Conference Paper

Differentiating Cyber Risk of Insurance Customers: The Insurance Company Perspective

Authors:
  • Secure Practice

Abstract

As a basis for offering policy and setting tariffs, cyber-insurance carriers need to assess the cyber risk of companies. This paper explores the challenges insurance companies face in assessing cyber risk, based on literature and interviews with representatives from insurers. The interview subjects represent insurance companies offering cyber-insurance in a market where this is a new and unknown product. They have limited historical data, with few examples of incidents leading to payout. This lack of experience and data, together with the need for an efficient sales process, highly impacts their approach to risk assessment. Two options for improving the ability to perform thorough yet efficient assessments of cyber risk are explored in this paper: basing analysis on reusable sector-specific risk models, and including managed security service providers (MSSPs) in the value chain.


... Customers underestimate the probability of cyber-attacks to their business, leading to underestimation of the possible risks (Rohn et al., 2016). Suppliers of cybersecurity insurance services do not have enough experience and historical data, to identify, assess and evaluate the risks and the premium needed (Tøndel et al., 2016). Another aspect is the role of the insurance companies in consulting and risk assessments, as private governance mechanism in improving the organizations' cyber readiness (Talesh, 2018). ...
... Others focus on one of two sides of the cybersecurity insurance coin: Some research examines the inclination and readiness of organizations (i.e. the customers of cybersecurity insurance services) to adopt cybersecurity insurance services (Bandyopadhyay, 2012; Bandyopadhyay et al., 2009; De Smidt & Botzen, 2018; Franke & Meland, 2019). Others deal with the cybersecurity insurance companies (i.e. the suppliers of cybersecurity insurance services), mainly in the context of assessing cybersecurity risks (Eling & Schnell, 2016; Meland et al., 2017; Tøndel et al., 2016). Eling and Schnell (2016) pointed out that the research on cybersecurity risk is limited while emphasizing the immense difficulties to insure cybersecurity risk, mainly due to lack of data and modelling approaches, mentioning that availability of data on cybersecurity risk is rather scarce. ...
... Other research examined the insurance market in different geographical zones, as well as the decision process of insurance companies relating to cybersecurity insurance and risk handling. Tøndel et al. (2016) emphasized the supplier, the cybersecurity insurance companies, mainly in the Nordic market, and examined their challenges in assessing cybersecurity risk. They found that the abilities of insurance companies to evaluate risk assessment is highly impacted by limited experience with cybersecurity insurance services and little historical data to rely on. ...
Article
This study examines the cybersecurity insurance market in the United States (U.S.) in order to reveal if an “invisible hole” of services and information exists in this market. This is performed by mapping the cybersecurity insurance services, offered by insurance companies, to cope with cybersecurity risks, and finding in which way these services are exposed, visible and comprehensive, in the insurance companies' websites. The research questions examined the extent of cybersecurity insurance services offered by the main U.S. insurance companies; the visibility of such services on their websites; and the types of services offered. The sample included 44 insurance companies based upon nine lists of the top U.S. insurance companies. The findings present that most companies (68%) offer cybersecurity insurance services, while only a few (26.92%) expose such information in a visible way. Moreover, on the one hand, the insurance companies use general terms for services, which may be blurry and ambiguous, while on the other hand, there is a wide spread of specific services, most of them (81%) provided only by few companies. These findings may derive from insufficient understanding of cybersecurity insurance clients' needs and may reflect the lack of maturity of the cybersecurity insurance market, as matured marketplaces are mostly more standardized. This study demonstrates that there is a long way to advance until the insurance market for cybersecurity risks will be mature, customers (businesses and organizations) will understand the needs for such insurance, and insurance companies will develop and offer relevant insurance services.
... Moreover, 74% of UK businesses deem cyber security as a high priority for their operation. However, it is challenging to apply cyber insurance to enhance wireless security, due to the difficulty in characterizing and assessing wireless risks [20]. This motivates us to incorporate risk modeling and quantification of cellular networks into a cyber insurance framework. ...
... Fig. 10 shows the impact of the density of eavesdroppers ρ_E on the ruin probability ψ. It can be found that ψ increases exponentially with ρ_E. ... [Fig. 9(c), ξ = 0.5: Ruin probability as a function of N_s (p_l = 1).]
