Cyber-insurance survey

Abstract Cyber insurance is a rapidly developing area that is drawing increasing attention from practitioners and researchers. Insurance, an alternative way of dealing with residual risk, has only recently been applied to the cyber world, and the still immature cyber-insurance market faces a number of unique challenges as it develops. In this paper we summarise the basic knowledge about cyber insurance available so far from both market and scientific perspectives. We provide a common background explaining the basic terms and the formalisation of the area. We discuss the issues that make this type of insurance unique and show how different technologies are affected by them. We compare the available scientific approaches to the analysis of the cyber-insurance market and summarise their findings under a common view. Finally, we propose directions for further research on cyber insurance.

[1]  Hemantha S. B. Herath,et al.  Cyber-Insurance: Copula Pricing Framework and Implication for Risk Management , 2007, WEIS.

[2]  Japanese Standards Association.  Information technology - Security techniques - Code of practice for information security controls: ISO/IEC 27002 , 2013 .

[3]  Baruch Berliner,et al.  Large Risks and Limits of Insurability , 1985 .

[4]  Walter S. Baer,et al.  Cyberinsurance in IT Security Management , 2007, IEEE Security & Privacy.

[5]  J. Walrand,et al.  Cyber-Insurance: Missing Market Driven by User Heterogeneity , 2010 .

[6]  Shamkant B. Navathe,et al.  Managing vulnerabilities of information systems to security incidents , 2003, ICEC '03.

[7]  Levente Buttyán,et al.  A Survey of Interdependent Information Security Games , 2014, ACM Comput. Surv.

[8]  Fabio Martinelli,et al.  Towards Modelling Adaptive Attacker's Behaviour , 2012, FPS.

[9]  Radu Sion Financial Cryptography and Data Security, 14th International Conference, FC 2010, Tenerife, Canary Islands, Spain, January 25-28, 2010, Revised Selected Papers , 2010, Financial Cryptography.

[10]  Leana Golubchik,et al.  Pricing and Investments in Internet Security: A Cyber-Insurance Perspective , 2011, ArXiv.

[11]  Tridib Bandyopadhyay,et al.  Towards a Managerial Decision Framework for Utilization of Cyber Insurance Instruments in IT security , 2011, AMCIS.

[12]  Jean C. Walrand,et al.  Why cyber-insurance contracts fail to reflect cyber-risks , 2013, 2013 51st Annual Allerton Conference on Communication, Control, and Computing (Allerton).

[13]  Dusit Niyato,et al.  A Joint Optimization Approach to Security-as-a-Service Allocation and Cyber Insurance Management , 2015, 2015 IEEE Trustcom/BigDataSE/ISPA.

[14]  Rainer Böhme,et al.  Security Games with Market Insurance , 2011, GameSec.

[15]  Arunabha Mukhopadhyay,et al.  Quantifying e-risk for Cyber-insurance Using Logit and Probit Models , 2013 .

[16]  Perry Luzwick,et al.  If Most Of Your Revenue Is From E-Commerce, Then Cyber-Insurance Makes Sense , 2001 .

[17]  Billie Ann Brotman,et al.  Principles of Insurance , 1973 .

[18]  Muninder P. Kailay,et al.  An application of qualitative risk analysis to computer security for the commercial sector , 1992, [1992] Proceedings Eighth Annual Computer Security Application Conference.

[19]  Cynthia A. Phillips,et al.  A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[20]  J. Harold Pardue,et al.  Threats to Healthcare Data: A Threat Tree for Risk Assessment , 2011 .

[21]  Stefano Bistarelli,et al.  Strategic Games on Defense Trees , 2006, Formal Aspects in Security and Trust.

[22]  Woohyun Shim,et al.  An Analysis of Information Security Management Strategies in the Presence of Interdependent Security Risk , 2011 .

[23]  Fabio Martinelli,et al.  Formal Analysis of Security Metrics and Risk , 2011, WISTP.

[24]  John C. S. Lui,et al.  Security adoption and influence of cyber-insurance markets in heterogeneous networks , 2014, Perform. Evaluation.

[25]  Annette Hofmann,et al.  Internalizing externalities of loss prevention through insurance monopoly: an analysis of interdependent risks , 2007 .

