Cyber Insurance of Information Systems: Security and Privacy Cyber Insurance Contracts for ICT and Healthcare Organizations

Nowadays, more and more aspects of our daily activities are digitalized. Data and assets in cyberspace, both of individuals and of organizations, must be safeguarded, and the insurance sector must therefore face the challenge of digital transformation in the 5G era with the right set of tools. In this paper, we present CyberSure, an insurance framework for information systems. CyberSure investigates the interplay between certification, risk management, and insurance of cyber processes. It promotes continuous monitoring as the new building block for cyber insurance, in order to overcome the current obstacles to identifying contractual violations by the insured party in real time and to issuing early-warning notifications before a violation occurs. Lightweight monitoring modules capture the status of the operating components and send data to the CyberSure backend system, which performs the core decision making. An insured system is therefore certified dynamically, with the risk and insurance perspectives being evaluated at runtime as the system's operation evolves. As new data become available, the risk management and the insurance policies are adjusted and fine-tuned. When an incident occurs, the insurance company possesses adequate information to assess the situation quickly, estimate the level of a potential loss accurately, and shorten the period required to compensate the insured customer. The framework is applied in the ICT and healthcare domains, assessing the systems of medium-sized organizations. GDPR implications are also considered, with the overall setting being effective and scalable.
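The monitoring-to-decision loop described above can be made concrete with a small evaluator. The following is an added example and is not CyberSure's own code: the clause identifiers, metric names, limits, warning margins, weights, the premium rule and the telemetry records are all constructed assumptions for illustration. It shows the three things the abstract asks of the backend: detect a contractual violation in real time from module telemetry, raise an early warning while a metric is still within the limit but approaching it, and re-score risk (and a premium factor) as each new report arrives. It also keeps the last report received before an incident, which is the evidence the insurer has at claim time.

```python
"""Minimal continuous-monitoring evaluator for cyber-insurance clauses.

Added example, not code from the CyberSure project. Every clause, metric,
threshold, weight and telemetry record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Clause:
    clause_id: str        # hypothetical contract clause identifier
    metric: str           # telemetry key a monitoring module reports
    limit: float          # contractual maximum allowed value
    warn_fraction: float  # early warning once value >= warn_fraction * limit
    weight: float         # contribution of a violation to the risk score


# Hypothetical contract: three clauses an insurer might monitor continuously.
CONTRACT: List[Clause] = [
    Clause("C1-patch-latency", "critical_patch_age_days", 30.0, 0.8, 3.0),
    Clause("C2-backup-age", "verified_backup_age_hours", 48.0, 0.75, 2.0),
    Clause("C3-exposed-admin", "internet_exposed_admin_ports", 0.0, 1.0, 5.0),
]

OK, WARNING, VIOLATION = "OK", "WARNING", "VIOLATION"


def evaluate_clause(clause: Clause, value: float) -> str:
    """Map one monitored value to OK / WARNING / VIOLATION.

    A zero limit means any positive value is a violation and there is no
    warning band, so the early-warning test is skipped for it.
    """
    if value > clause.limit:
        return VIOLATION
    if clause.limit > 0 and value >= clause.warn_fraction * clause.limit:
        return WARNING
    return OK


def evaluate_report(report: Dict, contract: List[Clause] = CONTRACT) -> Dict[str, str]:
    """Evaluate one telemetry report against every clause.

    A metric the module failed to report is treated as a violation: silence
    from a monitoring module is not evidence of compliance.
    """
    metrics = report["metrics"]
    return {
        c.clause_id: evaluate_clause(c, metrics[c.metric]) if c.metric in metrics else VIOLATION
        for c in contract
    }


def risk_score(findings: Dict[str, str], contract: List[Clause] = CONTRACT) -> float:
    """Runtime risk score: full weight for a violation, half for an early warning."""
    by_id = {c.clause_id: c for c in contract}
    return sum(
        by_id[cid].weight * (1.0 if s == VIOLATION else 0.5 if s == WARNING else 0.0)
        for cid, s in findings.items()
    )


def premium_factor(score: float, base: float = 1.0, step: float = 0.05) -> float:
    """Hypothetical premium rule: +5% of base per risk point, capped at 2x base."""
    return min(base + step * score, 2.0 * base)


def evidence_before(reports: List[Dict], incident_time: datetime) -> Optional[Dict]:
    """Latest report received at or before the incident: the insurer's evidence at claim time."""
    prior = [r for r in reports if r["ts"] <= incident_time]
    return max(prior, key=lambda r: r["ts"]) if prior else None


# Constructed telemetry: three daily reports from a monitoring module on one insured host.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
REPORTS: List[Dict] = [
    {"ts": T0, "host": "ehr-db-01",
     "metrics": {"critical_patch_age_days": 12, "verified_backup_age_hours": 20, "internet_exposed_admin_ports": 0}},
    {"ts": T0 + timedelta(days=1), "host": "ehr-db-01",
     "metrics": {"critical_patch_age_days": 25, "verified_backup_age_hours": 44, "internet_exposed_admin_ports": 0}},
    {"ts": T0 + timedelta(days=2), "host": "ehr-db-01",
     "metrics": {"critical_patch_age_days": 32, "verified_backup_age_hours": 60, "internet_exposed_admin_ports": 1}},
]


def run_timeline(reports: List[Dict] = REPORTS) -> List[Dict]:
    """Re-evaluate the contract as each report arrives, as the backend would at runtime."""
    out = []
    for r in reports:
        findings = evaluate_report(r)
        score = risk_score(findings)
        out.append({"ts": r["ts"], "findings": findings, "score": score, "premium": premium_factor(score)})
    return out


if __name__ == "__main__":
    for row in run_timeline():
        print(row["ts"].date(), row["findings"], "score=%.1f premium=x%.3f" % (row["score"], row["premium"]))
```

On day 1 both the patch-latency and backup-age clauses are inside their warning bands, so the insured gets an early warning before any breach; on day 2 all three clauses are violated and the premium factor rises to 1.5. The rules here are deliberately simple thresholds; a production backend would also want signed, timestamped reports so that the evidence retained by `evidence_before` cannot be altered by the insured after an incident.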