Article
The fifth-generation (5G) wireless networks are expected to provision value-added services with ubiquitous coverage, which makes data security unprecedentedly critical. In this context, physical layer security has emerged as a promising solution to safeguard data transmission by exploiting characteristics of the wireless medium. Despite the recent technological advance in physical layer security and wireless transmission, secrecy outages (i.e., data breaches) and service outages (i.e., connection failures) will inevitably happen and incur financial losses. This economical consequence is a fact that is mostly overlooked by the existing literature. To provide financial protection against secrecy outage and service outage, we introduce a cyber insurance framework for wireless users in cellular networks, where each user pays a premium to an insurer for a future financial compensation if an outage occurs to him/her. In particular, we derive the network risks of the cellular users in terms of secrecy outage probability and service outage probability as well as the financial risk of the cyber insurer in terms of the ruin probability which indicates the chance that the insurer experiences a deficit in affording the losses of outage users. Through numerical evaluation, we demonstrate the impact of network performance on the financial risk of the insurer. The numerical results also show that the ruin probability of the insurer can be effectively reduced by equipping a larger number of antennas at base stations or increasing network frequency reuse.
... A summary of the literature study to answer the fourth research question (RQ4) can be seen in TABLE VIII.
  • [36] Cyber losses identifier
  • [32] Decision-theoretic model
  • [52] Framework for insurance
  • [30] Analysis of risk model
  • [9] Risk assessment method
  • [48] Cyber insurance model
  • [49] Cyber insurance model
  • [34] Model of secondary loss
  • [7] Uninterruptible power supply solutions
  • [31] Model for cybersecurity information sharing
  • [45] Interaction model the insured and the insurer
  • [17] Model for data breach cost
  • [28] Framework for internal security assessment
  • [40] Scoring model for cyber insurance
  • [29] Cyber risk assessment and risk evaluation
  • [41] Framework for differentiated pricing
  • [22] Model to measure extreme risk
  • [42] Design of cyber insurance policies
  • [10] Machine learning for cybersecurity assessment
  • [43] Framework for a cyber insurance contract
  • [11] Data breach notification laws
  • [27] A framework of cyberproduct using blockchain
  • [21] Model for cybersecurity information exchange
  • [44] Model for security assessment
  • [33] Computation of tractable approximation
  • [24] Framework for cyber risk estimation
  • [23] Optimal strategies analysis
  • [37] Scheme for an optimal cyber insurance contract
  • [26] Model for optimal spending in cybersecurity
  • [14] Model for data breach losses
  • [50] Investment optimal distribution
  • [25] Model for optimal cyber insurance policies
  • [16] Build cyber insurance policies
  • [20] Optimal security investment
  • [8] Model for insurance cover the spillover effect
  • [38] Model of the cyber insurance market
  • [18] Cyber insurance framework
  • [39] Framework for cyber insurance policy awareness
  • [15] Guide for transportation infrastructure practitioners
  • [51] Suggest to the government to make policies
  • [13] Framework for cyberrisk assessment and mitigation
  • [46] Model to investigate the interaction between the insurer and insured
  • [19] Model for user risk probability and optimal cyber insurance
  • [35] Framework for cybersecurity incident communication
  • [12] A framework of cybersecurity investment decision
  • [47] Suggest to the government to create guidance and regulatory ...
... The Bayesian probabilities used in CRISM to generate risk scores can be improved by incorporating more data. For example, by analysing databases containing large amounts of cyber event information, other factors could be determined to update probabilities and increase accuracy. ... [Footnote 27: See Tøndel et al. (2016).]
Article
Effective cyber risk management should include the use of insurance not only to transfer cyber risk but also to provide incentives for insured enterprises to invest in cyber self-protection. Research indicates that asymmetric information, correlated loss, and interdependent security issues make this difficult if insurers cannot monitor the cybersecurity efforts of the insured enterprises. To address this problem, this paper proposes the Cyber Risk Scoring and Mitigation (CRISM) tool, which estimates cyberattack probabilities by directly monitoring and scoring cyber risk based on assets at risk and continuously updated software vulnerabilities. CRISM also produces risk scores that allow organisations to optimally choose mitigation policies that can potentially reduce insurance premiums.
