
Daniel W Woods, The University of Edinburgh | UoE · School of Informatics
Computer Science (PhD), University of Oxford
About
36 publications · 7,493 reads
285 citations (since 2017)
Introduction
My doctoral research looked at how insurance shapes cybersecurity practices in organisations. I'm also interested in quantifying risk and privacy economics.
Additional affiliations
September 2019 - present
August 2018 - December 2018
Education
October 2015 - September 2019
October 2014 - August 2015
Publications (36)
This paper introduces a causal model inspired by structural equation modeling that explains cyber risk outcomes in terms of latent factors measured using reflexive indicators. First, we use the model to classify empirical cyber harm studies. We discover cyber harms are not exceptional in terms of typical or extreme losses. The increasing frequency...
Insurance premiums reflect expectations about the future losses of each insured. Given the dearth of cyber security loss data, market premiums could shed light on the true magnitude of cyber losses despite noise from factors unrelated to losses. To that end, we extract cyber insurance pricing information from the regulatory filings of 26 insurers....
Cyber insurance policies commonly indemnify the cost of incident response services. This creates a multi-layered economic problem in that the policyholder hiring external firms incurs transaction costs and the insurer paying the bill creates a principal-agent problem. We adopted a multi-stage research design to understand how insurers address the p...
0-day brokers are market makers who serve both adversaries seeking to exploit computer systems and researchers who develop the means to do so. This involves searching for buyers/sellers, negotiating prices and contracts, and monitoring the contract. In this paper we characterise the search aspect of 0-day broking. We extracted longitudinal data on...
Across both the public and private sector, cybersecurity decisions could be informed by estimates of the likelihood of different types of exploitation and the corresponding harms. Law enforcement should focus on investigating and disrupting those cybercrimes that are relatively more frequent, all else being equal. Similarly, firms should account...
Thousands of incidents each year are managed by law firms. Victim firms call a hotline and delegate incident response to external counsel without a preexisting relationship. We examine how this model breaks from convention and outline questions for future research.
In the commodification of consent, a legal concept designed to empower users has been transformed into an asset that can be traded across firms. Users interact with a consent dialog offered by one coalition member. The default setting allows any other coalition member, including both publishers and third-party vendors, to use this consent as a lega...
Empirical estimates of privacy harm can help victims to demonstrate damages resulting from violations or support organisations in balancing harm to individuals against the cost of preventative measures. Quantitative studies of privacy harm are relatively rare. Personal identity insurance provides an additional source of quantitative data regarding...
Privacy preference signals are digital representations of how users want their personal data to be processed. Such signals must be adopted by both the sender (users) and intended recipients (data processors). Adoption represents a coordination problem that remains unsolved despite efforts dating back to the 1990s. Browsers implemented standards lik...
Privacy preference signals allow users to express preferences over how their personal data is processed. These signals become important in determining privacy outcomes when they reference an enforceable legal basis, as is the case with recent signals such as the Global Privacy Control and the Transparency & Consent Framework. However, the coexisten...
Information sharing is widely held to improve cybersecurity outcomes, whether it is driven by market forces or by cooperation among firms and individuals. Formal institutions may be established to facilitate cooperative information sharing. This paper presents a case study of such an institution, the CERT Coordination Center (CERT/CC), and provides qu...
Definitions of war found in cyber insurance policies provide a novel window into the concept of cyber war. Mediated by market forces, changes in policy wording reflect shifting expectations surrounding technology and military strategy. Legal cases contesting war clauses probe state-formulated narratives around war and offensive cyber operations. In...
In the commodification of consent, a legal concept designed to empower users has been transformed into an asset that can be traded across firms. Users interact with a consent dialogue offered by one coalition member. The default setting allows any other coalition member, including both publishers and third-party vendors, to use this consent as a le...
Risk transfer options offer hope, but little more.
Presentation slides for a talk given at Princeton's Center for Information Technology Policy.
Definitions of war found in cyber insurance policies provide a novel window into the concept of cyber war. Changes in policy wording reflect shifting expectations surrounding technology and military strategy as mediated by market forces. In a recent legal case, an insurer refused to pay a property insurance claim by arguing the cause of the claim,...
Risk transfer plays an increasing role in information security risk management as organisations purchase cyber insurance and vendors offer cyber warranties. These cyber risk transfer products affect how risk managers make decisions. An archetypal example is insurers offering discounts on cyber insurance contingent on information security controls b...