[26]  Tridib Bandyopadhyay,et al.  A Model to Analyze the Unfulfilled Promise of Cyber Insurance: The Impact of Secondary Loss , 2008 .

[27]  Alvaro A. Cárdenas,et al.  Nudge: Intermediaries' Role in Interdependent Network Security , 2010, TRUST.

[28]  Bruce Schneier,et al.  Modeling Security Threats , 1999 .

[29]  Amy R. Willis Business Insurance: First-Party Commercial Property Insurance and the Physical Damage Requirement in a Computer-Dominated World , 2010 .

[31]  Keith Kirkpatrick Cyber policies on the rise , 2015, Commun. ACM.

[32]  Ketil Stølen,et al.  The CORAS Framework for a Model-Based Risk Management Process , 2002, SAFECOMP.

[33]  Japanese Standards Association.  Information technology - Security techniques - Information security management systems - Requirements: ISO/IEC 27001 , 2005 .

[34]  Marc Lelarge,et al.  Network externalities and the deployment of security features and protocols in the internet , 2008, SIGMETRICS '08.

[35]  Aron Laszka,et al.  Should Cyber-Insurance Providers Invest in Software Security? , 2015, ESORICS.

[36]  William Yurcik,et al.  The Evolution of Cyberinsurance , 2006, ArXiv.

[37]  Konstantinos Psounis,et al.  On a way to improve cyber-insurer profits when a security vendor becomes the cyber-insurer , 2013, 2013 IFIP Networking Conference.

[38]  Matthew Crane,et al.  International Liability in Cyberspace , 2001 .

[39]  Rainer Böhme,et al.  Security Metrics and Security Investment Models , 2010, IWSEC.

[40]  Pan Hui,et al.  CyberInsurance for cybersecurity: a topological take on modulating insurance premiums , 2012, PERV.

[41]  Rodolphe Ortalo,et al.  Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security , 1999, IEEE Trans. Software Eng.

[42]  Fred B. Schneider  Enforceable security policies , 2000, ACM Trans. Inf. Syst. Secur.

[43]  Lawrence A. Gordon,et al.  A framework for using insurance for cyber-risk management , 2003, Commun. ACM.

[44]  Aron Laszka,et al.  Estimating Systematic Risk in Real-World Networks , 2014, Financial Cryptography.

[45]  Ross J. Anderson,et al.  Incentives and Information Security , 2007, Algorithmic Game Theory (chapter 25).

[46]  Kouichi Sakurai,et al.  A Study of Security Management with Cyber Insurance , 2016, IMCOM.

[47]  I. Hogganvik,et al.  Model-based security analysis in seven steps — a guided tour to the CORAS method , 2007 .

[48]  S. Shankar Sastry,et al.  Cyber-insurance framework for large scale interdependent networks , 2014, HiCoNS.

[49]  Carla Barracchini,et al.  Cyber Risk and Insurance Coverage: An Actuarial Multistate Approach , 2014 .

[50]  Marc Lelarge,et al.  Economic Incentives to Increase Security in the Internet: The Case for Insurance , 2009, IEEE INFOCOM 2009.

[51]  Costas Lambrinoudakis,et al.  A formal model for pricing information systems insurance contracts , 2005, Comput. Stand. Interfaces.

[52]  Scott J. Shackelford Should Your Firm Invest in Cyber Risk Insurance , 2012 .

[53]  Konstantinos Psounis,et al.  Aegis: A Novel Cyber-Insurance Model , 2011, GameSec.

[54]  James Stevens,et al.  Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process , 2007 .

[55]  Walter S. Baer,et al.  Rewarding IT Security in the Marketplace , 2003 .

[56]  Rainer Böhme,et al.  Cyber-Insurance Revisited , 2005, WEIS.

[57]  Gary McGraw,et al.  Risk Analysis in Software Design , 2004, IEEE Secur. Priv..

[58]  Martin Eling,et al.  Insurability of Cyber Risk: An Empirical Analysis , 2014, The Geneva Papers on Risk and Insurance - Issues and Practice.

[59]  Nicolas Christin,et al.  Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information , 2010, ESORICS.

