Some Risk Analysis Problems in Cyber Insurance Economics

Authors

  • David Ríos Insua, Instituto de Ciencias Matemáticas, Consejo Superior de Investigaciones Científicas. Madrid, Spain. E-mail: david.rios@icmat.es
  • Aitor Couce-Vieira, Instituto de Ciencias Matemáticas, Consejo Superior de Investigaciones Científicas. Madrid, Spain. E-mail: aitor.couce@icmat.es
  • Kreshnik Musaraj, AXA Technology Services, La Défense. 92400 Courbevoie, France. E-mail: kreshnik.musaraj@axa.com

DOI:

https://doi.org/10.25115/eea.v36i1.2523

Keywords:

Cyber insurance, Risk analysis, Adversarial risk analysis, Security Economics.

Abstract

Cyber threats affect all kinds of organisations, with frequent and costly impacts worldwide. Cyber insurance products have recently emerged with the potential to lower the impact of cyberspace risks. However, they have yet to mature. In this paper we present several risk analysis models that may facilitate the implementation and adoption of cyber insurance. These models, described in terms of influence diagrams and bi-agent influence diagrams, provide a framework for estimating the economic impact of the cyber risks that insurers and insurees may face, as well as for calculating their optimal risk mitigation and transfer strategies.

Published

2019-06-01