Published in: Zeitschrift für die gesamte Versicherungswissenschaft 4/2018

03.01.2019 | Article

Challenges and Implications for Cyber Risk Management and the Insurance of Cyber Risks – An Empirical Analysis

Authors: Dirk Wrede, Thorben Freers, Johann-Matthias Graf von der Schulenburg


Abstract

Against the backdrop of a highly dynamic and extremely changeable risk landscape in companies, this article examines the status quo of the insurance of cyber risks and the handling of such threats in risk management. Given the novelty and complexity of the topic and its insufficient treatment in the literature to date, interviews are conducted with experts from insurance and consulting companies as well as interest groups. The results show that, in corporate practice, a lack of risk awareness of cyber threats is a significant factor influencing IT security, and that cyber risks are often insufficiently considered in risk management. In addition, cyber policies currently do not offer all-risk coverage for cyber losses, and the German cyber insurance market has so far been little developed.
Footnotes

1. On the various risks associated with use of the WWW, see Kim et al. (2011).

2. On the classification of security threats to IT systems, see Jouini et al. (2014).

3. According to a representative survey by the Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom), the total damage to companies in Germany resulting from digital industrial espionage, sabotage and data theft amounts, by conservative calculations, to approx. €43.4 billion over the last two years (Bitkom 2018). In 2017, the average cost of a single data loss event for German companies was approx. €3.42 million (Ponemon Institute, LLC 2017). On the problem of estimating the economic costs of cybercrime, see in particular Anderson et al. (2013) and Hyman (2013).

References
Abawajy, J.: User preference of cyber security awareness delivery methods. Behav. Inf. Technol. 33(3), 237–248 (2014)
Adler, S.B., Sand, R.A.: Internet insurance whitepaper how to build insurable Internet business. Geneva Pap. Risk Insur. Issues Pract. 23(1), 81–102 (1998)
Albrechtsen, E.: A qualitative study of users’ view on information security. Comput. Secur. 26(4), 276–289 (2007)
Albrechtsen, E., Hovden, J.: Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput. Secur. 29(4), 432–445 (2010)
Anderson, R.J.: Liability and computer security: nine principles. In: Gollmann, D. (ed.) Computer Security ESORICS 94: Third European Symposium on Research in Computer Security, Brighton, United Kingdom, November 7–9, 1994. Proceedings, pp. 231–245. Springer, Berlin, Heidelberg (1994)
Anderson, R.J., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)
Anderson, R.J., Barton, C., Böhme, R., Clayton, R., Van Eeten, M.J.G., Levi, M., Moore, T., Savage, S.: Measuring the cost of cybercrime. In: Böhme, R. (ed.) The Economics of Information Security and Privacy, pp. 265–300. Springer, Heidelberg, New York, Dordrecht, London (2013)
Ashby, S.G., Buck, T., Nöth-Zahn, S., Peisl, T.: Emerging IT risks: insights from German banking. Geneva Pap. Risk Insur. Issues Pract. 43(2), 180–207 (2018)
Aytes, K., Connolly, T.: Computer security and risky computing practices: a rational choice perspective. J. Organ. End User Comput. 16(3), 22–40 (2004)
Baer, W.S.: Rewarding IT security in the marketplace. Contemp. Secur. Policy 24(1), 190–208 (2003)
Baer, W.S., Parkinson, A.: Cyberinsurance in IT security management. IEEE. Secur. Priv. 5(3), 50–56 (2007)
Bandyopadhyay, T., Jacob, V., Raghunathan, S.: Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Inf. Technol. Manage. 11(1), 7–23 (2010)