[60]  Fabio Martinelli,et al.  Formal Analysis of Security Metrics with Defensive Actions , 2013, 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing.

[61]  J. Bolot Cyber Insurance as an Incentive for Internet Security , 2008 .

[62]  Chia-Chien Hsu,et al.  The Delphi Technique: Making Sense of Consensus , 2007 .

[63]  John von Neumann and Oskar Morgenstern  Theory of Games and Economic Behavior , 1944 .

[64]  Tyler Moore,et al.  The economics of cybersecurity: Principles and policy options , 2010, Int. J. Crit. Infrastructure Prot..

[65]  Jean C. Walrand,et al.  Can Competitive Insurers Improve Network Security? , 2010, TRUST.

[66]  Alison Hedrick Cyberinsurance: a risk management tool? , 2007, InfoSecCD '07.

[67]  Inger Anne Tøndel,et al.  Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research , 2015 .

[68]  Benjamin Johnson,et al.  Uncertainty in the weakest-link security game , 2009, 2009 International Conference on Game Theory for Networks.

[69]  Srinivasan Raghunathan,et al.  Cyber Insurance and IT Security Investment: Impact of Interdependence Risk , 2005, WEIS.

[70]  Quanyan Zhu,et al.  Attack-Aware Cyber Insurance for Risk Sharing in Computer Networks , 2015, GameSec.

[71]  Ketil Stølen,et al.  Model-Driven Risk Analysis - The CORAS Approach , 2010 .

[72]  Barbara Filkins Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance , 2018 .

[73]  J. Kesan,et al.  The Economic Case for Cyberinsurance , 2004 .

[74]  Tridib Bandyopadhyay,et al.  Why IT managers don't go for cyber-insurance products , 2009, Commun. ACM.

[75]  Fabio Martinelli,et al.  Formal approach to security metrics: what does "more secure" mean for you? , 2010, ECSA '10.

[76]  Lawrence A. Gordon,et al.  Managing Cybersecurity Resources: A Cost-Benefit Analysis , 2005 .

[77]  Nicolas Christin,et al.  Security and insurance management in networks with heterogeneous agents , 2008, EC '08.

[78]  Nicolas Christin,et al.  Secure or insure?: a game-theoretic analysis of information security games , 2008, WWW.

[79]  Andrew B. Whinston,et al.  Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling , 2009, ICIS.

[80]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[81]  Ranjan Pal,et al.  Cyber-Insurance in Internet Security: A Dig into the Information Asymmetry Problem , 2012, ArXiv.

[82]  Pan Hui,et al.  The Impact of Secure OSs on Internet Security: What Cyber-Insurers Need to Know , 2012, ArXiv.

[83]  Bjørn Axel Gran,et al.  An Approach for Model-Based Risk Assessment , 2004, SAFECOMP.

[84]  Fabio Martinelli,et al.  Security by Insurance for Services , 2016, 2016 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C).

[85]  Costas Lambrinoudakis,et al.  Modeling Privacy Insurance Contracts and Their Utilization in Risk Management for ICT Firms , 2008, ESORICS.

[86]  Ross J. Anderson,et al.  The Economics of Information Security: A Survey and Open Questions , 2006 .

[87]  Konstantinos Psounis,et al.  Realizing Efficient Cyber-Insurance Markets Via Price Discriminating Security Products , 2015 .

[88]  Marc Lelarge,et al.  Cyber Insurance as an Incentive for Internet Security , 2009, Managing Information Risk and the Economics of Security.

[89]  Aron Laszka,et al.  How many down?: toward understanding systematic risk in networks , 2014, AsiaCCS.

[90]  Ulas C. Kozat,et al.  Using insurance to increase internet security , 2008, NetEcon '08.

[91]  Konstantinos Psounis,et al.  Will cyber-insurance improve network security? A market analysis , 2014, IEEE INFOCOM 2014 - IEEE Conference on Computer Communications.

[92]  W. Rudin Real and complex analysis , 1968 .

[93]  Shawn A. Butler Security attribute evaluation method: a cost-benefit approach , 2002, ICSE '02.

[94]  Martin Eling,et al.  Insurability of Cyber Risk , 2014 .

[95]  Anand Shah,et al.  Valuing data security and privacy using cyber insurance , 2015, CSOC.

