 13–16

Biener, C., Eling, M., Wirfs, J.H.: Insurability of cyber risk: An empirical analysis. Geneva. Pap. Risk. Ins. 40, 131–158 (2015a)CrossRef

Biener, C., Eling, M., Matt, A., Wirfs, J.H.: Cyber Risk: Risikomanagement und Versicherbarkeit, I-VW HSG Schriftenreihe, Bd. 54 (2015b)

Böhme, R.: Cyber-Insurance Revisited, Fourth Workshop on the Economics of Information Security (WEIS). Kennedy School of Government, Cambridge (2005)

Böhme, R., Kataria, G.: Models and Measures for Correlation in Cyber-Insurance, Proc. of Workshop on the Economics of Information Security (WEIS), University of Cambridge, UK (2006)

Brenner, M., Gentschen Felde, N., Hommel, W., Metzger, S., Reiser, H., Schaaf, T.: Praxisbuch ISO/IEC 27001. Hanser Verlag, München (2011)CrossRef

Cabinet Office: The UK cyber security strategy. Protecting and promoting the UK in a digital world. https://www.gov.uk (2011). Accessed 01 July 2014

Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. J. Comput. Secur. 11(3), 431–448 (2003)

Cavusoglu, H., Mishra, B., Raghunathan, S.: A model for evaluating IT security investments. Commun. ACM. 47(7), 87–92 (2004a)CrossRef

Cavusoglu, H., Mishra, B., Raghunathan, S.: The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. Int. J. Electron. Comm. 9(1), 69–104 (2004b)

Cebula, J.J., Young, L.R.: A Taxonomy of Operational Cyber Security Risks, Software Engineering Institute, Carnegie Mellon University (2010)

Choudhry, U.: Der Cyber-Versicherungsmarkt in Deutschland, Eine Einführung. Springer Gabler Verlag, Wiesbaden (2014)

COBIT: COBIT 5. A business framework for the governance and management of enterprise IT. http://www.isaca.org (2012). Accessed 12 July 2014

Dinger, J., Hartenstein, H.: Netzwerk- und IT-Sicherheitsmanagement. Universitätsverlag Karlsruhe, Karlsruhe (2008)

Dowdy, J.: The Cyber security Threat to U.S. Growth and Prosperity, in: Securing Cyberspace: A New Domain for National Security (eds. Burns, N., and Price, J.), Aspen Strategy Group. http://www.aspeninstitute.org/ (2012). Accessed 02 Feb 2014

European Commission: General data protection regulation. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF (2012). Accessed 10 July 2013

Fernandez, J.D., Fernandez, A.E.: SCADA systems: Vulnerabilities and remediation. Journal. Comput. Sci. Coll. 20(4), 160–168 (2005)

Francis, T.: Managing cyber risk: The Trifecta. Am. Agent. Brok. 85(8), 28 (2013)

German Federal Ministry of the Interior (BMI): http://www.bmi.bund.de (2014). Accessed 03 Sept 2014

German Federal Office for Information Security (BSI): https://www.bsi.bund.de/ (2012). Accessed 07 April 2014

Gibson, D.: Managing Risk in Information Systems. Jones & Bartlett Learning, Sudbury (2010)

Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)CrossRef

Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Commun. ACM. 46(3), 81–85 (2003)CrossRef

Haas, A., Hofmann, A.: Risiken aus der Nutzung von Cloud-Computing-Diensten: Fragen des Risikomanagements und Aspekte der Versicherbarkeit. Zeitschrift für die gesamte Versicherungswissenschaft. 103(4), 377–407 (2014)CrossRef

Herath, H.S.B., Herath, T.C.: Copula-based actuarial model for pricing cyber-insurance policies. Insur. Mark. Co.: Anal. Actuar. Comput. 2(1), 7–20 (2011)

Hovay, A., D’Arcy, J.: The impact of denial-of-service attack announcements on the market value of firms. Risk. Manage.Insur. Rev. 6(2), 97–121 (2003)CrossRef

Hult, F., Sivanesan, G.: Introducing cyber. J. Bus. Contin. Emer. Plan. 7(2), 97–102 (2013)PubMed

Kersten, H., Reuter, J., Schröder, K.-W.: IT-Sicherheitsmanagement nach ISO 27001 und Grundschutz, 4th edn. Springer Vieweg Verlag, Wiesbaden (2013)CrossRef