Bandyopadhyay, T., Shidore, S.: Towards a Managerial Decision Framework for Utilization of Cyber Insurance Instruments in IT security. In: Proceedings of the 17th Americas Conference on Information Systems (AMCIS), Detroit, August 4–7, 2011 (2011)
Bandyopadhyay, T.: Organizational Adoption of Cyber Insurance Instruments in IT Security Risk Management—A Modeling Approach. In: Proceedings of the 15th Annual Conference of the Southern Association for Information Systems (SAIS), Atlanta, March 23–24, 2012 (2012)
Bandyopadhyay, T., Mookerjee, V.S., Rao, R.C.: Why IT managers don’t go for cyber-insurance products. Commun. ACM 52(11), 68–73 (2009)
Bauer, J.M., Van Eeten, M.J.G.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecomm. Policy 33(10–11), 706–719 (2009)
Bendovschi, A.: Cyber-attacks—trends, patterns and security countermeasures. Procedia Econ. Financ. 28, 24–31 (2015)
Biener, C., Eling, M., Matt, A., Wirfs, J.H.: Cyber Risk: Risikomanagement und Versicherbarkeit. I•VW HSG Schriftenreihe, vol. 54. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2015a)
Biener, C., Eling, M., Wirfs, J.H.: Insurability of cyber risk: an empirical analysis. Geneva Pap. Risk Insur. Issues Pract. 40(1), 131–158 (2015b)
Blakley, B., McDermott, E., Geer, D.: Information Security is Information Risk Management. In: Proceedings of the New Security Paradigms Workshop (NSPW), Cloudcroft, September 10–13, 2001 (2001)
Bley, K., Leyh, C., Schäffer, T.: Digitization of German Enterprises in the Production Sector—Do they know how “digitized” they are? In: Proceedings of the 22nd Americas Conference on Information Systems (AMCIS), San Diego, August 11–14, 2016 (2016)
Blind, K.: Eine Analyse der Versicherung von Risiken der Informationssicherheit in Kommunikationsnetzen. Z. Ges. Versicherungswiss. 85(1), 81–101 (1996)
Blind, K.: Insuring risks to information safety in communication systems in Germany. J. Insur. Regul. 19(3), 466–490 (2001)
Bogner, A., Littig, B., Menz, W.: Interviews mit Experten: Eine praxisorientierte Einführung. Springer VS, Wiesbaden (2014)
Böhme, R.: Cyber-Insurance Revisited. In: Proceedings of the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, June 2–3, 2005 (2005a)
Böhme, R.: IT-Risiken im Schadenversicherungsmodell: Implikationen der Marktstruktur. In: Federrath, H. (ed.) Sicherheit 2005: Sicherheit – Schutz und Zuverlässigkeit, Beiträge der 2. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), Regensburg, 5.–8. April 2005, pp. 27–40. Köllen, Bonn (2005b)
Böhme, R., Kataria, G.: Models and Measures for Correlation in Cyber-Insurance. In: Proceedings of the 5th Workshop on the Economics of Information Security (WEIS), Cambridge, June 26–28, 2006 (2006a)
Böhme, R., Kataria, G.: On the limits of cyber-insurance. In: Fischer-Hübner, S., Furnell, S., Lambrinoudakis, C. (eds.) Trust and Privacy in Digital Business: Third International Conference, TrustBus 2006, Kraków, Poland, September 4–8, 2006. Proceedings, pp. 31–40. Springer, Berlin, Heidelberg (2006b)
Böhme, R., Schwartz, G.: Modeling Cyber-Insurance: Towards A Unifying Framework. In: Proceedings of the 9th Workshop on the Economics of Information Security (WEIS), Cambridge, June 7–8, 2010 (2010)
Bolot, J., Lelarge, M.: Cyber insurance as an incentive for Internet security. In: Johnson, M.E. (ed.) Managing Information Risk and the Economics of Security, pp. 269–290. Springer, Boston (2009)
Brancheau, J.C., Janz, B.D., Wetherbe, J.C.: Key issues in information systems management: 1994–95 SIM Delphi results. MIS Q. 20(2), 225–242 (1996)
Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)
Cachia, M., Millward, L.: The telephone medium and semi-structured interviews: a complementary fit. Qual. Res. Organ. Manage. Int. J. 6(3), 265–277 (2011)
Camillo, M.: Cyber risk and the changing role of insurance. J. Cyber Policy 2(1), 53–63 (2017)
Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Economics of IT security management: four improvements to current security practices. Commun. AIS 14, 65–75 (2004)
Cavusoglu, H., Cavusoglu, H., Son, J.-Y., Benbasat, I.: Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources. Inf. Manage. 52(4), 385–400 (2015)
Cepeda, G., Martin, D.: A review of case studies publishing in Management Decision 2003–2004: guides and criteria for achieving quality in qualitative research. Manage. Decis. 43(6), 851–876 (2005)
Chertoff, M.: The cybersecurity challenge. Regul. Gov. 2(4), 480–484 (2008)
Choi, N., Kim, D., Goo, J., Whitmore, A.: Knowing is doing: an empirical validation of the relationship between managerial information security awareness and action. Inf. Manage. Comput. Secur. 16(5), 484–501 (2008)
Choo, K.-K.R.: The cyber threat landscape: challenges and future research directions. Comput. Secur. 30(8), 719–731 (2011)
Choudhry, U.: Der Cyber-Versicherungsmarkt in Deutschland: Eine Einführung. Springer Gabler, Wiesbaden (2014)
Christmann, G.B.: Expert interviews on the telephone: a difficult undertaking. In: Bogner, A., Littig, B., Menz, W. (eds.) Interviewing Experts, pp. 157–183. Palgrave Macmillan, London (2009)
Cox, J.: Information systems user security: a structured model of the knowing–doing gap. Comput. Hum. Behav. 28(5), 1849–1858 (2012)
Deane, J.K., Ragsdale, C.T., Rakes, T.R., Rees, L.R.: Managing supply chain risk and disruption from IT security incidents. Oper. Manage. Res. 2(1–4), 4–12 (2009)
De Smidt, G.A., Botzen, W.J.W.: Perceptions of corporate cyber risks and insurance decision-making. Geneva Pap. Risk Insur. Issues Pract. 43(2), 239–274 (2018)
Diekmann, A.: Empirische Sozialforschung: Grundlagen, Methoden, Anwendungen, 18th edn. Rowohlt, Reinbek (2007)
Dong, L., Tomlin, B.: Managing disruption risk: the interplay between operations and insurance. Manage. Sci. 58(10), 1898–1915 (2012)
Eisenhardt, K.M.: Building theories from case study research. Acad. Manage. Rev. 14(4), 532–550 (1989)
Eisenhardt, K.M., Graebner, M.E.: Theory building from cases: opportunities and challenges. Acad. Manage. J. 50(1), 25–32 (2007)
Eling, M.: Cyber risk and cyber risk insurance: status quo and future research. Geneva Pap. Risk Insur. Issues Pract. 43(2), 175–179 (2018)
Eling, M., Schnell, W.: What do we know about cyber risk and cyber risk insurance? J. Risk Financ. 17(5), 474–491 (2016b)
Eling, M., Wirfs, J.H.: What are the actual costs of cyber risk events? Eur. J. Oper. Res. 272(3), 1109–1119 (2019)
Faisst, U., Prokein, O., Wegmann, N.: Ein Modell zur dynamischen Investitionsrechnung von IT-Sicherheitsmaßnahmen. Z. Betriebswirtsch. 77(5), 511–538 (2007)
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Decision support approaches for cyber security investment. Decis. Support. Syst. 86, 13–23 (2016)
Finfgeld-Connett, D.: Use of content analysis to conduct knowledge-building and theory-generating qualitative systematic reviews. Qual. Res. 14(3), 341–352 (2014)
Firestone, W.A.: Alternative arguments for generalizing from data as applied to qualitative research. Educ. Researcher 22(4), 16–23 (1993)
Flagmeier, W., Heidemann, J.: Sonderheft: Cyber-Versicherungen, 4th edn. Wolters Kluwer, Münster (2018)
Franke, U.: The cyber insurance market in Sweden. Comput. Secur. 68, 130–144 (2017)
Gaudenzi, B., Siciliano, G.: Just do it: managing IT and cyber risks to protect the value creation. J. Promot. Manage. 23(3), 372–385 (2017)
Gläser, J., Laudel, G.: Experteninterviews und qualitative Inhaltsanalyse als Instrumente rekonstruierender Untersuchungen, 4th edn. VS, Wiesbaden (2010)
Goodhue, D.L., Straub, D.W.: Security concerns of system users: a study of perceptions of the adequacy of security. Inf. Manage. 20(1), 13–27 (1991)