[96]  S. Shavell On Moral Hazard and Insurance , 1979 .

[97]  Debra Herrmann,et al.  Complete Guide to Security and Privacy Metrics , 2007 .

[98]  Emmett J. Vaughan Fundamentals of Risk and Insurance , 1982 .

[99]  Jean C. Walrand,et al.  Competitive Cyber-Insurance and Internet Security , 2009, WEIS.

[100]  Dan Geer,et al.  Risk Management Is Still Where the Money Is , 2003, Computer.

[101]  Nicolas Christin,et al.  The Price of Uncertainty in Security Games , 2009, WEIS.

[102]  C. Toregas,et al.  Insurance for Cyber Attacks: The Issue of Setting Premiums in Context , 2014 .

[103]  Jeannette M. Wing,et al.  Tools for Generating and Analyzing Attack Graphs , 2003, FMCO.

[104]  Rainer Böhme,et al.  Modeling Cyber-Insurance: Towards a Unifying Framework , 2010, WEIS.

[105]  Rossouw von Solms,et al.  From information security to cyber security , 2013, Comput. Secur..

[106]  Tridib Bandyopadhyay  Organizational Adoption of Cyber Insurance Instruments in IT Security Risk Management: A Modeling Approach , 2012 .

[107]  Pan Hui,et al.  On differentiating cyber-insurance contracts: a topological perspective , 2013, 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013).

[108]  Ibrahim Sogukpinar,et al.  ISRAM: information security risk analysis method , 2005, Comput. Secur..

[109]  Yannis C. Stamatiou,et al.  Model-based risk assessment – the CORAS approach , 2002 .

[110]  Ranjan Pal,et al.  Cyber-Insurance for Cyber-Security: A Solution to the Information Asymmetry Problem , 2012 .

[112]  Aron Laszka,et al.  The Complexity of Estimating Systematic Risk in Networks , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[113]  Samir Chatterjee,et al.  Cyber-risk decision models: To insure IT or not? , 2013, Decis. Support Syst..

[114]  Thomas Mikosch,et al.  Non-Life Insurance Mathematics , 2004 .

[115]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[116]  Marc Lelarge,et al.  A New Perspective on Internet Security using Insurance , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[117]  Inger Anne Tøndel,et al.  Mitigating Risk with Cyberinsurance , 2015, IEEE Security & Privacy.

[118]  Daoud Ait Kadi,et al.  A State-of-the-Art Review of FMEA/FMECA , 1994 .

[119]  Vicenç Torra,et al.  Data privacy , 2014, Advanced Research in Data Privacy.

[120]  Sjouke Mauw,et al.  Foundations of Attack Trees , 2005, ICISC.

[121]  Leana Golubchik,et al.  On the economics of information security: the problem of designing optimal cyber-insurance contracts , 2010, PERV.

[122]  Mingyan Liu,et al.  Voluntary Participation in Cyber-insurance Markets , 2014 .

[123]  Rainer Böhme,et al.  Models and Measures for Correlation in Cyber-Insurance , 2006, WEIS.

[124]  Debra Herrmann,et al.  Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI , 2007 .

[125]  Nicolas Christin,et al.  Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents , 2011, GAMENETS.

[126]  Sushil Jajodia,et al.  Managing attack graph complexity through visual hierarchical aggregation , 2004, VizSEC/DMSEC '04.

[127]  Costas Lambrinoudakis,et al.  A probabilistic model for optimal insurance contracts against security risks and privacy violation in IT outsourcing environments , 2007, International Journal of Information Security.

[128]  I. Ehrlich,et al.  Market Insurance, Self-Insurance, and Self-Protection , 1972, Journal of Political Economy.

[129]  Steve Mansfield-Devine Security guarantees: building credibility for security vendors , 2016, Netw. Secur..

[130]  Kristian Beckers,et al.  Analysis of Social Engineering Threats with Attack Graphs , 2014, DPM/SETOP/QASA.

[131]  Andrew Jaquith Security Metrics: Replacing Fear, Uncertainty, and Doubt , 2007 .

[132]  Edwin S. Mills The Benefit and Cost Analysis of Torturing Prisoners , 2014 .