Lenz, S.: Vulnerabilität Kritischer Infrastrukturen. Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (2009)

Luzwick, P.: If most of your revenue is from e-commerce, then cyber-insurance makes sense. Comput. Fraud. Secur. 2001(3), 16–17 (2001)

Marsh: Cyber-Risiken. Marktentwicklung & Risikomanagement, Frankfurt. http://www.lloyds.com (2014). Accessed 05 July 2014

Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: Cyber-risk decision models: To insure IT or not? Decis. Support. Syst. (2013) (forthcoming)

Munich Re: (2012): Cyberrisiken. Herausforderungen, Strategien und Lösungen für Versicherer, Knowledge Series. Technology, Engineering and Risks

National Institute of Standards and Technology (NIST): Glossary of key information security terms. http://www.nist.gov (2013). Accessed 05 July 2014

Öğüt, H., Raghunathan, S., Menon, N.: Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk. Anal. 31(3), 497–512 (2011)CrossRefPubMed

Posthumus, S., von Solms, R.: A Framework for the governance of information security. Comput. Secur.. 23, 638–646 (2004)CrossRef

Rinaldi, S.M., Peerenboom, J.P., Kelly, T.K.: Identifying, understanding, and analyzing critical infrastructure interdependencies. Control. Syst. IEEE. 21(6), 11–25 (2001)CrossRef

Romeike, F., Hager, P.: Erfolgsfaktor Risiko-Management 2.0, 2nd edn. Gabler Verlag, Wiesbaden (2009)

Shackelford, S.J.: Should your firm invest in cyber risk insurance? Bus. Horiz. (2012) (forthcoming)

Siegel, C.A., Sagalow, T.R., Serritella, P.: Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security. Information Systems Security - Security Management Practices (2002)

Sinanaj, G., Muntermann, J.: Assessing Corporate Reputational Damage of Data Breaches: An Empirical Analysis, in: Proceedings of the 26th International Bled eConference, pp. 78–89. Bled, Slovenia, June 9–13 2013

Slay, J., Miller, M.: Lessons learned from the maroochy water breach. In: Goetz, E., Shenoi, S. (eds.) IFIP International Federation for Information Processing, vol. 253, Critical Infrastructure Protection, pp. 73–82. Springer, Boston (2008)

Smith, G.S.: Recognizing and preparing loss estimates from cyber-attacks. Inf. Syst. Secur. 12(6), 46–58 (2004)CrossRef

Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for Information Technology systems, National Institute of Standards and Technology. Special Publication 800(30) (2002)

Von Solms, R., van Niekerk, J.: From information security to cyber security. Comput. Secur. 38, 97–102 (2013)CrossRef

Wang, J., Chaudhury, A., Rao, H.R.: A value-at-risk approach to information security investments. Inf. Syst. Res. 19(1), 106–120 (2008)CrossRef

Wang, Q.-H., Kim, S.-H.: Cyber Attacks: Cross-Country Interdependence and Enforcement, Working Paper. National University of Singapore, 2009

Zurich: (2014): Risk Nexus, Beyond Data Breaches: Global Interconnections of Cyber Risk. www.zurich.com. Accessed 21 Nov 2014

Titel: Components and challenges of integrated cyber risk management
verfasst von: Thomas Kosub
Publikationsdatum: 01.12.2015
Verlag: Springer Berlin Heidelberg
Erschienen in: Zeitschrift für die gesamte Versicherungswissenschaft / Ausgabe 5/2015
Print ISSN: 0044-2585
Elektronische ISSN: 1865-9748
DOI: https://doi.org/10.1007/s12297-015-0316-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 5/2015

Fragmentierung der Kollektive in der Privatversicherung – juristische Implikationen

Die Zurechnung von Gesellschafterverhalten im Versicherungsrecht

Unternehmensnachfolge bei Versicherungsvermittlern – Typologie und Handlungsanforderungen

Typologie der Versicherungsgruppenstrukturen in Deutschland im Hinblick auf die Solvency II-Gruppenaufsicht: Aspekte struktureller Finanzstabilität im Versicherungssektor

From research to purchase: an empirical analysis of research-shopping behaviour in the insurance sector

Aktuarielle Besonderheiten bei der Kalkulation von Telematik-Tarifen in der Kfz-Versicherung