Preprint
As the body of academic literature continues to grow, researchers face increasing difficulties in effectively searching for relevant resources. Existing databases and search engines often fall short of providing a comprehensive and contextually relevant collection of academic literature. To address this issue, we propose a novel framework that leverages Natural Language Processing (NLP) techniques. This framework automates the retrieval, summarization, and clustering of academic literature within a specific research domain. To demonstrate the effectiveness of our approach, we introduce CyLit, an NLP-powered repository specifically designed for the cyber risk literature. CyLit empowers researchers by providing access to context-specific resources and enabling the tracking of trends in the dynamic and rapidly evolving field of cyber risk. Through the automatic processing of large volumes of data, our NLP-powered solution significantly enhances the efficiency and specificity of academic literature searches. We compare the literature categorization results of CyLit to those presented in survey papers or generated by ChatGPT, highlighting the distinctive insights this tool provides into cyber risk research literature. Using NLP techniques, we aim to revolutionize the way researchers discover, analyze, and utilize academic resources, ultimately fostering advancements in various domains of knowledge.
Article
As individuals become increasingly digitally dependent, cyber threats and cyber insurance to mitigate them gain relevance. This literature review conceptualizes a framework for siting Personal Cyber Insurance (PCI) within the context of cyberspace. The lack of empirical research within this domain demonstrates a need to identify and define the scope of PCI in order to allow cyber insurers to understand customer needs, and to conduct effective management and distribution of PCI products and services. We conducted a systematic literature review of 229 articles that were clustered into three meta-level themes: cyberspace, personal cyber risk, and PCI. The literature review indicates a significant paucity of research related to PCI particularly as it is influenced by antecedent risk externalities, the nature of cyberspace itself, the PCI market and operations, and post-cyber event support. The paper concludes with a proposal for a future research agenda.
Article
We present an economic model for decisions on competing cyber-security and cyber-insurance investment based on the Gordon-Loeb model for investment in information security. We consider a one-period scenario in which a firm may invest in information security measures to reduce the probability of a breach, in cyber-insurance or in a combination of both. The optimal combination of investment and insurance under the assumptions of the Gordon-Loeb model is investigated via consideration of the costs and benefits of investment in security alongside purchasing insurance at an independent premium rate. Under both exponential (constant absolute risk aversion) and logarithmic (constant relative risk aversion) utility functions it is found that when the insurance premium is below a certain value, utility is maximised with insurance and security investment. These results suggest that cyber-insurance is a worthwhile undertaking provided it is not overly costly. We believe this model to be the first attempt to integrate the Gordon-Loeb model into a classical microeconomic analysis of insurance, particularly using the Gordon-Loeb security breach functions to determine the probability of an insurance claim. The model follows the tradition of the Gordon-Loeb model in being accessible to practitioners and decision makers in information security.
Article
This paper examines the design of affirmative and silent coverage in view of the cyber risks in traditional insurance policies for select product lines on the German market. Given the novelty and complexity of the topic and the insufficient coverage in the literature, we use two different sources. We analysed the general insurance terms and conditions of different traditional insurance lines using Mayring’s qualitative content analysis. Also, we conducted interviews with experts from the German insurance industry to evaluate how insurers understand their silent cyber exposures, and what measures they take to deal with this new exposure. The study shows a considerable cyber liability risk potential for insurers in the considered insurance lines. This arises from the affirmative as well as silent cover inclusions and exclusions for cyber risks, which result from imprecise wordings of insurance clauses and insufficient descriptions of the contractually specified scope of the insurance coverage.
Article
Purpose: This paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience. Design/methodology/approach: The study is based on semi-structured interviews with supply-side actors: six general insurance companies, one marine insurance company and two insurance intermediaries. Findings: The Norwegian cyber-insurance market supply-side has grown significantly in the past two years. The General Data Protection Regulation (GDPR) is found to have had a modest effect on the market so far but has been used by the supply-side as an icebreaker to discuss cyber-insurance with customers. The NIS Directive has had little or no impact on the Norwegian cyber-insurance market until now. Informants also indicate that Norway is still the least mature of the four Nordic markets. Practical implications: Some policy lessons for different stakeholders are identified. Originality/value: Empirical investigation of cyber-insurance is still rare, and the paper offers original insights on market composition and actor motivations, ambiguity of coverage, the NIS Directive and GDPR.
