Security Risk Models for Cyber Insurance

David Ríos Insua is AXA-ICMAT Chair in Adversarial Risk Analysis and a Member of the Spanish Royal Academy of Sciences.

Caroline Baylon is Security Research and Innovation Lead at AXA and a Research Affiliate at the Centre for the Study of Existential Risk, University of Cambridge.

Jose Vila is Scientific Director at DevStat and Associate Professor of Behavioural Economics at the University of Valencia.

Tackling the cybersecurity challenge is a matter of survival for society at large. Cyber attacks are rapidly increasing in sophistication and magnitude-and in their destructive potential. New threats emerge regularly, the last few years having seen a ransomware boom and distributed denial-of-service attacks leveraging the Internet of Things.

For organisations, the use of cybersecurity risk management is essential in order to manage these threats. Yet current frameworks have drawbacks which can lead to the suboptimal allocation of cybersecurity resources. Cyber insurance has been touted as part of the solution - based on the idea that insurers can incentivize companies to improve their cybersecurity by offering premium discounts - but cyber insurance levels remain limited. This is because companies have difficulty determining which cyber insurance products to purchase, and insurance companies struggle to accurately assess cyber risk and thus develop cyber insurance products.

To deal with these challenges, this volume presents new models for cybersecurity risk management, partly based on the use of cyber insurance. It contains:

• A set of mathematical models for cybersecurity risk management, including (i) a model to assist companies in determining their optimal budget allocation between security products and cyber insurance and (ii) a model to assist insurers in designing cyber insurance products.
• The models use adversarial risk analysis to account for the behavior of threat actors (as well as the behavior of companies and insurers).
• To inform these models, we draw on psychological and behavioural economics studies of decision-making by individuals regarding cybersecurity and cyber insurance.
• We also draw on organizational decision-making studies involving cybersecurity and cyber insurance.

Its theoretical and methodological findings will appeal to researchers across a wide range of cybersecurity-related disciplines including risk and decision analysis, analytics, technology management, actuarial sciences, behavioural sciences, and economics. The practical findings will help cybersecurity professionals and insurers enhance cybersecurity and cyber insurance, thus benefiting society as a whole.

Cyber attacks are rapidly increasing in sophistication and magnitude. The last few years having seen a ransomware boom and distributed denial-of-service attacks leveraging the Internet of Things. To deal with these challenges, this volume presents new models for cybersecurity risk management, partly based on the use of cyber insurance.