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)
Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Commun. ACM 46(3), 81–85 (2003)
Grace, M.F., Leverty, J.T., Phillips, R.D., Shimpi, P.: The value of investing in enterprise risk management. J. Risk Insur. 82(2), 289–316 (2015)
Groleau, D., Zelkowitz, P., Cabral, I.E.: Enhancing generalizability: moving from an intimate to a political voice. Qual. Health Res. 19(3), 416–426 (2009)
Grzebiela, T.: Versicherbarkeit von Risiken des E‑Commerce. In: Buhl, H.U., Huther, A., Reitwiesner, B. (eds.) Information Age Economy: 5. Internationale Tagung Wirtschaftsinformatik 2001, pp. 409–423. Physica, Heidelberg (2001)
Grzebiela, T.: Insurability of Electronic Commerce Risks. In: Proceedings of the 35th Hawaii International Conference on System Sciences (HICSS), Big Island, January 7–10, 2002 (2002a)
Grzebiela, T.: Internet-Risiken: Versicherbarkeit und Alternativer Risikotransfer, 1st edn. Deutscher Universitäts-Verlag, Wiesbaden (2002b)
Haas, A., Hofmann, A.: Risiken aus der Nutzung von Cloud-Computing-Diensten: Fragen des Risikomanagements und Aspekte der Versicherbarkeit. Z. Ges. Versicherungswiss. 103(4), 377–407 (2014)
Hartley, J.F.: Case studies in organizational research. In: Cassell, C., Symon, G. (eds.) Qualitative Methods in Organizational Research: A Practical Guide, pp. 209–229. SAGE, London (1994)
Harvey, C.D.H.: Telephone survey techniques. Can. Home Econ. J. 38(1), 30–35 (1988)
Herath, H.S.B., Herath, T.C.: Copula-based actuarial model for pricing cyber-insurance policies. Insur. Mark. Co. Anal. Actuar. Comput. 2(1), 7–20 (2011)
Hiller, J.S., Russell, R.S.: The challenge and imperative of private sector cybersecurity: an international comparison. Comput. Law Secur. Rev. 29(3), 236–245 (2013)
Hopf, C.: Qualitative Interviews – Ein Überblick. In: Flick, U., Von Kardorff, E., Steinke, I. (eds.) Qualitative Forschung: Ein Handbuch, 10th edn., pp. 349–360. Rowohlt, Reinbek (2013)
Hoyt, R.E., Liebenberg, A.P.: The value of enterprise risk management. J. Risk Insur. 78(4), 795–822 (2011)
Hsieh, H.-F., Shannon, S.E.: Three approaches to qualitative content analysis. Qual. Health Res. 15(9), 1277–1288 (2005)
Hu, Q., Hart, P., Cooke, D.: The role of external and internal influences on information systems security—a neo-institutional perspective. J. Strateg. Inf. Syst. 16(2), 153–172 (2007)
Hyman, P.: Cybercrime: it’s serious, but exactly how serious? Commun. ACM 56(3), 18–20 (2013)
Innerhofer-Oberperfler, F., Breu, R.: Potential rating indicators for cyberinsurance: an exploratory qualitative study. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 249–278. Springer, Boston (2010)
Järveläinen, J.: IT incidents and business impacts: validating a framework for continuity management in information systems. Int. J. Inf. Manage. 33(3), 583–590 (2013)
Jouini, M., Rabai, L.B.A., Aissa, A.B.: Classification of security threats in information systems. Procedia Comput. Sci. 32, 489–496 (2014)
Kaiser, R.: Qualitative Experteninterviews: Konzeptionelle Grundlagen und praktische Durchführung. Springer VS, Wiesbaden (2014)
Kankanhalli, A., Teo, H.-H., Tan, B.C.Y., Wei, K.-K.: An integrative study of information systems security effectiveness. Int. J. Inf. Manage. 23(2), 139–154 (2003)
Kayworth, T., Whitten, D.: Effective information security requires a balance of social and technology factors. MIS Q. Exec. 9(3), 163–175 (2010)
Keegan, C.: Cyber security in the supply chain: a perspective from the insurance industry. Technovation 34(7), 380–381 (2014)
Kesan, J.P., Majuca, R.P., Yurcik, W.J.: Cyberinsurance as a market-based solution to the problem of cybersecurity—A case study. In: Proceedings of the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, June 2–3, 2005 (2005)