Article
Against the background of a highly dynamic, extremely changeable risk landscape in companies, this article examines the status quo of insurance for cyber risks and how such threats are handled in risk management. Given the novelty and complexity of the topic and its inadequate treatment in the literature to date, interviews are conducted with experts from insurance and consulting companies as well as interest groups. The results show that, in corporate practice, a lack of risk awareness of cyber threats is a significant factor influencing IT security, and that cyber risks are often insufficiently considered in risk management. In addition, cyber policies currently do not offer all-risk coverage for cyber losses, and the German cyber insurance market has so far been little developed.
Article
Cyber insurance is a rapidly developing area which draws more and more attention of practitioners and researchers. Insurance, an alternative way to deal with residual risks, was only recently applied to the cyber world. The immature cyber insurance market faces a number of unique challenges on the way of its development. In this paper we summarise the basic knowledge about cyber insurance available so far from both market and scientific perspectives. We provide a common background explaining basic terms and formalisation of the area. We discuss the issues which make this type of insurance unique and show how different technologies are affected by these issues. We compare the available scientific approaches to analysis of cyber insurance market and summarise their findings with a common view. Finally, we propose directions for further advances in the research on cyber insurance.
Technical Report
Risk transfer can be an economically favorable way of handling security and privacy issues, but choosing this option indiscriminately and without proper knowledge is a risk in itself. This report provides an overview of knowledge gaps related to cyber-insurance as a risk management strategy. These are grouped into three high-level topics; cyber-insurance products, understanding and measuring risk and estimation of consequences. The topics are further divided into 11 knowledge areas with recommendations for further research. The work is based on a study of academic literature and other written materials, such as various reports and newspaper articles. There is a clear lack of empirical data on cyber-insurance, and in particular qualitative studies aiming to understand and describe needs, obstacles and processes relevant for cyber-insurance. We recommend a stronger emphasis on research related to topics that are specific to cyber-insurance, covering decision models for buyers of insurance, barriers for information sharing, impact of cyber-insurance on security, and business models for insurers.
Conference Paper
Context: At the same time as our dependence on IT systems increases, the number of reports of problems caused by failures of critical IT systems has also increased. This means that there is a need for risk analysis in the development of this kind of system. Risk analysis of technical systems has a long history in mechanical and electrical engineering. Objective: Even if a number of methods for risk analysis of technical systems exist, the failure behaviour of information systems is typically very different from mechanical systems. Therefore, risk analysis of IT systems requires different risk analysis techniques, or at least adaptations of traditional approaches. This means that there is a need to understand what types of methods are available for IT systems and what research has been conducted on these methods. Method: In this paper we present a systematic mapping study on risk analysis for information systems. 1086 unique papers were identified in a database search and 57 papers were identified as relevant for this study. These papers were classified based on 5 different criteria. Results: This classification, for example, shows that most of the discussed risk analysis methods are qualitative and not quantitative and that most of the risk analysis methods that are presented in these papers are developed for IT systems in general and not for specific types of IT system, like medical systems. Conclusions: The results show that many new risk analysis methods have been proposed in the last decade but even more that there is a need for more empirical evaluations of the different risk analysis methods. Many papers were identified that propose new risk analysis methods, but few papers discuss a systematic evaluation of these methods or a comparison of different methods based on empirical data.
Article
Various aspects related to the use of recently developed cyber-risk insurance policies aimed at providing coverage against losses from internet related breaches in information security are discussed. A generic framework for using cyber-risk insurance for helping to manage information security risk is described. The framework is based on the entire risk management process and includes a comprehensive four-step cyber-risk insurance decision plan. Various aspects related to pricing of such insurance policies, and the effects that may arise out of adverse selection are also discussed.
Article
For Resilience Engineering, 'failure' is the result of the adaptations necessary to cope with the complexity of the real world, rather than a breakdown or malfunction. The performance of individuals and organizations must continually adjust to current conditions and, because resources and time are finite, such adjustments are always approximate. This definitive new book explores this groundbreaking new development in safety and risk management, where 'success' is based on the ability of organizations, groups and individuals to anticipate the changing shape of risk before failures and harm occur. Featuring contributions from many of the world's leading figures in the fields of human factors and safety, Resilience Engineering: Concepts and Precepts provides thought-provoking insights into system safety as an aggregate of its various components, subsystems, software, organizations, human behaviours, and the way in which they interact. The book provides an introduction to Resilience Engineering of systems, covering both the theoretical and practical aspects. It is written for those responsible for system safety on managerial or operational levels alike, including safety managers and engineers (line and maintenance), security experts, risk and safety consultants, human factors professionals and accident investigators.