Cyber insurance could achieve public policy goals for cybersecurity using private-sector means. Insurers assess organizational security postures, prescribe security procedures and controls, and provide postincident services. We evaluate how such mechanisms impact security, identify market dynamics restricting their effectiveness, and sketch out pos...
We introduce a game-theoretic model to investigate the strategic interaction between a cyber insurance policyholder whose premium depends on her self-reported security level and an insurer with the power to audit the security level upon receiving an indemnity claim. Audits can reveal fraudulent (or simply careless) policyholders not following repor...
The actuarially fair insurance premium reflects the expected loss for each insured. Given the dearth of cyber security loss data, market premiums could shed light on the true magnitude of cyber losses despite noise from factors unrelated to losses. To that end, we extract cyber insurance pricing information from the regulatory filings of 26 insurer...
Consumers struggle to distinguish between the quality of different enterprise security products. Evaluating performance is complicated by the stochastic nature of losses. It is recognised that this information asymmetry may lead to a “market for lemons” in which suppliers face no incentive to provide higher quality products. Some security vendors h...
Pre-print of our GameSec 2018 paper with DOI: 10.1007/978-3-030-01554-1_2
Making security investment decisions involves giving consideration to a variety of risks. However, there is little robust empirical evidence that can be used to support this process. This paper builds a road-map for incorporating cyber insurance data into existing security investment models. We propose an approach for using this data as an input for...
There is evidence that the availability of cyber insurance is contingent on an applicant's security posture and that premium discounts may apply if the applicant adopts security controls dictated by the insurer. As the cyber insurance market grows in size, questions arise regarding how this situation will affect investment in information security....
The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public–private partnership. This paper rectifies this omission and...
Policy discussions often assume that wider adoption of cyber insurance will promote information security best practice. However, this depends on the process that applicants need to go through to apply for cyber insurance. A typical process would require an applicant to fill out a proposal form, which is a self-assessed questionnaire. In this paper,...
Projects (2)
The concept of "insurance as governance" suggests insurers influence how policyholders manage risk. This project explores this idea in the context of insurance for cybersecurity risks.
Risk transfer plays an increasing role in information security risk management as organisations purchase cyber insurance and vendors offer cyber warranties. These cyber risk transfer products affect how risk managers make decisions. An archetypal example is insurers offering discounts on cyber insurance contingent on information security controls being in place. Alternatively, vendors offering cyber warranties incur relatively less cost if they produce more effective products, increasing the information risk managers possess when purchasing security products.
This dissertation uses mixed methods to ask how cyber risk transfer products might increase the information available for security decisions. Focusing on the incentives and strategies of market participants situates this dissertation within the Economics of Information Security. We collect empirical data in order to make realistic modelling decisions. We then introduce two decision-theoretic models to explore how mechanisms like cyber insurance and cyber warranties can increase information about the effectiveness of security controls. One of the resulting insights is operationalised by introducing a novel method to infer loss distributions from insurance prices.
Our first contribution collects data about cyber insurance risk assessment and how it feeds into pricing. A qualitative study involving nine insurance firms in the UK provides insights into market processes. We identify disparities between how an area of information security is valued by underwriters and how much information is collected in application forms. Additionally, we extract 26 regulatory filings describing how US insurers price cyber insurance, providing one of the first quantitative empirical studies of the cyber insurance market.
Our second contribution extends this model to consider multiple policyholders with an insurer coordinating information. Monte Carlo simulations are used to explore different strategies for the insurer. The results describe how the rate of attack, security spending, variance of losses, and gross return relate to the insurer's choice of strategy and number of insureds.
Our third contribution considers how consumers can use cyber warranties to increase information about the effectiveness of security products. We analyse 15 warranties attached to information security products to understand what they typically cover. We then introduce a simple model and derive four different inferences that can be made, depending on the information held by the consumer. Numerical illustrations suggest that vendors voluntarily offering warranties can force a separating equilibrium. Finally, we discuss barriers to making these inferences in reality.
Our final contribution introduces a novel method to infer cyber loss distributions from insurance prices. We apply this to a set of 6,218 cyber insurance prices extracted in our first contribution. This allows us to derive what we term the County Fair Cyber Loss Distribution, which aggregates the inferred loss models from 26 separate pricing schemes. The results provide real estimates that organisations can use to quantify cyber risk.