Relation between cyber insurance and security investments/controls.

Uuganbayar, Ganbayar

26 April 2021

Nowadays, organisations consider cyber security risk as one of the critical risks at organisations. Due to the increase of cyber-related attacks and more advanced technologies, organisations are forced to implement the proper cyber risk management and find the optimality of security expenditure distribution for treating those risks. About twenty years ago, cyber insurance has been introduced as one of the risk treatment methods backing up the security controls. The concept is further benefiting both organisations and the market, where the insurers globally expect 20$ billion in 2025 [1]. On the other hand, cyber insurance has been dealing with several hurdles on the way to maturing. One of the problematic challenges is the relation between cyber insurance and security investments (or controls). Several papers theoretically devoted the analyses on this issue where some highlighted that cyber insurance could be an incentive for security investments while others claim may lead to the fall of investments for self-protection. Since everything lies in a densely interconnected and risk-prone cyber environment, there are various factors on the relation, which effects should be thoroughly investigated. The overall goal of the thesis is to analyse the problems lying in the risk treatment phase and propose an applicable solution to deal with. In particular, we would like to take into account the following factors to address the relation between cyber insurance and security investments. We first analyse different market models to study possible ways to keep both cyber insurance and security investments in both competitive and non-competitive insurance markets. Some studies showed that security investments fall in the non-competitive insurance market. In this regard, we would like to investigate the possibility of raising the security investments by optimising the loading factor, an additional amount of fee for the premium. In practice, organisations do not face a single threat but multiple threats during a certain period. To the best of our knowledge, there is not a study considering multiple threats in the cyber insurance field to analyse how security investments can be varied. Thus, we investigate the multiple threats case in a competitive cyber insurance market and find how security expenditure can be efficiently distributed between the insurance premium and security investments/controls. The analysis allows us to map security controls and cyber insurance cost-effectively. We provide both theoretical and algorithmic solutions to deal with the problem and validate the solutions in both artificial and practical cases. For a practical scenario, we develop a questionnaire-based risk assessment tool to feed our risk treatment solution with necessary empirical data. In both insurance markets, a degree of security interdependence is a unique peculiarity that affects the behaviour of organisations to invest in their self-protection and have cyber insurance. We theoretically analyse the effect of security interdependence in both market models and show whether it affects positively or negatively.

DATA QUALITY CONSEQUENCES OF MANDATORY CYBER DATA SHARING BETWEEN DUOPOLY INSURERS

Reinert, Olof, Wiesinger, Tobias

January 2020

Cyber attacks against companies are becoming more common as technology advances and digitalization is increasing exponentially. All Swedish insurance companies that sell cyber insurance encounter the same problem, there is not enough data to do good actuarial work. In order for the pricing procedure to improve and general knowledge of cyber insurance to increase, it has been proposed that insurance companies should share their data with each other. The goal of the thesis is to do mathematical calculations to explore data quality consequences of such a sharing regime. This thesis is based on some important assumptions and three scenarios. The most important assumptions are that there are two insurance companies forced to share all their data with each other and that they can reduce the uncertainty about their own product by investing in better data quality. In the first scenario, we assume a game between two players where they can choose how much to invest in reducing the uncertainty. In the second scenario, we assume that there is not a game, but the two insurance companies are forced to equal investments and thus have the same knowledge of their products. In the third scenario, we assume that the players are risk averse, that is, they are not willing to take high risk. The results will show how much, if any, the insurance companies should invest in the different scenarios to maximize their profits (if risk neutral) or utility (if risk averse). The results of this thesis show that in the first and second scenario, the optimal profit is reached when the insurance companies do not invest anything. In the third scenario though, the optimal investment is greater than zero, given that the companies are enough risk averse.

Cyber insurance

Information transmission

Game theory

Cournot market

Nash Equilibrium

Cyberförsäkring

Informationsdelning

Spelteori

Cournot-marknad

Nashjämvikt

Engineering and Technology

Teknik och teknologier

Mathematics

Matematik

Cyber insurance as a risk manager

Modica, Claudio

10 1900

No description available.

Assurance

Cybercriminalité

Risque

Police d'assurance

Cyber assurance

Gestion du risque

Théorie Ancrée

Insurance

Cybercrime

Risk

Coverage

Cyber Insurance

Risk Management

Grounded Theory