Kesan, J.P., Majuca, R.P., Yurcik, W.J.: Three economic arguments for cyberinsurance. In: Chander, A., Gelman, L., Radin, M.J. (eds.) Securing Privacy in the Internet Age, pp. 345–366. Stanford University Press, Stanford (2008)
Kim, W., Jeong, O.-R., Kim, C., So, J.: The dark side of the Internet: attacks, costs and responses. Inf. Syst. 36(3), 675–705 (2011)
Kirkpatrick, K.: Cyber policies on the rise. Commun. ACM 58(10), 21–23 (2015)
Königs, H.-P.: IT-Risikomanagement mit System: Praxisorientiertes Management von Informationssicherheits‑, IT- und Cyberrisiken, 5th edn. Springer Vieweg, Wiesbaden (2017)
Kosub, T.: Components and challenges of integrated cyber risk management. Z. Ges. Versicherungswiss. 104(5), 615–634 (2015)
Kritzinger, E., Smith, E.: Information security management: an information security retrieval and awareness model for industry. Comput. Secur. 27(5–6), 224–231 (2008)
Kruger, H.A., Kearney, W.D.: A prototype for assessing information security awareness. Comput. Secur. 25(4), 289–296 (2006)
Krummaker, S., Graf von der Schulenburg, J.-M.: Die Versicherungsnachfrage von Unternehmen: Eine Empirische Untersuchung der Sachversicherungsnachfrage deutscher Unternehmen. Z. Ges. Versicherungswiss. 97(1), 79–97 (2008)
Zurück zum Zitat Kuckartz, U.: Qualitative Inhaltsanalyse. Methoden, Praxis, Computerunterstützung, 3. Aufl. Beltz Juventa, Weinheim, Basel (2016) Kuckartz, U.: Qualitative Inhaltsanalyse. Methoden, Praxis, Computerunterstützung, 3. Aufl. Beltz Juventa, Weinheim, Basel (2016)
Zurück zum Zitat Lai, C., Medvinsky, G., Neuman, C.B.: Endorsements, Licensing, and Insurance for Distributed System Services. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security (CCS), Fairfax, November 2–4, 1994 (1994) Lai, C., Medvinsky, G., Neuman, C.B.: Endorsements, Licensing, and Insurance for Distributed System Services. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security (CCS), Fairfax, November 2–4, 1994 (1994)
Zurück zum Zitat Lambrinoudakis, C., Gritzalis, S., Hatzopoulos, P., Yannacopoulos, A.N., Katsikas, S.: A formal model for pricing information systems insurance contracts. Comput. Stand. Interf. 27(5), 521–532 (2005) Lambrinoudakis, C., Gritzalis, S., Hatzopoulos, P., Yannacopoulos, A.N., Katsikas, S.: A formal model for pricing information systems insurance contracts. Comput. Stand. Interf. 27(5), 521–532 (2005)
Zurück zum Zitat Lamnek, S.: Qualitative Sozialforschung: Lehrbuch, 4. Aufl. Beltz, Weinheim, Basel (2005) Lamnek, S.: Qualitative Sozialforschung: Lehrbuch, 4. Aufl. Beltz, Weinheim, Basel (2005)
Zurück zum Zitat Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.H.: Information security awareness and behavior: a theory-based literature review. Manage. Res. Rev. 37(12), 1049–1092 (2014) Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.H.: Information security awareness and behavior: a theory-based literature review. Manage. Res. Rev. 37(12), 1049–1092 (2014)
Zurück zum Zitat Legner, C., Eymann, T., Hess, T., Matt, C., Böhmann, T., Drews, P., Mädche, A., Urbach, N., Ahlemann, F.: Digitalization: opportunity and challenge for the business and information systems engineering community. Bus. Inf. Syst. Eng. 59(4), 301–308 (2017) Legner, C., Eymann, T., Hess, T., Matt, C., Böhmann, T., Drews, P., Mädche, A., Urbach, N., Ahlemann, F.: Digitalization: opportunity and challenge for the business and information systems engineering community. Bus. Inf. Syst. Eng. 59(4), 301–308 (2017)
Zurück zum Zitat Lesch, T., Richter, A.: Risiken aus kommerzieller Nutzung des Internet – Möglichkeiten der Schadenverhütung und Versicherung. Z. Ges. Versicherungswiss. 89(4), 605–633 (2000) Lesch, T., Richter, A.: Risiken aus kommerzieller Nutzung des Internet – Möglichkeiten der Schadenverhütung und Versicherung. Z. Ges. Versicherungswiss. 89(4), 605–633 (2000)
