Security Risk Models For Cyber Insurance 1st Edition by David Rios Insua, Caroline Baylon, Jose Vila ISBN 9781000336221 1000336220

Security Risk Models for Cyber Insurance

Edited by
David Rios Insua
Caroline Baylon
Jose Vila
First edition published 2021
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

© 2021 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

The right of David Rios Insua, Caroline Baylon and Jose Vila to be identified as the authors of the editorial material, and of the authors for their individual chapters, has been asserted in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

ISBN: 9780367339494 (hbk)
ISBN: 9780429329487 (ebk)

Typeset in Computer Modern font by KnowledgeWorks Global Ltd.
To Susana, Isa, and Carla. David Rios Insua
To my parents. Caroline Baylon
To Julian, Oriana, Marina, and Rodrigo. Jose Vila
Contents

Foreword ix
Preface xi
Acknowledgements xiii
List of Figures xv
List of Tables xvii
Editors xix
Contributors xxi
Abbreviations xxiii

1 Introduction 1
David Ríos Insua, Nikos Vasileiadis, Aitor Couce Vieira, and Caroline Baylon
1.1 Overview 1
1.2 A schematic view of cybersecurity risk management 4
1.3 The current state of the cyber insurance market 6
1.4 The way forward 9

2 The Cyber Insurance Landscape 11
Katsiaryna Labunets, Wolter Pieters, Michel van Eeten, Dawn Branley-Bell, Lynne Coventry, Pam Briggs, Inés Martínez, and Jhoties Sewnandan
2.1 The cyber insurance ecosystem 11
2.2 The cyber insurance adoption process and its challenges 14
2.3 Effects of policy interventions 22
2.4 Conclusions 26

3 Behavioural Issues in Cybersecurity 27
Jose Vila, Pam Briggs, Dawn Branley-Bell, Yolanda Gomez, and Lynne Coventry
3.1 The cybersecurity challenge for organisations 28
3.2 Individual decision-making within an organisation 29
3.3 Modelling psychological and behavioural economics factors 32
3.4 Psychological models 32
3.5 Behavioural economics models 37
3.6 The benefits of combining psychological and behavioural economics approaches 42
3.7 Conclusions 47

4 Risk Management Models for Cyber Insurance 49
Aitor Couce Vieira, David Ríos Insua, Caroline Baylon, and Sebastain Awondo
4.1 Introduction 50
4.2 Methodology 51
4.3 The CSRM model: Cybersecurity resource allocation, including cyber insurance product selection 53
4.4 Cyber insurance product design 61
4.5 Cyber insurance policy issuance and fraud detection 66
4.6 Cyber reinsurance decisions 72
4.7 Conclusions 75

5 A Case Study in Cybersecurity Resource Allocation and Cyber Insurance 83
Aitor Couce Vieira, David Ríos Insua, Alberto Redondo, and Caroline Baylon
5.1 Introduction 83
5.2 Case description 84
5.3 Model formulation 94
5.4 Model components 95
5.5 Model solution and assessment 117
5.6 Conclusions 120

6 Conclusions 125
Caroline Baylon, Deepak Subramanian, Jose Vila, and David Rios Insua
6.1 Introduction 125
6.2 The key concepts 126
6.3 Novel and innovative contributions to cybersecurity and cyber insurance 128
6.4 Policy implications 132
6.5 Conclusions 135

Bibliography 137

Index 147
Foreword

Cybersecurity has firmly established itself as a major global threat. We regularly hear reports of a company having experienced “the biggest data breach in history,” with each much larger than the last. It is not uncommon for organisations to suffer attacks involving the data of hundreds of millions—or even billions—of customers. We are also seeing a rise in cyber attacks on critical infrastructure, from transportation networks to the power grid, and their related potential for disruption. As a response to this risk, the insurance industry is developing novel cyber insurance products that facilitate risk transfer within a risk management portfolio.

However, the development of cyber insurance products presents a number of challenges. One of them is the rapidly evolving cyber threat landscape, including the growth in the number of attacks and the sophistication of attackers, that makes it difficult to accurately assess cyber risks. Another is the limited amount of historical data, which is traditionally the basis for insurance underwriting. In addition, customers are often unable to fully evaluate the cybersecurity risks they face and lack clarity around cyber insurance options. These issues call for new approaches in this domain.

This publication is the result of an initiative of the AXA-ICMAT Chair in Adversarial Risk Analysis, supported by the AXA Research Fund, and the CYBECO (Supporting Cyber Insurance from a Behavioural Choice Perspective) Project, a European Union-funded project through the Horizons 2020 programme. The project has brought together a diverse team of interdisciplinary European researchers, including cybersecurity practitioners as well as experts from the fields of risk analysis, psychology, behavioural economics, decision analysis, computer science, modelling, and policymaking. The findings underscore the importance of supporting independent academic research projects to find new ways to tackle the cybersecurity challenges that our society faces today.

The result is a volume that examines cyber insurance decision-making processes within organisations, identifies the behavioural issues underlying cybersecurity, and proposes innovative risk analysis models. It provides a timely contribution to the literature on cybersecurity and cyber insurance, offering guidance to companies in their cybersecurity resource allocation decisions and insights for insurers and brokers in their risk mitigation roles, thus contributing to a more resilient and “cybersecure” environment.

Marie Bogataj, Director of the AXA Research Fund, Paris
Arnaud Tanguy, AXA Group Chief Security Officer, Paris
Preface

A defining feature of modern society is its pervasive digitalisation, as exemplified by the information systems that store and process valuable data, much of it confidential. These systems include cyber-physical systems that operate critical infrastructure, the social networks that host so many of our interactions with others, and platforms that enable financial transactions such as online shopping or banking, to name but a few. Against this backdrop, cyber attacks are increasing in frequency, impact, and sophistication and can affect all types of organisations from corporations and governments to SMEs and NGOs, as well as individual citizens. The number of security breaches has increased by 67% in the past five years and cybercrime is estimated to cost the world economy $600 billion annually, or 0.8% of global GDP (Accenture and Ponemon Institute, 2019; McAfee and Center for Strategic and International Studies, 2018). The 2017 NotPetya attack was particularly destructive, causing over $10 billion in damage as it propagated across the corporate networks of a number of major multinational companies.

The use of cybersecurity risk management methods is essential in order to deal with these challenges. These methods enable organisations to assess the threats to their assets, what security measures they should implement to reduce the likelihood of such threats occurring, and to lessen their potential impacts should they occur. Yet, despite their virtues, the current frameworks used for cybersecurity risk management are mainly based on risk matrices, which have well-documented shortcomings that could potentially lead to a sub-optimal allocation of cybersecurity resources. They also do not typically take into account the intentionality of threats. This may be even more of an issue if we take into account the increasing variety of threats, as well as the growing number of security measures to choose from to counter these threats.

In this context, new methods of cybersecurity risk management are emerging, notably involving the use of cyber insurance. Cyber insurance can fulfil a key role by keeping risks manageable for insured companies by transferring the risk to insurers. It also provides companies with incentives to improve their cybersecurity by requiring them to implement certain minimum protections, thereby reducing overall risk. However, the cyber insurance market is still underdeveloped for several reasons. From the demand side, companies may struggle to decide whether or not to buy cyber insurance and which products to buy, in part due to difficulty understanding their cybersecurity risk. This is made more complex by the rapidly changing nature of the risk. From the supply side, this also means that it is difficult for insurance companies to create an overall risk picture for the domain, making it challenging to design and price cyber insurance products.

To this end, this book presents findings from the European Union-funded CYBECO (Supporting Cyber Insurance from a Behavioural Choice Perspective) Project, which has developed new models for risk management in cybersecurity, including a model to assist companies in selecting cyber insurance products and models to aid insurers in underwriting them. More specifically, the models developed consider the behavioural choices of both companies (their risk reduction and risk transfer decisions) and insurers (their risk assessment decisions). They also take into account the behavioural choices of the relevant threat actors (their risk generation decisions). This book facilitates the adoption of these models as well, by providing a case study to illustrate how to implement the cyber insurance product selection model and a link to a prototype “toolbox” based on the model that assesses a company’s cybersecurity risk and provides advice on their optimal allocation of financial resources between cybersecurity and cyber insurance. In this way, this book aims to promote better cybersecurity risk management practices and the greater uptake of cyber insurance, thus helping to reduce overall cybersecurity risk and benefitting society as a whole.

David Rios Insua, Valdoviño
Caroline Baylon, London
Jose Vila, Valencia
Acknowledgements

We would like to express our gratitude to the European Commission for its generous funding of the CYBECO (Supporting Cyber Insurance from a Behavioural Choice Perspective) Project through its Horizons 2020 programme under grant agreement number 740920.

In addition, we would like to thank AXA for its valuable suggestions regarding this book. We are particularly grateful to Marie Bogataj, Head of the AXA Research Fund; Arnaud Tanguy, Group Chief Security Officer; Dr Cecile Wendling, Head of Strategy, Threat Anticipation, and Research; Scott Sayce, Group Head of Financial Lines and Cyber; Thomas Lawson, Information Risk Advisory Director; and Sara Gori, Global Head of Reputation Risk Management, whose comments on drafts of this book were invaluable. Any remaining errors are our own.

Prof. David Rios Insua also appreciates the support of the AXA Research Fund through the AXA-ICMAT Chair in Adversarial Risk Analysis, of the US National Science Foundation through grant number DMS-163851 at SAMSI (The Statistical and Applied Mathematical Sciences Institute), as well as of the Spanish Ministry of Science through project number MTM2017-86875-C3-1-R.

The views set forth in this volume are those of the authors and should not be taken to represent the perspectives of the European Commission, of AXA, or of any other organisations mentioned in the book.

David Rios Insua, Valdoviño
Caroline Baylon, London
Jose Vila, Valencia
List of Figures

1.1 Basic schematic view of the factors involved in CSRM 5
1.2 Detailed schematic view of the factors involved in CSRM 6

2.1 The cyber insurance ecosystem 15
2.2 Burke and Litwin Performance and Change Model (adapted from Burke and Litwin, 1992) 16
2.3 Protection Motivation Theory (PMT) Model (Rogers, 1983 revision) 19
2.4 Cyber Insurance Adoption Model (Martinez Bustamante, 2018) 21
2.5 Simplified ecosystem for the Agent-Based Model (Sewnandan, 2018) 22
2.6 Flow diagram of the Agent-Based Model (Sewnandan, 2018) 24
2.7 Interface of the Agent-Based Model in NetLogo (Sewnandan, 2018) 25

3.1 Theory of Planned Behaviour (Ajzen and Madden, 1986; Ajzen, 1991) 33
3.2 The Extended Parallel Process Model (Witte, 1996) 35
3.3 The Health Belief Model (as interpreted by Dodel and Mench, 2017) 36
3.4 Sample display screen, which presents the recommended cybersecurity strategy options as expected values framed as losses and includes a recommendation message 43
3.5 Sample display screen, which presents the cybersecurity products and cyber insurance options along with the price of each in VC 44
3.6 Sample display screen, which shows the payout for a subject who took out a cyber insurance policy and experienced a cyber attack 45

4.1 TAID of the CSRM problem for an organisation 55
4.2 ID of the CSRM problem for the Defender 57
4.3 ID of the CSRM problem for Attacker 1 58
4.4 BAID for cyber insurance policy issuance 68
4.5 BAID for cyber insurance fraud detection 70
4.6 Influence Diagram for cybersecurity reinsurance 74
4.7 Standard risk management approach to the CSRM problem (without ARA) 78
4.8 ARA approach to the CSRM problem 80

5.1 MAID for Median 94
5.2 Compeet’s probabilities of attacking Median for 0 to 30 days, depending on whether Median has a DDoS mitigation system 106
5.3 Antonymous’s probabilities of attacking Median for 0 to 30 days, depending on whether Median has a DDoS mitigation system 108
5.4 Cybegangsta’s probability of attacking Median, given that Median has implemented the default portfolio 110
5.5 Modern Republic’s probabilities of attacking Median with various attack types, depending on whether Median has a DDoS mitigation system and assuming Median has implemented the default portfolio 113
5.6 Histograms of AA, BA, and PA 122
List of Tables

4.1 Probabilities of various threats occurring depending on the security controls implemented, as well as costs of the security controls and of cyber insurance, in thousands of dollars 79
4.2 Expected costs of attacks, in thousands of dollars 79
4.3 Effectiveness and costs of the cybersecurity portfolios, in thousands of dollars 79
4.4 Random assessments for the Attacker 80
4.5 Probabilities of various threats occurring depending on the security controls implemented 81
4.6 Effectiveness of the cybersecurity portfolios, in thousands of dollars 81

5.1 Key assets for Median 86
5.2 Environmental threats impacting Median 86
5.3 Accidental threats impacting Median 87
5.4 Non-targeted cyber threats impacting Median 87
5.5 Adversaries interested in attacking Median 88
5.6 Targeted threats impacting Median 89
5.7 Types of attacks carried out by each attacker 89
5.8 Threat impacts on assets for each individual threat 90
5.9 Effect of security controls on the likelihood (L) and/or impact (I) of threats, and their costs 91
5.10 Median’s insurance product choices, according to coverage and prices 92
5.11 Objectives for each attacker 93
5.12 Attacker objectives in monetary terms 103
5.13 Attacker objectives in total units 103
5.14 Costs of replacement or repair of IT systems and computer equipment for Median 114
5.15 Cost of loss in market share for Median 114
5.16 Costs of loss of availability for Median 114
5.17 Costs of the exposure or loss of customer and employee data for Median 115
5.18 Costs of the exposure or loss of business information for Median 115
5.19 Impacts on Median in monetary terms 116
5.20 Impacts on Median in total units 117
5.21 Number of potential security control portfolios for each insurance portfolio 118
5.22 Median’s best portfolios when Compeet is the only Attacker 118
5.23 Median’s best portfolios when Antonymous is the only Attacker 119
5.24 Median’s best portfolios when Cybegangsta is the only Attacker (includes non-targeted threats as well) 119
5.25 Median’s best portfolios when Modern Republic is the only Attacker (includes non-targeted threats as well) 119
5.26 Median’s best portfolios when all threats are considered (targeted Attackers and non-targeted threats) 120
Editors

David Ríos Insua is AXA-ICMAT Chair in Adversarial Risk Analysis and a Member of the Spanish Royal Academy of Sciences.

Caroline Baylon is Security Research and Innovation Lead at AXA and a Research Affiliate at the Centre for the Study of Existential Risk, University of Cambridge.

José Vila is Scientific Director at DevStat, Associate Professor at the University of Valencia, and Research Fellow at the Centre for Research on Social and Economic Behaviour (ERI-CES) and Intelligent Data Analysis Laboratory (IDAL).
Contributors

Sebastain Awondo, The University of Alabama, Tuscaloosa, USA
Caroline Baylon, AXA, London, UK
Dawn Branley-Bell, Northumbria University, Newcastle upon Tyne, UK
Pam Briggs, Northumbria University, Newcastle upon Tyne, UK
Aitor Couce Vieira, ICMAT-CSIC, Madrid, Spain
Lynne Coventry, Northumbria University, Newcastle upon Tyne, UK
Michel van Eeten, Delft University of Technology, Delft, Netherlands
Yolanda Gomez, DevStat, Valencia, Spain
Katsiaryna Labunets, Delft University of Technology, Delft, Netherlands
Inés Martínez, Delft University of Technology, Delft, Netherlands
Wolter Pieters, Delft University of Technology, Delft, Netherlands
Alberto Redondo, ICMAT-CSIC, Madrid, Spain
David Ríos Insua, ICMAT-CSIC, Madrid, Spain
Jhoties Sewnandan, Delft University of Technology, Delft, Netherlands
Deepak Subramanian, AXA, Paris, France
Nikos Vasileiadis, TREK, Thessaloniki, Greece
Jose Vila, DevStat and University of Valencia, Valencia, Spain
Abbreviations

ABM Agent-Based Model
ARA Adversarial Risk Analysis
BAID Bi-Agent Influence Diagram
BEE Behavioural Economics Experiment
CSRM Cybersecurity Risk Management
CVaR Conditional Value-at-Risk
DDoS Distributed Denial-of-Service
DNS Domain Name System
EIOPA European Insurance and Occupational Pensions Authority
ENISA European Union Agency for Cybersecurity
EPPM Extended Parallel Process Model
EU European Union
GDP Gross Domestic Product
GDPR General Data Protection Regulation
ID Influence Diagram
IoT Internet of Things
ISF Information Security Forum
IT Information Technology
LDA Loss Distribution Approach
MAID Multi-Agent Influence Diagram
NGO Non-Governmental Organisation
NIS Network and Information Systems
PII Personally Identifiable Information
PMT Protection Motivation Theory
PR Public Relations
SME Small and Medium Enterprise
TAID Tri-Agent Influence Diagram
TPB Theory of Planned Behaviour
VaR Value-at-Risk
1 Introduction

David Ríos Insua, ICMAT
Nikos Vasileiadis, TREK
Aitor Couce Vieira, ICMAT
Caroline Baylon, AXA

CONTENTS
1.1 Overview 1
1.2 A schematic view of cybersecurity risk management 4
1.3 The current state of the cyber insurance market 6
1.4 The way forward 9

This chapter begins by presenting the central thesis of this book: In order to tackle the pressing cybersecurity challenge, companies need to employ a reliable Cybersecurity Risk Management (CSRM) methodology. Yet current CSRM approaches have significant shortcomings that can lead to the incorrect prioritisation of cyber risks and of resources. The inclusion of cyber insurance could significantly improve CSRM methods, but the cyber insurance market is currently underdeveloped due to both demand and supply side challenges. To overcome this, this book proposes new models for risk management in cybersecurity, including a main CSRM model for companies and a series of auxiliary models for insurers. The following sections in this chapter introduce fundamental concepts that later parts of the book will build upon, first providing a schematic view of the factors involved in CSRM and then describing the key facets of the cyber insurance market at present.

1.1 Overview

1.1.1 The cyber threat landscape

The threat actors

Cybersecurity is a major global concern, with attacks becoming increasingly ubiquitous, growing in both frequency and size (WEF, 2020). There is a diversity of threat actors, whose numbers are steadily rising as well. These include hacktivists, who are closely linked with political or social movements and could involve anyone from hackers taking action to defend free speech to those closely aligned with terrorist organisations. Insiders are another important cyber threat and, indeed, the biggest source of incidents (Cardenas et al., 2009). However, they may be the easiest to handle through a sound cybersecurity program. Cybercriminals are increasing in capability. Many cybercriminal groups have become mature professional organisations, with some employing dozens of hackers and possessing extensive financial resources (Cardenas et al., 2008). Well-functioning markets on the “dark web” provide skilled individuals with incentives to steal data or develop new automated attack tools (Herley and Florêncio, 2010). The ability to purchase such tools has also made it easier for those without advanced technical skills to engage in cybercrime. Perhaps the most formidable threats at present are nation states. Although partially constrained by the possible military, economic, and political repercussions of launching cyber attacks, state actors are increasingly developing offensive programs and stockpiling cyberweapons, which could be released either accidentally or intentionally. This is a particular concern given the increased tensions between global powers at present.

A rise in the number and impact of attacks


As companies, governments, and individuals become ever more connected to the internet,
the attack surface is growing and along with it the number and impact of attacks as well.
High-profile corporate data breaches in recent years include the 2017 breach of Equifax,
in which the data of over 140 million customers—including social security and credit card
numbers—was stolen. The Yahoo data breach, first reported in 2016 but dating back to
2013, saw the theft of passwords as well as personal data associated with all 3 billion of
its user accounts. The 2015 breach of Anthem resulted in the theft of 78.8 million client
records containing Personally Identifiable Information (PII). In the 2013 Target data breach,
hackers were able to access the Target network through an attack on one of its third party
suppliers, an air conditioning company; they made off with the credit card information of
70 million customers and also caused Target major reputational damage (Manworren et al.,
2016).
Among a spate of major ransomware attacks, the 2017 WannaCry attack took down the
UK National Health Service, Telefonica, and FedEx, as well as others, causing significant
disruption and entailing losses estimated to have reached $4 billion (Berr, 2016). Its use of
a leaked US National Security Agency exploit made it particularly damaging. Governments
have also been hard hit, with a 2018 ransomware attack on the City of Atlanta impacting
city services, from utilities to parking, that took months to recover from. Similarly, a 2016
ransomware attack on San Francisco public transit disrupted payment services for the city’s
light rail system.
The 2017 NotPetya attack affected thousands of companies including Maersk, DHL,
and Saint-Gobain and caused an estimated $10 billion in damages (Greenberg, 2018). Al-
though purporting to be ransomware, many experts believe that NotPetya was in fact a
cyberweapon created by Russia and targeted at Ukraine that inadvertently hit a number of
unrelated targets. Other high-profile attacks attributed to state actors include the 2015 at-
tack on the Ukrainian power grid that left some 230,000 people without power for up to six
hours, an attack that Russia is also thought to have instigated. The first known successful
attack on a power grid, it illustrates the rise of attacks on cyber-physical systems with real
world consequences. An early example was the 2010 Stuxnet attack on an Iranian nuclear
facility that damaged one fifth of its nuclear centrifuges, which is widely believed to have
been carried out by the US and Israel (Brenner, 2013).
Additionally, distributed denial-of-service (DDoS) attacks are growing more destructive,
in large part due to the exponential growth of the Internet of Things (IoT); many IoT

devices are rolled out quickly, cheaply, with little thought as to cybersecurity, and therefore
can be readily co-opted into botnets. The 2016 Mirai botnet, composed of a host of internet-
connected devices from cameras to baby monitors, took down major internet sites including
Twitter, Netflix, CNN, and The New York Times by launching an attack on Dyn, which
controls much of the internet domain name system.
Finally, new types of attacks are regularly emerging. For example, the rise in value
of cryptocurrencies has brought about a growth in cryptojacking attacks that take over
computers to secretly mine bitcoin. And as progress is made in AI, cybercriminals are
increasingly employing AI-enabled attacks as well.

1.1.2 Cybersecurity risk management


To deal with these challenges, the use of a sound Cybersecurity Risk Management (CSRM)
methodology is essential. CSRM techniques rely heavily on risk analysis (Bedford and
Cooke, 2001), enabling organisations to assess the risks to their assets as well as what
safeguards should be implemented to reduce the likelihood of various threats occurring and
their impact if they do. Numerous frameworks have been developed to support cybersecur-
ity risk management, including the international standard ISO 27005 (ISO, 2011), CRAMM
in the UK (Central Communication and Telecommunication Agency, 2003), MAGERIT in
Spain (Amutio et al., 2012), EBIOS in France (ANSSI, 2010), the NIST Risk Management
Framework and others in the US (NIST, 2018; NIST, 2012), and CORAS by an EU-funded
project (Lund et al., 2011). Similarly, a number of compliance and control assessment frame-
works like ISO 27001 (ISO, 2013), Common Criteria (Common Criteria, 2017), and the
Cloud Controls Matrix (Cloud Security Alliance, 2019) offer guidance on the implementa-
tion of cybersecurity best practices. The above methodologies and frameworks provide an
extensive catalogue of threats, assets, and controls, as well as detailed guidelines for the
implementation of countermeasures to protect digital assets. However, much remains to be
done regarding risk analysis from a methodological point of view.

Challenges with current risk management approaches in cybersecurity


A detailed study of the main approaches to CSRM reveals that they often rely on risk
matrices, which have well-documented shortcomings (Cox, 2008; Thomas et al., 2013).
Compared with more stringent methods, the ordinal ratings for likelihood, severity, and
risk used in risk matrices are prone to ambiguity and subjective interpretation. They also
systematically assign the same rating to threats that are significantly different qualitatively.
This can potentially lead to a sub-optimal allocation of cybersecurity resources. Hubbard
and Seiersen (2016) and Allodi and Massacci (2017) provide additional critical perspectives
on the use of risk matrices in cybersecurity. The problem may be even more significant if
we take into account the increasing variety of cybersecurity threats, as well as the growing
complexity of the security controls used in cybersecurity risk management.
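The risk-matrix shortcoming described above, shown on constructed figures as an added example (not from the book or the cited papers): with assumed 5×5 likelihood and impact bins, two threats whose expected losses differ more than twenty-fold receive the same ordinal rating, and a threat with lower expected loss is rated above one with higher expected loss. The bin boundaries, threat names and figures are all assumptions of the example.

```python
"""Added example (not from the book): how an ordinal likelihood-by-impact risk matrix
compresses, and can reverse, the ranking of threats compared with expected loss."""
from dataclasses import dataclass

# Assumed 5x5 matrix bins (not from the book): annual probability and loss in euros.
LIKELIHOOD_BINS = [(0.0, 0.01), (0.01, 0.05), (0.05, 0.2), (0.2, 0.5), (0.5, 1.01)]
IMPACT_BINS = [(0, 10_000), (10_000, 100_000), (100_000, 1_000_000),
               (1_000_000, 10_000_000), (10_000_000, float("inf"))]


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # estimated chance the threat is realised in a year
    loss_if_realised: float    # estimated loss when it is


def bin_index(value, bins):
    """1-based ordinal rating of `value`: the first bin [lo, hi) that contains it."""
    for rating, (lo, hi) in enumerate(bins, start=1):
        if lo <= value < hi:
            return rating
    raise ValueError(f"{value} falls outside all bins")


def matrix_rating(t):
    """Ordinal matrix score: likelihood rating times impact rating (1..25)."""
    return (bin_index(t.annual_probability, LIKELIHOOD_BINS)
            * bin_index(t.loss_if_realised, IMPACT_BINS))


def expected_loss(t):
    """Quantitative comparison value: annual probability times loss."""
    return t.annual_probability * t.loss_if_realised


def rank(threats, key):
    """Threat names ordered from highest to lowest `key` (ties keep register order)."""
    return [t.name for t in sorted(threats, key=key, reverse=True)]


def rating_collisions(threats):
    """Ratings shared by more than one threat, mapped to the threats that share them."""
    groups = {}
    for t in threats:
        groups.setdefault(matrix_rating(t), []).append(t.name)
    return {r: names for r, names in groups.items() if len(names) > 1}


def rank_reversals(threats):
    """Pairs (a, b) where the matrix rates a above b although a's expected loss is lower."""
    return [(a.name, b.name) for a in threats for b in threats
            if matrix_rating(a) > matrix_rating(b)
            and expected_loss(a) < expected_loss(b)]


# Constructed threat register for a small online retailer (illustrative figures only).
THREATS = [
    Threat("commodity phishing", 0.45, 30_000),
    Threat("targeted ransomware", 0.06, 9_000_000),
    Threat("insider data theft", 0.19, 950_000),
    Threat("DDoS on web shop", 0.21, 120_000),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:22s} matrix={matrix_rating(t):2d} "
              f"expected_loss={expected_loss(t):>12,.0f}")
    print("matrix order:       ", rank(THREATS, matrix_rating))
    print("expected-loss order:", rank(THREATS, expected_loss))
    print("same rating:        ", rating_collisions(THREATS))
    print("reversals (a above b by matrix, below b by loss):", rank_reversals(THREATS))
```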
Moreover, these methodologies typically do not explicitly take into account the inten-
tionality of certain threats, with a few exceptions like the UK’s IS1 (National Technical
Authority for Information Assurance, 2012). Yet the vast majority of security companies
and industry bodies emphasise the importance of defending against adversarial threats, not
just accidental or environmental ones (ISF, 2017). As a consequence, current CSRM ap-
proaches may lead companies to incorrectly prioritise cyber risks and the measures they
should implement to defend against them.

Cyber insurance as part of an alternative CSRM methodology and obstacles to overcome
In this context, a complementary way of dealing with cyber risks through risk transfer is
emerging. This involves the use of cyber insurance products, which have been introduced
in recent years by companies like AXA, Generali, or Allianz. Cyber insurance can fulfil
a key role in the economics of cybersecurity in several ways. First, by keeping cyber risks
manageable for insured companies by transferring the risk to the insurance provider. Second,
by providing incentives to improve cybersecurity, requiring companies to implement certain
minimum protections, thereby reducing overall risk.
Unfortunately, cyber insurance is still underdeveloped for a variety of reasons. On the
demand side, companies often struggle to decide whether or not to buy insurance, and which
products to buy. On the supply side, it is difficult for insurance companies to assess the
overall risk when it comes to cybersecurity and thus to design their product offerings, partly
because of a lack of data. This is discussed further in Section 1.3.

1.1.3 The approach of this book


The growing cyber threat landscape, coupled with the shortcomings of current CSRM frame-
works and the unrealised potential of cyber insurance for risk management, underscores the
need for new cybersecurity risk management approaches. This book presents findings from
the European Union-funded CYBECO (Supporting Cyber Insurance from a Behavioural
Choice Perspective) Project, which has developed new models for risk management in cy-
bersecurity. This includes both a model for companies and a series of models for insurers,
in order to help further develop both the demand and supply sides of the cyber insurance
market. More specifically, the model aimed at companies assists them in determining their
optimal cybersecurity resource allocation (including selecting a cyber insurance product)
and the models destined for insurers aid them with the design of cyber insurance products
(including setting premiums) as well as with estimating risks (such as determining whether
or not to issue a policy).
These models take a number of behavioural elements into account. They model the
behavioural choices of various cyber threat actors in terms of their decisions as to whether
or not to attack a company, thus progressing beyond the current CSRM frameworks that
do not properly account for adversarial threats. They also consider the behavioural choices
of companies and insurers, looking at companies’ cybersecurity resource allocation and risk
transfer decisions and insurers’ risk assessment decisions. These models are presented in
detail in Chapter 4.
In the next two sections, we provide background information on the key components of
the cybersecurity risk management problem and on the current state of the cyber insurance
market. This provides important context for the concepts presented in the rest of this book.

1.2 A schematic view of cybersecurity risk management


To provide the necessary foundation for many of the topics discussed in the rest of this book,
this section gives an overview of the factors involved in CSRM. We present a basic schematic
view in Figure 1.1. An organisation faces potential cyber threats that can have significant
impacts upon it. It chooses what we call a “cybersecurity portfolio,” which consists of a

combination of security products (security controls and recovery controls) and insurance
products, that enables it to manage its cybersecurity risk as best as possible.

Figure 1.1: Basic schematic view of the factors involved in CSRM

Figure 1.2 elaborates upon the four elements in the basic schematic view. The organ-
isation is described in terms of its profile and assets, together with what we shall call other
organisational features.
With respect to threats, we use the Information Security Forum (ISF) classification of
targeted cyber threats (in which the threat actors, or attackers, specifically aim their attacks
at the organisation) and unintentional threats. The latter include non-targeted cyber threats
(cyber attacks that are not directly targeted at an organisation, e.g. that are random or
opportunistic), accidental threats (cyber incidents caused without malicious intent, e.g. due
to human error or system failure), and environmental threats (natural disasters that are
outside the control of the organisation, e.g. floods or earthquakes).
The impacts of an attack include insurable impacts, which can be partly covered by
insurance products, and non-insurable ones, which are not covered by insurance.
The cybersecurity portfolio includes security controls, which are put in place by the
organisation and consist of measures to prevent, protect against, and counter cyber attacks,
including threat detection and response. This helps reduce the likelihood of threats occurring
and mitigates their impact if they do. As in the ISF classification, we can further divide the
security controls according to procedural controls (practices and procedures that enhance
security), technical controls (technology solutions, e.g. software or hardware), and physical
controls (physical measures, e.g. guards, gates, and security cameras).
In addition to security controls, the cybersecurity portfolio also includes recovery con-
trols, typically implemented to respond to and recover from cyber attacks, reducing their
impact. It also encompasses insurance contracts serving to transfer the risk, helping re-
duce the financial consequences of an attack. The above instruments will typically have
to satisfy certain constraints when it comes to available cybersecurity budgets, compliance
requirements, and so on.1
Each element in these boxes may involve a large number of components, which are
detailed in cyber risk management catalogues. For example, the ISF’s catalogue lists the
the following tools to implement technical security controls:
• firewalls and internet gateways,
• secure configurations,
• access control systems,
• malware protection systems,
• backup systems,
• intrusion detection systems,
• wireless access control systems,
• mobile device control systems,
• cryptographic solutions,
• DDoS protection systems, and
• other technical controls, which includes new controls that might be developed.

Figure 1.2: Detailed schematic view of the factors involved in CSRM

1 The business and investment concept of accepting risk, which occurs when a company believes that the potential loss from a risk is not significant enough to justify spending money to prevent it, is outside the scope of the schematic views.

Note that the first four security controls are also part of the UK’s Cyber Essentials.
Moreover, for each of these security controls there could be a large number of potential
providers, each with their own specifications.
Clearly, the many CSRM factors discussed above—the diversity of threats, the range of
potential impacts, and the large number of products to choose from for the protection of
cyber assets, from a plethora of security controls to relatively new products such as cyber
insurance—illustrate the complexity of the CSRM challenges that must be overcome.

1.3 The current state of the cyber insurance market


This section provides an overview of the various facets of the cyber insurance market, setting
forth basic concepts that later chapters build upon.

1.3.1 Decision-making within an organisation regarding the purchase of cyber insurance
When deciding upon its cybersecurity resource allocation and selecting a cyber insurance
product, an organisation typically performs the following steps: It begins by considering
its compliance requirements. Then it analyses its value-chain and classifies its assets. Next,
the organisation assesses the existing security controls it has in place to protect its assets.
This is followed by an impact analysis of the effect of a cyber attack on its assets. If the
organisation determines that a cyber attack could have a critical impact on operations, it
will likely choose security controls and a cyber insurance product offering high levels of
cybersecurity protection and financial coverage.
If it does not deem that the impact of an attack would be significant, the organisation
will carry out a business continuity resilience evaluation to ensure that it can minimise the
damage caused in the event of a cyber attack. The organisation will also carry out a finan-
cial impact quantification and cyber insurance price comparison, which involves simulating
the financial cost of a cyber attack in certain high-risk scenarios and then, for each cyber
insurance product, calculating the ratio of the financial coverage provided by the product
to the cost of its premium. If the ratio is greater than 1 (i.e. if the benefit of the cyber
insurance product’s financial coverage exceeds the cost of the premium), then the
organisation will likely choose that cyber insurance product.
If not, given that:
1. the cost of the cyber insurance product would exceed the benefit of the cyber
insurance product’s financial coverage,
2. the organisation would not suffer a disastrous interruption from such an attack,
and
3. the organisation is not subject to relevant regulatory or legal obligations,
then the organisation is unlikely to select the proposed cyber insurance product.
This cyber insurance decision-making process may be particularly difficult for SMEs, as
they tend to have less cybersecurity knowledge and fewer resources to invest compared to
larger companies.
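The purchase decision just described, written out as an added example that is not the book's or the CYBECO project's own code. It assumes that each high-risk scenario carries an annual probability so that the coverage benefit can be expressed as an expected payout, that each product has a per-incident coverage cap, and that the case where the ratio is at most 1 but a continuity or legal driver exists is flagged for manual review; none of these details comes from the text.

```python
"""Added example (not from the book): the cyber insurance purchase decision of
Section 1.3.1 as a small decision procedure over constructed scenarios and products."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """A high-risk attack scenario with its simulated financial cost (constructed)."""
    name: str
    annual_probability: float  # assumption: the text gives no probabilities
    loss: float                # simulated financial cost of the attack


@dataclass(frozen=True)
class Product:
    """A cyber insurance product: its premium and the financial coverage it provides."""
    name: str
    premium: float
    coverage_limit: float      # assumed per-incident payout cap


@dataclass(frozen=True)
class Organisation:
    critical_impact: bool          # impact analysis: an attack would critically hit operations
    disastrous_interruption: bool  # business continuity evaluation found a disastrous interruption
    regulatory_obligation: bool    # subject to relevant regulatory or legal obligations


@dataclass(frozen=True)
class Decision:
    product: Optional[str]  # chosen product, or None when no product is selected
    reason: str


def expected_coverage(product, scenarios):
    """Probability-weighted payout the product would provide across the scenarios."""
    return sum(s.annual_probability * min(s.loss, product.coverage_limit) for s in scenarios)


def coverage_ratio(product, scenarios):
    """Benefit of the financial coverage relative to the premium; > 1 favours buying."""
    return expected_coverage(product, scenarios) / product.premium


def decide(org, products, scenarios):
    """Apply the decision steps of Section 1.3.1 to one organisation."""
    if org.critical_impact:
        best = max(products, key=lambda p: p.coverage_limit)
        return Decision(best.name, "critical impact: product with the highest coverage")
    ratios = {p.name: coverage_ratio(p, scenarios) for p in products}
    worthwhile = [p for p in products if ratios[p.name] > 1]
    if worthwhile:
        best = max(worthwhile, key=lambda p: ratios[p.name])
        return Decision(best.name, f"coverage ratio {ratios[best.name]:.2f} > 1")
    if not org.disastrous_interruption and not org.regulatory_obligation:
        return Decision(None, "premium exceeds coverage benefit; no continuity or legal driver")
    # Assumption: the text does not say what happens when the ratio is <= 1 but a
    # continuity or legal driver exists, so that case is sent to manual review.
    return Decision(None, "ratio <= 1 but continuity or legal driver present: manual review")


# Constructed scenarios and products (illustrative figures in euros only).
SCENARIOS = [
    Scenario("ransomware outbreak", 0.10, 800_000),
    Scenario("customer data breach", 0.05, 350_000),
    Scenario("DDoS on web shop", 0.30, 60_000),
]
PRODUCTS = [
    Product("Basic", premium=20_000, coverage_limit=250_000),
    Product("Premium", premium=90_000, coverage_limit=2_000_000),
    Product("Overpriced", premium=150_000, coverage_limit=1_000_000),
]

if __name__ == "__main__":
    for p in PRODUCTS:
        print(f"{p.name:10s} ratio={coverage_ratio(p, SCENARIOS):.2f}")
    print(decide(Organisation(False, False, False), PRODUCTS, SCENARIOS))
    print(decide(Organisation(True, True, True), PRODUCTS, SCENARIOS))
    print(decide(Organisation(False, False, False), PRODUCTS[2:], SCENARIOS))
```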

1.3.2 Growth of the market


Although the cyber insurance market is still underdeveloped, it is growing steadily. The
global size of the cyber insurance market was $3.89 billion in 2017 (Adroit Market Research,
2019) and is expected to reach $14 billion by 2022 (Sharma, 2018). The US is by far the
largest market, accounting for some 90% of the total (EIOPA, 2018). Europe comes in
second with a market size of €295 million and is expanding rapidly, having grown 72%
between 2017 and 2018, the last year for which data was available (EIOPA, 2019).
Factors driving the growth in demand include greater awareness of cyber risks due to
the rising number of attacks, highly publicised data breach incidents and increased losses
associated with them, as well as fears of reputational damage caused by an attack (In-
point, 2017; P&S Intelligence, 2017). The implementation and enforcement of cyber and
information security-related legislation is also a factor. In the United States, the introduc-
tion of a number of data protection laws, including the 1996 Health Insurance Portability
and Accountability Act (HIPAA), played a major role in increasing the demand for cyber
insurance. More recently, the 2018 General Data Protection Regulation (GDPR) appears
to be having a similar effect in the European Union. The £183 million fine levied upon
British Airways under GDPR for its 2019 data breach was an unprecedentedly large sum

and made companies operating in Europe take notice. While demand for cyber insurance
in recent years has been led by large corporations from a wide variety of sectors that store
PII, this seems to be changing as smaller companies become more aware of cyber threats
and the costs associated with them (Inpoint, 2017; Aon Inpoint, 2018).
The supply side of the market is dominated by a few big players, although here too
smaller insurers are increasingly offering cyber insurance products. In the US more than
60% of standalone premiums were written by the five largest insurance companies and in
Europe the top three companies wrote over 70% of premiums (Inpoint, 2017). However, the
number of insurers underwriting cyber insurance products is steadily rising. There has been
a significant increase in insurers’ appetite for cyber risk over the past decade, leading to an
upturn in the number and variety of policies issued.

1.3.3 Types of insurance products


Cyber insurance products are focused on commercial business at present (EIOPA, 2018).
They can be offered as a standalone product or added on to an existing policy as part
of a package. The main types of coverage offered include business interruption as well as
data loss and recovery, in addition to extortion, third party data breaches, and reputational
loss. Policies generally cover the costs of repairing IT systems, carrying out forensic invest-
igations, as well as notifying customers of data breaches and providing them with credit
monitoring. In some cases, they may cover the cost of the fine for a data breach, but regu-
lators do not always allow this to be covered by insurance. Insurance cover may also include
services such as legal support, public relations, and crisis management.
Additional descriptions of the potentially insurable impacts, including the distinction
between first party and third party impacts as with traditional insurance products, are
available in Couce-Vieira et al. (2020a). Since the Target attack, a number of companies
now require their third party suppliers to obtain separate liability coverage, as a condition
of doing business with them.
Cyber insurance cover for individuals is also starting to emerge, given the potential for
credit card or identity theft when using the internet and the increasing uptake of IoT devices
in the home.

1.3.4 Challenges for insurers


Insurers face a multitude of challenges—many stemming from the difficulty of accurately
assessing cybersecurity risk—that inhibit the development and accurate pricing of cyber
insurance products. One of the biggest challenges that insurers face is the constantly evolving
nature of cyber risk. As discussed earlier, the threats impacting organisations are growing
in size and sophistication, with new threat actors and types of attacks regularly emerging
on the scene. In tandem, the security posture of organisations can evolve rapidly as well.
They may regularly take on additional third party suppliers, thereby increasing their cyber
exposure, or implement new security products, decreasing it.
The challenge is compounded by correlations between various risks. Accumulation risk,
or the risk of a claim from a single incident spreading to multiple lines of business, is a major
concern for insurers. For example, a cyber attack that takes down the power grid will likely
impact a wide range of sectors that depend upon it from transport to communications,
affecting not just cyber insurance but also a host of other business lines including property,
health, and even life insurance (Lloyd’s and University of Cambridge Centre for Risk Studies,
2015). An even greater preoccupation for insurers is systemic risk, or the possibility that

one incident could cause a cascading failure that triggers a collapse of the entire system2
(Ducos and de Ligniéres, 2019). For example, a cyber attack that takes down the power
grid could seriously threaten the viability of an insurance company or even of the insurance
industry as a whole if its impacts are consequential enough.
Another challenge is information asymmetry, given that organisations seeking to pur-
chase cyber insurance typically have more information about their risk posture than insurers.
This relates to moral hazard, or the risk that an organisation engages in riskier behaviour
because it has been insured. It can also lead to adverse selection, where an insurer provides
insurance coverage to an organisation whose risk is much higher than the insurer is aware of.
This results in an adverse effect for the insurer because it has issued an insurance policy at
a cost lower than it would charge if it were aware of the actual risk, exposing the insurer to
potential losses. Adverse selection is often due to an organisation seeking insurance coverage
providing false information or withholding pertinent information from the insurer.
Insurers are also confronted with the lack of data (Anderson and Fuloria, 2010) when
it comes to cyber incidents. Unlike in other domains that have similarly elevated levels of
risk—such as pandemics—there is an absence of historical data to draw on when setting
premiums. Organisations are also reluctant to disclose intrusion attempts or consequences
of attacks due to reputational concerns, as this could negatively affect their relations with
stakeholders or cause them to lose customers (Couce-Vieira et al., 2020a; Balchanos, 2012).
This challenge is exacerbated by an acute shortage of experienced cybersecurity under-
writers. Many underwriters have little knowledge of or experience with cybersecurity.
It can also be difficult to assess the financial impact of an attack that has occurred. For
example, for insurance products covering reputational loss from data breaches, it can be
particularly difficult to quantify the financial losses and implications for future revenues,
i.e. whether the loss is permanent or temporary.
If insurers can overcome these challenges, however, this represents an opportunity for
them to innovate in their offerings to help companies manage various degrees of risk.

1.4 The way forward


Given the many challenges that both companies and insurers face when it comes to CSRM,
there is a vital need for innovative new approaches to risk management in cybersecurity
for both customers and insurers. This book contributes to more rigorous methods of risk
management in cybersecurity by:

• promoting cyber insurance as a key part of CSRM;
• developing new models that consider the behavioural aspects of attackers, overcoming a key issue with current CSRM frameworks that do not take the intentionality of threats into account;
• examining other behavioural aspects by factoring in the decisions of companies and insurers;
• developing a method of dynamically pricing cyber insurance products in response to changes in a company’s cybersecurity risk profile, helping insurers deal with the rapidly evolving nature of cybersecurity risk;
• proposing a method to better quantify accumulation risk, enabling insurers to better manage correlated risks;
• proposing policy solutions to overcome moral hazard issues, assisting insurers with challenges linked to information asymmetry;
• using structured expert judgement elicitation techniques in instances where there is limited data, as a way to partially overcome the lack of data in the cybersecurity domain;
• facilitating the adoption of the models we have developed by designing and making publicly available a toolbox that provides an online interface for the model aimed at companies, as well as by providing a full case study illustrating how to implement the model; and
• giving particular consideration to SMEs, given that they may be especially vulnerable to cyber attacks.

2 as opposed to the damage being contained to harming just one component of that system

These topics are further developed and expanded upon in subsequent chapters. Chapter
2 provides an overview of the cyber insurance ecosystem and examines the decision-making
problems that organisations and insurers must contend with regarding risk management
for cybersecurity and cyber insurance, drawing on psychological perspectives. It also makes
use of an Agent-Based Model to assess the effects of various policy interventions on the
ecosystem. Chapter 3 discusses the cybersecurity challenges that organisations face, and
applies psychological and behavioural economics insights involving human behaviour and
decision-making to cybersecurity and cyber insurance. It also uses Behavioural Economics
Experiments to investigate the effects of behavioural interventions on cyber insurance up-
take. Building on this, Chapter 4 presents a series of models to assist organisations and
insurers with their decisions involving risk management in cybersecurity, including a key
model to help organisations determine their optimal allocation of cybersecurity resources
and select a cyber insurance product. It also provides auxiliary models to aid insurance com-
panies with their risk management issues, enabling better quantification of accumulation
risk and improved methods of designing and issuing cyber insurance products, including
ways to dynamically price these products. Chapter 5 presents a case study to illustrate
how to implement the key model developed in Chapter 4, providing detailed numerical ex-
amples. We conclude with a final discussion regarding the main points of this book and
their implications for policy.
2 The Cyber Insurance Landscape

Katsiaryna Labunets, Wolter Pieters, Michel van Eeten


Delft University of Technology

Dawn Branley-Bell, Lynne Coventry, Pam Briggs


Northumbria University

Inés Martínez, Jhoties Sewnandan


Delft University of Technology

CONTENTS
2.1 The cyber insurance ecosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 The cyber insurance adoption process and its challenges . . . . . . . . . . . . . . . . . . . . . 14
2.3 Effects of policy interventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

This chapter provides an analysis of the cyber insurance landscape. We start with an over-
view of the cyber insurance ecosystem, presenting the cyber insurance life cycle and the
main and secondary actors. We then examine organisational decision-making involving cy-
bersecurity and cyber insurance, both for companies as a whole and for Small and Medium
Enterprises in particular. We present the findings of studies we have conducted on these
topics, which draw on the Burke and Litwin Performance and Change Model and on Pro-
tection Motivation Theory, and consider the policy implications. Finally, we simulate the
effects of different policy interventions on the ecosystem, making use of an Agent-Based
Model to do so.

2.1 The cyber insurance ecosystem


Cyber insurance is a risk transfer option that companies can use to mitigate IT-related losses
in exchange for a premium (Fauntleroy et al., 2015). Product offerings mainly cover losses
due to a virus or hacking or data breaches, but not IT incidents in general. In this section,
we provide an overview of the cyber insurance ecosystem, including the cyber insurance life
cycle and the main and secondary actors involved in cyber insurance processes. It is based
on the cyber insurance and security risk management literature, an analysis of major cyber
insurance products available on the market, and interviews with insurers.


2.1.1 The cyber insurance life cycle


The cyber insurance life cycle includes several processes. It begins with a request for an
insurance offer. A company decides to buy cyber insurance to cover certain residual cyber
risks and requests a price quote from an insurance provider (insurer). Next, the insurer
assesses the company’s risks. The risk assessment approaches used depend on the type
of company (financial company, large corporation, etc.) and the internal workflow of the
insurer. After completing the risk assessment, the insurer prepares a proposed contract,
negotiations ensue between the insurer and the company, and once both parties agree the
contract is signed.
The claims handling process is triggered when the insured company experiences an actual
or a suspected data breach or cyber attack. The insured company must notify an incident
manager and activate the company’s insurance policy. Several parties may be involved in
this process, e.g. a breach counsel for problem handling, a forensic investigator, and in the
case of some incidents the regulator must be notified as well. Based on the information
collected and the insurance terms, the insurer determines the payout.

2.1.2 Actors and relationships


Analysing this cyber insurance life cycle, we have identified the relevant parties and existing
relationships between them, which we have modelled in Figure 2.1. Below we briefly describe
the main and secondary actors in the model and their relationships.
The main actors are:
• An insurance provider (insurer) takes on companies’ risk, providing them with appropriate
coverage in exchange for payment (Marotta et al., 2017). Insurers aim to build a profitable
portfolio of clients and increase their market share. They also look to build cybersecurity
awareness among the companies they have insured.
ˆ A company is a business that seeks to purchase cyber insurance. For the purposes of this
book, we classify companies according to the following categories1 :

1. Small and Medium Enterprises (SMEs) have a staff headcount below 250 per-
sons and a turnover below e50 million (European Commission, 2020).
2. Medium-sized companies have a staff headcount below 2,000 persons and a
turnover ≤ e500 million (Hargrave, 2019).
3. Large companies have a staff headcount of more than 2,000 persons or a turnover
above e500 million.

A company that purchases cyber insurance becomes an insured company. Insured com-
panies’ aims are to acquire a better picture of the cyber threats impacting them, transfer
cyber risk-related losses in exchange for reasonable premiums, get advice on cybersecurity
protective measures,2 and receive assistance in the cyber incident response process.
ˆ An insurance broker or other intermediary aims to provide advice to assist the company
in the selection of an appropriate cyber insurance product. Brokers aim to run a profitable
business and improve their market penetration. There are two types of brokers: retail and
wholesale. Since for the purposes of this model we are primarily interested in brokers
that sell cyber insurance products to companies, we only consider retail ones, who buy
insurance products from either insurers or wholesale brokers and sell them to businesses
1 Note that these categories will vary according to the insurer. Some insurers also have a Jumbo category.
2 Not every insurer offers these services.
The cyber insurance ecosystem 13

or individuals.3 Other intermediaries that sell insurance products to companies include


agents, who are employed by insurers to sell insurance products on their behalf, and
insurance consultants.
The secondary actors, presented in alphabetical order, are:
• A consumer uses products and services provided by the company (Mentzer et al., 2001).
Consumers aim to obtain a product or service that meets their needs in exchange for a
reasonable cost. The interests of consumers are usually communicated to policymakers
through consumer protection authorities, like the European Insurance and Occupational
Pensions Authority (EIOPA), and by sharing the findings of research that has been
undertaken.
• An expert provides assistance to the insurer in such areas as risk assessment, forensics,
legal issues, public relations, and other services that the insurer may need. Experts can
be either in-house or external.
• A policymaker takes part in the policymaking process. Policymakers might be national
governments, members of parliament, and government agencies/public bodies, among
others. They rely on information from varied sources such as research, representatives of
special interest groups, associations of insurance providers or SMEs, and others. Policymakers’
work results in the development of new policies, which a regulator is then responsible for
implementing. In our context, the policymakers’ goals involve raising the overall level of
cybersecurity in the ecosystem. They also consist of managing the cyber risk to systems
within their responsibility. To do so, policymakers might like to, for example, encourage
companies to adopt essential security controls via cyber insurance policy requirements.
• A reinsurer (reinsurance provider) accepts a portion of the risk of the insurers’ portfolio in
exchange for payment. Reinsurance is essentially insurance for insurers (Kesan and Hayes,
2017). Reinsurers can be either private companies (e.g. Munich Re⁴) or governmental
organisations (Robinson, 2012).
• A regulator is a public body responsible for the supervision and oversight of a particular
industry or business activity, ensuring that organisations within that sector comply
with all applicable laws, rules, and regulations (Levi-Faur, 2011). Some organisations are
regulated by multiple regulators, depending on their business domain(s). Cyber insurance-related
activities fall under the authority of a number of different regulators. This includes
insurance regulators as well as cybersecurity sector regulators, such as national Data
Protection Authorities (e.g. the “Commission nationale de l’informatique et des libertés” is
the French Data Protection Authority). EU National Data Protection Authorities are also
responsible for implementing EU regulations involving information privacy, such as the
General Data Protection Regulation (GDPR), within their countries.
• A researcher (research) investigates cyber insurance-related topics. This might involve
research conducted at universities or think tanks, in private companies, consultancies, or
elsewhere. Research findings can inform the work of policymakers, helping evaluate the
effect of policy interventions on the ecosystem. They can also assist insurers in developing
cyber insurance policies.
• A security provider provides security products and services to other parties to safeguard
their assets. Security providers can work directly with companies or by cooperating with
insurers.

³ By contrast, wholesale brokers act as an intermediary between retail brokers and insurers.
⁴ https://www.munichre.com

• A threat actor (threat) is often a malicious actor that aims to launch an attack against the
company (Kissel, 2013). There are also non-malicious threat actors that unintentionally
cause harm, e.g. due to committing an error. In the cyber insurance context, the motivations
and aims of threat actors could be essential factors for understanding the behavioural
elements of an attack. It is also important to distinguish between insider threats and
external ones. Insiders already have access to the company’s information systems, while
external threat actors need to obtain access in order to perpetrate an attack.

• A vendor provides companies with a product or service. This would typically be an equipment
vendor supporting the company’s business processes, such as a software provider
or network provider (Mentzer et al., 2001). Companies may require their vendors to have
cyber insurance and/or prove that they are compliant with cybersecurity regulations. [NB:
Although technically speaking a security provider (listed above) is a type of vendor, we
have separated these into two categories to emphasise an important distinction: a vendor
covers all vendors providing the company with products or services, while a security company
only provides the company with security products and services.]

2.2 The cyber insurance adoption process and its challenges


Now that we have established a clear picture of the cyber insurance ecosystem, we seek
to better understand how cybersecurity and cyber insurance decisions are taken within
this ecosystem. This section focuses on what happens at the company level. Section 2.2.1
examines organisational decision-making involving cybersecurity and cyber insurance within
all types of companies. Section 2.2.2 then does a deep dive on the decision-making process
within SMEs specifically. In each instance, we consider the policy implications.

2.2.1 General company-level decision-making process for cybersecurity and cyber insurance

Companies must make key investment decisions concerning cybersecurity measures (including
cyber insurance) on a regular basis, but there is a lack of research directly investigating
how companies make these decisions, as identified by Weishäupl et al. (2018). In particular,
a recent literature review by Heidt et al. (2019) highlighted the scarcity of studies analysing
IT-related security decision-making that take contextual factors into account, notably
behavioural, environmental, and organisational ones. They found that these contextual factors
are often overlooked because the majority of research in this area is quantitative in nature.
They thus argue that it is important for research to consider such contextual factors (Heidt
et al., 2019, p. 6145).

Study design
We drew on the Burke and Litwin (1992) Performance and Change Model, shown in Figure
2.2, in order to examine the drivers of IT-related decision-making, including the role of
the contextual factors mentioned above. The Burke and Litwin Model is a general model
describing the many factors that drive change within an organisation and serves as a useful
starting point. The model illustrates how behaviour within companies can be influenced by a
complex system of twelve factors. All the pathways between the factors are bidirectional, and
therefore all factors, from company structure to motivation in the workplace, can feed into
organisational change in many different ways. The model ranks them in order of influence,
with the most important factors at the top. The external environment is therefore the
dominant factor in the model, having a significant impact on a company’s mission and
strategy, organisational culture, and leadership, and through them, on the other factors as
well.

[Figure 2.1: The cyber insurance ecosystem. Actors shown: Insurer, Reinsurance provider, Research, Insurance regulator, Expert, Policymaker, Insurance broker, Security provider, Sector regulator, Company, Vendor, Consumer, Threat. Relationship labels legible in the source: “Cover part of insurer’s clients’ losses”, “Provide results”, “Interests of insurers (e.g., insurance federation)”, “Interests of companies (e.g., SME association)”, “Interests of consumers (e.g., consumer rights supervisory authority)”, “Policy recommendations”, “Policy changes”, “Compliance with regulations”, “Request for a specific expertise”, “Collect necessary data”, “Negotiate policy conditions”, “Pay premiums”, “Cover losses due to cyber risk”, “Advice on cyber insurance offerings”, “Security services for insurer and its clients”, “Provide security services”, “Invest in security controls”, “Provide product/service”, “Damage or steal company’s assets”.]

[Figure 2.2: Burke and Litwin Performance and Change Model (adapted from Burke and Litwin, 1992). The twelve factors, top to bottom: External Environment; Leadership; Mission and Strategy; Organisational Culture; Management Practices; Structure; Systems (Policies and Procedures); Work Unit Climate; Motivation; Task Requirements and Individual Skills/Abilities; Individual Needs and Values; Individual and Organisational Performance.]

We can apply this model in a cybersecurity context. In order to identify the key roles
and influential drivers of cybersecurity and cyber insurance specifically, we conducted 11
in-depth interviews with practitioners inside companies. This included individuals responsible
for making cybersecurity decisions within a company as well as those involved in the
sale/marketing of cybersecurity-related products and services (including cyber insurance).
Those interviewed were from companies of different sizes, a mix of larger companies and
SMEs. We then carried out a qualitative analysis to identify and understand the influential
drivers of cybersecurity-related decision-making within companies at board and senior
management level.

Findings
We found that the decision-making process at company level involves a complex ecosystem in
its own right. These systems can vary dramatically between companies, depending upon size,
maturity, and sector. There is no universal ‘one size fits all’ structure for cybersecurity and
cyber insurance decision-making within companies. There are also many different factors,
both internal and external, that can influence companies’ cybersecurity decision-making
and cyber insurance adoption. Any cybersecurity services, products, and interventions need
to account for this variation between companies in the decision-making process.

Internal drivers
There are many different processes influencing cybersecurity-related decisions inside a company.
For example, cyber insurance adoption often seems to be driven outside of the technical
teams (for example, from finance). Companies often have complex (and non-universal)
structures involving numerous boards, committees, teams, and departments, each reflecting
their own motivations, priorities, and ways of doing things.
In keeping with Weishäupl et al. (2018), we found evidence that companies can perceive
cybersecurity-related decision-making (and related processes) to be time-consuming and
tedious. For example, even the process of acquiring an insurance quote (and gathering the
associated company information needed to obtain it) and the renewal process are seen as
effortful. This can have a detrimental impact upon cyber insurance adoption, and is further
compounded by a lack of awareness around cyber risk and cyber insurance coverage.
Companies also expressed a mistrust of insurers, with concerns in regards to lack of transparency
surrounding coverage. Resource and financial constraints also play a role.

External drivers
Cyber insurance adoption appears to be largely influenced by legislation and other policy
aspects. In keeping with Weishäupl et al. (2018), our findings suggest that there may be a
disconnect between the existing academic literature that sometimes regards cybersecurity
decision-making as intrinsically motivated, and the emerging literature (such as this current
study) that shows that companies may be more motivated to invest in cybersecurity because
they need to do so to comply with legislation.
Legislation as a driver for cyber insurance also fits within the Burke and Litwin Model.
As previously mentioned, this model suggests that the most dominant influence on organisa-
tional performance and change is the external environment. This could include factors such
as legislation (e.g. the introduction of the GDPR) and media coverage of cyber risk—both of
which were mentioned by those we interviewed as drivers of cyber insurance uptake. There-
fore, in much the same way as Burke and Litwin, we found that external factors appear to
have a strong influence on cybersecurity decision-making within companies.
Many approaches to cybersecurity assume a rational decision-making process. However,
human decision-making and perception of risk does not always follow rational processes
(Evans, 2003). This will be discussed further in Chapter 3. Many approaches also assume
accurate calculations of benefit and risk—but this is unlikely at best, due to the current
lack of data on cyber risk and how to measure it (Eling and Schnell, 2016).
Our findings suggest that companies may be responsive to more detailed cyber insurance
policy wording regarding the specific terms and conditions of coverage (e.g. inclusions
and exclusions). However, greater precision can make it difficult for policies to take into
account the changing nature of the cybersecurity environment. Therefore a balance is needed
between providing enough detail to reassure and/or guide companies, whilst maintaining
enough room for policies to take into account new developments in cybersecurity risk and
protection. Further research is required to investigate the most appropriate level of
specificity. Legislation surrounding the standardisation of cyber insurance policy wording could
help to reassure companies, and also address confusion over what policies cover (and clarify
the perceived ‘grey area’ between traditional insurance policies and cyber policies).
Given companies’ lack of confidence in insurers, policymakers should foster practices that
could help build trust between insurers and insured companies. To achieve greater awareness
around cyber risk and improve cybersecurity practices, policymakers can help partially
overcome the issues involving the absence of good cyber incident data by promoting greater
information sharing. There is a need for further investigation into the most appropriate
ways to implement this.

2.2.2 Decision-making process in SMEs


Of the limited research that has been done on how organisations make decisions about
cybersecurity and cyber insurance, it tends to focus on large companies. Yet, as the Burke
and Litwin Model implies, the complexity of a company’s ecosystem varies significantly
according to a company’s size. The cyber insurance adoption process for SMEs will therefore
have a number of distinct characteristics. Moreover, SMEs face particular cybersecurity
challenges. Relatively speaking they have fewer resources to invest in cybersecurity, making
them more susceptible to cyber attacks. Research on this under-investigated sector is thus
essential.

Study design
To investigate what mechanisms and factors influence how SMEs decide on cyber insurance
adoption, we drew on the Protection Motivation Theory (PMT) Model. We use Rogers’
1983 revision of the model, which is the most commonly used version, shown in Figure
2.3 (Rogers, 1983; Floyd et al., 2000). PMT is a behavioural theory that identifies the
elements that a decision-maker relies on to determine whether or not to protect against a
threat. According to PMT, the protection motivation of an SME is based on three main
components: sources of information, threat appraisal, and coping appraisal. There are two
types of sources of information: environmental and intrapersonal. Environmental sources of
information (rewards, severity, and vulnerability) are used to create the threat appraisal,
and intrapersonal sources of information (response efficacy, self-efficacy, and response costs)
are used to create the coping appraisal.
We conducted semi-structured interviews with representatives of ten SMEs. The in-
terviews used semi-structured interview questions based on PMT. (The semi-structured
interview guide is available in Labunets et al. (2019).)

Findings
We developed a Cyber Insurance Adoption Model for SMEs, shown in Figure 2.4, to illustrate
an SME’s decision-making process regarding cyber insurance (Martinez Bustamante,
2018). In the centre of the model is cyber insurance adoption. The other components show
the cognitive process that a decision-maker uses to decide whether or not to purchase cyber
insurance. It is based on the three central components of the PMT model—sources
of information, threat appraisal, and coping appraisal—but extends it with two additional
components: potential impediments and drivers of cyber insurance adoption. These two
additional components arose out of the interview process as important elements to consider
as well.

[Figure 2.3: Protection Motivation Theory (PMT) Model (Rogers, 1983 revision). Sources of information (environmental, intrapersonal) feed the cognitive mediating processes: severity, rewards and vulnerability form the threat appraisal, together with fear; response efficacy, response costs and self-efficacy form the coping appraisal; both lead to protection motivation.]
Overall, the interview findings revealed that the cyber insurance decision-making process
is problematic for SMEs due to poor understanding of cybersecurity risks and the dynamic
nature of those risks. We provide more specifics about each model component.

Sources of information
We identified the following needs surrounding a company’s sources of information: Cyber
insurance is a relatively new concept for SMEs, so insurers and brokers have to be proactive
in raising SMEs’ awareness of cyber risks and available cyber insurance products. A policy
measure regulating the role and liability of insurers and brokers in advising their clients on
cybersecurity could benefit SMEs, as it is key for them to receive high-quality advice and
trust their advisors. Insurers and brokers also need to be fully cognizant of the responsibility
that they bear as advisors.
Another factor is that SMEs view the cyber threats they face and mitigation tactics they
use as sensitive topics. This could explain why SMEs are often not willing to share their
cybersecurity methods, which likely slows down the diffusion of cybersecurity best practices
among SMEs. Further policy measures establishing and/or promoting cybersecurity
certification schemes for companies and raising cybersecurity awareness could help SMEs obtain
a clearer picture of their cybersecurity readiness. Cihon et al. (2018) agree: “Regulation
should clearly signal to firms that certification helps meet their cybersecurity ‘duty of care’,
which, if a breach were to occur, would see firms enjoy better defence against tort liability
and fines.” (NB: A cybersecurity certification framework is underway in the EU.)

Threat appraisal
Digitalisation is important for a company’s growth, but it also creates new threat vectors
through which a company can be attacked. While embracing digitalisation (e.g. cloud
technology), SMEs are simultaneously concerned as part of their threat appraisal that this makes
them more vulnerable to experiencing a data leak—which could affect the company’s
reputation and cause clients to lose trust in them. This drives them to increase their security
measures in order to protect their data. It also pushes them to consider cyber insurance as
a practical risk transfer strategy. As mentioned previously, a policy measure encouraging
the development of standard language for cyber insurance policies could help SMEs better
understand what residual risks they can transfer with cyber insurance.

Coping appraisal
When it comes to a company’s coping appraisal, our findings indicate that cyber insurance
is an attractive option for SMEs to transfer the risk of potential losses from a cyber attack
if the insurance policy is clear and the premium price is fair. Since cyber insurance also
provides policy holders with complementary information regarding cyber threats and help
with cyber incident management, this creates added value for SMEs because they tend to
lack knowledgeable personnel to deal with incidents. (However, if a company has invested
sufficiently in cybersecurity protection measures and has skilled staff, then it has less
motivation to buy cyber insurance.)
Further policy measures/regulations that impose financial costs on companies that
experience cyber incidents (e.g. cost of notifying affected organisations or individuals following
a breach, or fines in the event of a breach attributable to non-compliance with regulations)
will likely motivate them to consider cyber insurance options. Various insurers already offer
services helping companies ensure that they are compliant with existing regulations. Again,
standardising cyber insurance policy language will help.

Impediments
Many of the impediments to cyber insurance adoption are problems that arise when
companies try to buy cyber insurance. The process can be seen as complicated and there is
often confusion about what a policy’s coverage entails—as well as doubts about whether
it will actually pay out in the event of an incident. High premiums also have a dissuasive
effect.
Another reason for SMEs not purchasing cyber insurance is that a number of them
believe they have a low probability of being attacked. Some companies, notably IT companies,
think that they already have sufficient cybersecurity measures in place, so purchasing cyber
insurance does not provide them with any added value. Finally, some erroneously believe
that they have transferred the risk to the security provider; one of the interviewees
commented that “it’s not necessary for us to have insurance because [the security provider] has
taken care of the [risk]”.

Drivers
The main drivers of purchasing cyber insurance for companies include wanting to protect
their reputation, which they do through various risk mitigation strategies, cyber insurance
being one of them. Sectorial regulators make some recommendations in this respect.
Increasing awareness and experience of cybersecurity incidents also drives decision-makers
towards cyber insurance adoption. As mentioned previously, the additional services
provided by cyber insurance (e.g. cyber threat information or incident assistance) motivate
companies to purchase policies as well. Finally, small company status is a driver of cyber
insurance adoption, with small companies increasingly realising that cyber insurance can
help them.
Figure 2.4: Cyber Insurance Adoption Model (Martinez Bustamante, 2018)


2.3 Effects of policy interventions


The previous section presented various factors impacting the cyber insurance adoption
process. In this section, we discuss an Agent-Based Model (ABM) (van Dam et al., 2013) to
simulate the effects of different types of policy interventions on overall risk. In agent-based
modelling, system-level effects are studied based on simulating the behaviour of individual
agents and their interactions.

Figure 2.5: Simplified ecosystem for the Agent-Based Model (Sewnandan, 2018)

2.3.1 Study design


In order to keep the complexity of the model manageable, we used a simplified version of
the cyber insurance ecosystem depicted in Figure 2.1 and its actors (i.e. the agents) as the
basis for the model. This simplified ecosystem is shown in Figure 2.5 (Sewnandan, 2018).
For the agents in the simplified ecosystem, behavioural rules and parameters were defined
as detailed in Sewnandan (2018) and the associated flow diagram is shown in Figure 2.6. At
each “tick” of the model, representing a month in real time, agents observe their environment
and execute actions. Security strength influences the risk of being attacked. Organisations
conduct cyber risk management (right box), including making decisions about purchasing
insurance and/or investing in improved security. Organisations also update their status (left
box), including recovery from attacks and paying insurance premiums. Attackers can attack
organisations (middle box), after which organisations can make insurance claims. Individual
security strengths are updated through (a) effectiveness reduction over time, and (b) new
security investments.
The ABM was implemented in NetLogo (Tisue and Wilensky, 2004), with an interface as
shown in Figure 2.7. Sewnandan (2018) provides details on the parameters and the results
of a sensitivity analysis, which examines how the uncertainty in the output of a model or
system can be attributed to different sources of uncertainty in the inputs.
The system-level variables we use to study the effects of policy interventions are:
1. The average security level (on a scale from 0 to 1) in the ecosystem; and
2. The global value loss in the ecosystem (total asset value lost in euros, representing
the inverse of resilience).

Using the model above, we investigated the effects of the following cyber insurance policy
options on the ecosystem as a whole:
• Package options: the combination of the maximum amount in damages covered by the
insurance and the insurance premium;
• Contract length: the duration of the insurance contract (6, 12, or 24 months);
• Risk selection: demanding improved cybersecurity levels,⁵ or increasing the premium for
clients when an insurer believes their cybersecurity levels need improvement;
• Incentivisation: lowering the premium for clients with high cybersecurity levels;
• Upfront risk assessment: requiring a potential client to perform a certain type of risk
assessment first⁶;
• Sharing cybersecurity information: providing clients with information on security controls,
threats, etc. to help enhance their cybersecurity;
• Requiring organisations to maintain their cybersecurity levels: demanding that their initial
cybersecurity levels are maintained to retain coverage.
We ran simulations for an ecosystem consisting of 125 organisations.
We also conducted a synergy experiment, which involves determining whether two or
more discrete policy options can have a combined effect that is greater than the sum of the
effects of each on their own. In essence, whether the whole is greater than the sum of its
parts. In the experiment, we investigated the effects of combining the options risk selection,
incentivisation, and sharing cybersecurity control information.
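
As an added illustration of the mechanics this section describes (example code written for this page, not the NetLogo model of Sewnandan (2018)), the following Python sketch runs a small ecosystem of organisations on monthly ticks with security decay, security investments, attacks, premiums and claims, reports the two system-level variables plus the share of insured organisations, and repeats the synergy comparison of the previous paragraph for three of the options: risk selection (implemented here in its premium-surcharge variant), incentivisation and information sharing. Every agent rule, threshold and numeric parameter, and the names `Policy`, `Org`, `simulate` and `synergy_experiment`, are assumptions of this example.

```python
"""Toy agent-based model of the simplified cyber insurance ecosystem.

Added illustration, not the NetLogo model of Sewnandan (2018): the agents,
rules and every numeric parameter below are assumptions chosen to make the
mechanics (monthly ticks, decay, investment, attacks, claims, policy options)
visible and reproducible.
"""
from dataclasses import dataclass
from random import Random
from typing import Optional

# Assumed parameters (constructed for this example, not taken from the book).
BASE_PREMIUM = 0.010     # monthly premium as a fraction of asset value
COVERAGE_CAP = 0.50      # insurer pays at most this fraction of assets per claim
MIN_SECURITY = 0.50      # risk selection: premium surcharge below this level
HIGH_SECURITY = 0.70     # incentivisation: premium discount at or above this level
DECAY = 0.02             # security effectiveness lost per month
INVEST_GAIN = 0.10       # security gained per investment
INVEST_COST = 0.02       # investment cost as a fraction of assets
LOSS_FRACTION = 0.20     # share of assets lost in a successful attack
CONTRACT_MONTHS = 12


@dataclass(frozen=True)
class Policy:
    risk_selection: bool = False   # double the premium for low-security clients
    incentivisation: bool = False  # halve the premium for high-security clients
    info_sharing: bool = False     # shared control information makes investments more effective


@dataclass
class Org:
    security: float            # 0..1, probability that an attack attempt is repelled
    assets: float              # asset value in euros (constructed)
    insured: bool = False
    months_left: int = 0       # remaining contract length in months
    attacked_recently: bool = False


@dataclass(frozen=True)
class Result:
    avg_security: float   # system-level variable (a): average security level, 0..1
    value_loss: float     # system-level variable (b): total asset value lost
    insured_share: float  # fraction of organisations holding a policy at the end


def premium(org: Org, policy: Policy) -> float:
    """Monthly premium the insurer quotes to this organisation under the policy options."""
    rate = BASE_PREMIUM
    if policy.risk_selection and org.security < MIN_SECURITY:
        rate *= 2.0
    if policy.incentivisation and org.security >= HIGH_SECURITY:
        rate *= 0.5
    return rate * org.assets


def simulate(policy: Optional[Policy] = None, n_orgs: int = 125, ticks: int = 60,
             attack_prob: float = 0.10, seed: int = 1) -> Result:
    """Run the ecosystem for `ticks` months and return the system-level variables."""
    policy = policy or Policy()
    rng = Random(seed)
    orgs = [Org(security=rng.uniform(0.3, 0.8), assets=rng.uniform(1e5, 1e6))
            for _ in range(n_orgs)]
    value_loss = 0.0
    for _ in range(ticks):
        for org in orgs:
            # Cyber risk management: buy cover when expected monthly loss exceeds the premium.
            expected_loss = attack_prob * (1.0 - org.security) * LOSS_FRACTION * org.assets
            if not org.insured and expected_loss > premium(org, policy):
                org.insured, org.months_left = True, CONTRACT_MONTHS
            # Invest in security after an incident or while below the minimum level.
            if org.attacked_recently or org.security < MIN_SECURITY:
                gain = INVEST_GAIN * (1.5 if policy.info_sharing else 1.0)
                org.security = min(1.0, org.security + gain)
                org.assets -= INVEST_COST * org.assets
                org.attacked_recently = False
            # Status update: pay the premium, expire contracts, lose effectiveness over time.
            if org.insured:
                org.assets -= premium(org, policy)
                org.months_left -= 1
                org.insured = org.months_left > 0
            org.security = max(0.0, org.security - DECAY)
            # Attack: an attempt succeeds with probability (1 - security); insured orgs claim.
            if rng.random() < attack_prob and rng.random() >= org.security:
                loss = LOSS_FRACTION * org.assets
                claim = min(loss, COVERAGE_CAP * org.assets) if org.insured else 0.0
                value_loss += loss                 # value lost to the ecosystem as a whole
                org.assets -= loss - claim         # recovery: the claim restores covered value
                org.attacked_recently = True
    return Result(avg_security=sum(o.security for o in orgs) / n_orgs,
                  value_loss=value_loss,
                  insured_share=sum(o.insured for o in orgs) / n_orgs)


def synergy_experiment(seed: int = 1) -> dict:
    """Compare the combined effect of three options with the sum of their single effects."""
    base = simulate(Policy(), seed=seed)
    names = ("risk_selection", "incentivisation", "info_sharing")
    singles = {n: simulate(Policy(**{n: True}), seed=seed) for n in names}
    combined = simulate(Policy(True, True, True), seed=seed)
    sum_single = sum(r.avg_security - base.avg_security for r in singles.values())
    return {"baseline": base, "singles": singles, "combined": combined,
            # positive when the whole is greater than the sum of its parts (average security)
            "security_synergy": (combined.avg_security - base.avg_security) - sum_single}


if __name__ == "__main__":
    outcome = synergy_experiment()
    print("baseline", outcome["baseline"])
    for name, res in outcome["singles"].items():
        print(name, res)
    print("combined", outcome["combined"], "synergy", round(outcome["security_synergy"], 4))
```

Run it as a script to print one result per option; `security_synergy` is positive when the combined run raises average security by more than the three single-option effects add up to, which is the “whole greater than the sum of its parts” test of the synergy experiment. Because the same seed drives the same sequence of attack attempts in every run, differences between runs come only from the policy options, which is what makes the comparison meaningful.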

2.3.2 Findings
We measured the effect of the different policy options on (a) the average security level in
the ecosystem, (b) the global value loss in the ecosystem (i.e. the total asset value lost, or
the inverse of resilience), and (c) the percentage of insured organisations, under the model
assumptions and parameter settings.
We observed that the effects of the different policy options on the average security level
in the ecosystem are relatively small, with the synergy experiment providing the best results.
For all policy options, the average security level was in the range of 0.54 to 0.58.
In terms of the impact on global value loss, the effects are small as well. In this case, the
effect of the synergy experiment is somewhere in the middle compared to individual policy
options. This suggests that although the combination of policy options improves overall
security, it does not necessarily improve resilience, in the sense of reducing the global value
loss. This could be because high-risk organisations might not purchase cyber insurance when
the risk selection and incentivisation policy options are implemented, due to not being able
to purchase it at an acceptable price.
Also, the synergy experiment results in a relatively low percentage of insured organisations
(less than 40 out of 125 organisations, or 32%). This is because the combined policy
options make cyber insurance less attractive for some (high risk) organisations, thereby
reducing adoption but improving ecosystem-level security. The detailed overview of the results
is available in Sewnandan (2018).
⁵ In practice this would be among companies that already have reasonable cybersecurity levels, as insurers
will not insure companies that have poor or low security levels. Insurers decline many risks based on a
company having poor or low cybersecurity levels. The threshold will depend on each insurer’s individual
risk tolerance.
⁶ At present, many insurers only assess a potential client’s risk based on the client’s application form.

Figure 2.6: Flow diagram of the Agent-Based Model (Sewnandan, 2018)

Figure 2.7: Interface of the Agent-Based Model in NetLogo (Sewnandan, 2018)
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person
or entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set


forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied


warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the


Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you
do or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission


of Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the


assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project


Gutenberg Literary Archive Foundation
The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status
by the Internal Revenue Service. The Foundation’s EIN or
federal tax identification number is 64-6221541. Contributions
to the Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500


West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact
Section 4. Information about Donations to
the Project Gutenberg Literary Archive
Foundation
Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws


regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or determine
the status of compliance for any particular state visit
www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states


where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot


make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current


donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.

Section 5. General Information About


Project Gutenberg™ electronic works
Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.

Project Gutenberg™ eBooks are often created from several


printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,


including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.
Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.

Let us accompany you on the journey of exploring knowledge and


personal growth!

ebookball.com

You might also like