Zurück zum Zitat Liebenberg, A.P., Hoyt, R.E.: The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Manage. Insur. Rev. 6(1), 37–52 (2003) Liebenberg, A.P., Hoyt, R.E.: The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Manage. Insur. Rev. 6(1), 37–52 (2003)
Luftman, J., Ben-Zvi, T.: Key issues for IT executives 2009: difficult economy’s impact on IT. MIS Q. Exec. 9(1), 49–59 (2010)
Marotta, A., Martinelli, F., Nanni, S., Orlando, A., Yautsiukhin, A.: Cyber-insurance survey. Comput. Sci. Rev. 24, 35–61 (2017)
Marshall, B., Cardon, P., Poddar, A., Fontenot, R.: Does sample size matter in qualitative research?: a review of qualitative interviews in IS research. J. Comput. Inf. Syst. 54(1), 11–22 (2013)
Mayring, P.: Qualitative Inhaltsanalyse: Grundlagen und Techniken, 12th ed. Beltz, Weinheim, Basel (2015)
Mayring, P.: Einführung in die qualitative Sozialforschung: Eine Anleitung zu qualitativem Denken, 6th ed. Beltz, Weinheim, Basel (2016)
McLellan, E., MacQueen, K.M., Neidig, J.L.: Beyond the qualitative interview: data preparation and transcription. Field Methods 15(1), 63–84 (2003)
Mehl, C.: Insurability of risks on the information highway, from the user’s point of view. Geneva Pap. Risk Insur. Issues Pract. 23(1), 103–111 (1998)
Meland, P.H., Tøndel, I.A., Moe, M.E.G., Seehusen, F.: Facing uncertainty in cyber insurance policies. In: Livraga, G., Mitchell, C. (eds.) Security and Trust Management: 13th International Workshop, STM 2017, Oslo, Norway, September 14–15, 2017. Proceedings, pp. 89–100. Springer, Cham (2017)
Meland, P.H., Tøndel, I.A., Solhaug, B.: Mitigating risk with cyberinsurance. IEEE Secur. Priv. 13(6), 38–43 (2015)
Merkens, H.: Stichproben bei qualitativen Studien. In: Friebertshäuser, B., Prengel, A. (eds.) Handbuch Qualitative Forschungsmethoden in der Erziehungswissenschaft, pp. 97–106. Juventa, Weinheim, München (1997)
Meuser, M., Nagel, U.: The expert interview and changes in knowledge production. In: Bogner, A., Littig, B., Menz, W. (eds.) Interviewing Experts, pp. 17–42. Palgrave Macmillan, London (2009)
Modrow-Thiel, B.: Qualitative Interviews – Vorgehen und Probleme. Z. Personalforsch. Special issue: EMPIRISCHE PERSONALFORSCHUNG, 129–146 (1993)
Moore, T.: The economics of cybersecurity: principles and policy options. Int. J. Crit. Infrastruct. Prot. 3(3–4), 103–117 (2010)
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: e-Risk Management with Insurance: A framework using Copula aided Bayesian Belief Networks. In: Proceedings of the 39th Hawaii International Conference on System Sciences (HICSS), Kauai, January 4–7, 2006 (2006)
Mukhopadhyay, A., Chakrabarti, B.B., Saha, D., Mahanti, A.: E-Risk Management through Self Insurance: An Option Model. In: Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS), Waikoloa, January 3–6, 2007 (2007a)
Mukhopadhyay, A., Chatterjee, S., Roy, R., Saha, D., Mahanti, A., Sadhukhan, S.K.: Insuring Big Losses Due to Security Breaches through Insurance: A Business Model. In: Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS), Waikoloa, January 3–6, 2007 (2007b)
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: Cyber-risk decision models: to insure IT or not? Decis. Support. Syst. 56, 11–26 (2013)
Mukhopadhyay, A., Saha, D., Chakrabarti, B.B., Mahanti, A., Podder, A.: Insurance for cyber-risk: a utility model. Decision 32(1), 153–169 (2005)
Myers, M.D., Newman, M.: The qualitative interview in IS research: examining the craft. Inf. Organ. 17(1), 2–26 (2007)
Ng, B.-Y., Kankanhalli, A., Xu, Y.(C.): Studying users’ computer security behavior: a health belief perspective. Decis. Support. Syst. 46(4), 815–825 (2009)
Njegomir, V., Marović, B.: Contemporary trends in the global insurance industry. Procedia Soc. Behav. Sci. 44, 134–142 (2012)
Nosworthy, J.D.: Implementing information security in the 21st century—Do you have the balancing factors? Comput. Secur. 19(4), 337–347 (2000)
Osborn, E., Simpson, A.: On small-scale IT users’ system architectures and cyber security: a UK case study. Comput. Sci. 70, 27–50 (2017)
Öğüt, H., Raghunathan, S., Menon, N.: Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Anal. 31(3), 497–512 (2011)
Pooser, D.M., Browne, M.J., Arkhangelska, O.: Growth in the perception of cyber risk: evidence from U.S. P&C insurers. Geneva Pap. Risk Insur. Issues Pract. 43(2), 208–223 (2018)
Porro, B., Epprecht, T.: From producing safety to managing risks. Geneva Pap. Risk Insur. Issues Pract. 26(2), 259–267 (2001)
Rakes, T.R., Deane, J.K., Rees, L.P.: IT security planning under uncertainty for high-impact events. Omega 40(1), 79–88 (2012)
Ransbotham, S., Mitra, S.: Choice and chance: a conceptual model of paths to information security compromise. Inf. Syst. Res. 20(1), 121–139 (2009)
Refsdal, A., Solhaug, B., Stølen, K.: Cyber-Risk Management. Springer, Cham, Heidelberg, New York, Dordrecht, London (2015)
Romanosky, S., Ablon, L., Kuehn, A., Jones, T.: Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk? In: Proceedings of the 16th Workshop on the Economics of Information Security (WEIS), La Jolla, June 26–27, 2017 (2017)
Ruan, K.: Introducing cybernomics: a unifying economic framework for measuring cyber risk. Comput. Secur. 65, 77–89 (2017)
Salmela, H.: Analysing business losses caused by information systems risk: a business process analysis approach. J. Inf. Technol. 23(3), 185–202 (2008)
Schneier, B.: Insurance and the computer industry. Commun. ACM 44(3), 114–115 (2001)
Schnell, R., Hill, P.B., Esser, E.: Methoden der empirischen Sozialforschung, 9th ed. Oldenbourg, München (2011)
Seibold, H.: IT-Risikomanagement. Oldenbourg, München (2006)
Shackelford, S.J.: Should your firm invest in cyber risk insurance? Bus. Horiz. 55(4), 349–356 (2012)
Shetty, N., Schwarz, G., Felegyhazi, M., Walrand, J.: Competitive cyber-insurance and Internet security. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 229–247. Springer, Boston (2010)
Shetty, S., McShane, M., Zhang, L., Kesan, J.P., Kamhoua, C.A., Kwiat, K., Njilla, L.L.: Reducing informational disadvantages to improve cyber risk management. Geneva Pap. Risk Insur. Issues Pract. 43(2), 224–238 (2018)
Siegel, C., Sagalow, T.R., Serritella, P.: Cyber-risk management: technical and insurance controls for enterprise-level security. Inf. Syst. Secur. 11(5), 33–49 (2002)
Siponen, M.T.: A conceptual foundation for organizational information security awareness. Inf. Manage. Comput. Secur. 8(1), 31–41 (2000a)
Siponen, M.T.: Critical analysis of different approaches to minimizing user-related faults in information systems security: implications for research and practice. Inf. Manage. Comput. Secur. 8(5), 197–209 (2000b)
Siponen, M.T.: Five dimensions of information security awareness. ACM SIGCAS Comput. Soc. 31(2), 24–29 (2001)
Smith, G.S.: Recognizing and preparing loss estimates from cyber-attacks. Inf. Syst. Secur. 12(6), 46–57 (2004)
Smith, G.E., Watson, K.J., Baker, W.H., Pokorski II, J.A.: A critical balance: collaboration and security in the IT-enabled supply chain. Int. J. Prod. Res. 45(11), 2595–2613 (2007)
Sonnenreich, W., Albanese, J., Stout, B.: Return On Security Investment (ROSI)—a practical quantitative model. J. Res. Pract. Inf. Technol. 38(1), 45–56 (2006)
Spears, J.L., Barki, H.: User participation in information systems security risk management. MIS Q. 34(3), 503–522 (2010)
Srinidhi, B., Yan, J., Tayi, G.K.: Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors. Decis. Support. Syst. 75, 49–62 (2015)
Stewart, H., Jürjens, J.: Information security management and the human aspect in organizations. Inf. Comput. Secur. 25(5), 494–534 (2017)
Straub, D.W., Welke, R.J.: Coping with systems risk: security planning models for management decision making. MIS Q. 22(4), 441–469 (1998)
Strupczewski, G.: The cyber insurance market in Poland and determinants of its development from the insurance broker’s perspective. Econ. Bus. Rev. 3(2), 33–50 (2017)
Sturges, J.E., Hanrahan, K.J.: Comparing telephone and face-to-face qualitative interviewing: a research note. Qual. Res. 4(1), 107–118 (2004)
Thomson, M.E., Von Solms, R.: Information security awareness: educating your users effectively. Inf. Manage. Comput. Secur. 6(4), 167–173 (1998)
Tøndel, I.A., Seehusen, F., Gjære, E.A., Moe, M.E.G.: Differentiating cyber risk of insurance customers: the insurance company perspective. In: Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A.M., Weippl, E. (eds.) Availability, Reliability, and Security in Information Systems: IFIP WG 8.4, 8.9, TC 5 International Cross-Domain Conference, CD-ARES 2016, and Workshop on Privacy Aware Machine Learning for Health Data Science, PAML 2016, Salzburg, Austria, August 31–September 2, 2016. Proceedings, pp. 175–190. Springer, Cham (2016)
Tosh, D.K., Shetty, S., Sengupta, S., Kesan, J.P., Kamhoua, C.A.: Risk management using cyber-threat information sharing and cyber-insurance. In: Duan, L., Sanjab, A., Li, H., Chen, X., Materassi, D., Elazouzi, R. (eds.) Game Theory for Networks: 7th International EAI Conference, GameNets 2017, Knoxville, TN, USA, May 9, 2017. Proceedings, pp. 154–164. Springer, Cham (2017)
Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Analyzing trajectories of information security awareness. Inf. Technol. People 25(3), 327–352 (2012)
Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Managing the introduction of information security awareness programmes in organizations. Eur. J. Inf. Syst. 24(1), 38–58 (2015)
Veit, D., Clemons, E., Benlian, A., Buxmann, P., Hess, T., Kundisch, D., Leimeister, J.M., Loos, P., Spann, M.: Business models—an information systems research agenda. Bus. Inf. Syst. Eng. 6(1), 45–53 (2014)
Von Solms, R., Van Niekerk, J.: From information security to cyber security. Comput. Secur. 38, 97–102 (2013)
Whitman, M.E.: In defense of the realm: understanding the threats to information security. Int. J. Inf. Manage. 24(1), 43–57 (2004)
Woods, D., Simpson, A.: Policy measures and cyber insurance: a framework. J. Cyber Policy 2(2), 209–226 (2017)
Wopperer, W.: Fraud risks in e-commerce transactions. Geneva Pap. Risk Insur. Issues Pract. 27(3), 383–394 (2002)
Yin, R.K.: Case Study Research: Design and Methods, 5th ed. SAGE, Los Angeles, London, New Delhi, Singapore, Washington (2014)
Young, D., Lopez Jr., J., Rice, M., Ramsey, B., McTasney, R.: A framework for incorporating insurance in critical infrastructure cyber risk strategies. Int. J. Crit. Infrastruct. Prot. 14, 43–57 (2016)
Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: cyberinsurance, managed security services, and risk pooling arrangements. J. Manage. Inf. Syst. 30(1), 123–152 (2013)
Metadata
Title: Herausforderungen und Implikationen für das Cyber-Risikomanagement sowie die Versicherung von Cyberrisiken – Eine empirische Analyse
Authors: Dirk Wrede, Thorben Freers, Johann-Matthias Graf von der Schulenburg
Publication date: 03.01.2019
Publisher: Springer Berlin Heidelberg
Published in: Zeitschrift für die gesamte Versicherungswissenschaft / Issue 4/2018
Print ISSN: 0044-2585
Electronic ISSN: 1865-9748
DOI: https://doi.org/10.1007/s12297-018-0425-2