Article
According to conventional wisdom, information security management must start with a quantitative risk analysis. Such an analysis works fine in theory, but it hardly works in practice. Baseline requirements, vulnerability management, and qualitative risk analysis can combine to provide a viable alternative.
Article
To achieve a proper balance between security investments and acceptable loss, businesses take a mixed approach to risk management. In addition to preventive and remedial actions and self-insurance, many are now buying cyberinsurance, a cost-saving but still-developing strategy.
Article
This paper describes a new method for the development of early warning indicators based on resilience and Resilience Engineering. This resilience based early warning indicator (REWI) method consists of three main parts. The first part is a set of contributing success factors being attributes of resilience, the second part is general issues for each of the contributing success factors ensuring that the goal of each contributing success factor is fulfilled, and the third part is the indicators established for each general issue, i.e., the way of measuring the general issues. This research has shown that it is possible to develop 'an indicator system' based on resilience engineering theory from which early warning indicators can be established. It may be used as a stand-alone system, or indicators established by other approaches may be included for the final selection of indicators. Further work is necessary in order to investigate to what degree these resilience based indicators are complementary to other safety performance indicators, for instance whether they provide a more appropriate measure of the ability to 'cope with the unexpected'.
Article
This paper discusses the adequacy of insurance for managing cyber risk. To this end, we extract 994 cases of cyber losses from an operational risk database and analyse their statistical properties. Based on the empirical results and recent literature, we investigate the insurability of cyber risk by systematically reviewing the set of criteria introduced by Berliner (1982). Our findings emphasise the distinct characteristics of cyber risks compared with other operational risks and bring to light significant problems resulting from highly interrelated losses, lack of data and severe information asymmetries. These problems hinder the development of a sustainable cyber insurance market. We finish by discussing how cyber risk exposure may be better managed and make several suggestions for future research.
Conference Paper
Recent literature on cyber-insurance has stressed the importance of discriminating network users on insurance contracts for the following reasons: (i) preventing adverse selection, (ii) partly internalizing the negative externalities of interdependent security, (iii) achieving maximum social welfare, (iv) helping a risk-averse insurer to distribute costs of holding safety capital among its clients, and (v) insurers sustaining a fixed amount of profit per contract. Thus, an important problem is studying ways to appropriately execute the user discrimination process. In this paper we take a network topological perspective and propose a technique (mechanism) to pertinently contract discriminate insured network users. We mathematically show that the Bonacich/Eigenvector centralities of network users is an appropriate parameter for differentiating insurance clients.
Conference Paper
This paper presents a method for evaluating an organization's ability to manage security incidents. The method is based on resilient thinking, and describes how to identify, select and implement early-warning indicators for information security incident management.
Article
The growth in qualitative research is a well-noted and welcomed fact within the social sciences; however, there is a regrettable lack of tools available for the analysis of qualitative material. There is a need for greater disclosure in qualitative analysis, and for more sophisticated tools to facilitate such analyses. This article details a technique for conducting thematic analysis of qualitative material, presenting a step-by-step guide of the analytic process, with the aid of an empirical example. The analytic method presented employs established, well-known techniques; the article proposes that thematic analyses can be usefully aided by and presented as thematic networks. Thematic networks are web-like illustrations that summarize the main themes constituting a piece of text. The thematic networks technique is a robust and highly sensitive tool for the systematization and presentation of qualitative analyses.
Article
Attack trees provide a methodical way of describing threats against, and countermeasures protecting, a system. By extension, attack trees provide a methodical way of representing the security of systems. They allow people to make calculations about security, compare the security of different systems, and do a whole bunch of other cool things. This chapter starts with a simple attack tree for a noncomputer security system, and builds the concepts up slowly. It illustrates a simple attack tree against a physical safe, and an attack tree for the PGP e-mail security program. Once people build up a library of attack trees against particular computer programs, door and window locks, network security protocols, or whatever, they can reuse them whenever they need to. For a national security agency concerned about compartmentalizing attack expertise, this kind of system is very useful.
Chapter
Bayesian networks are probabilistic models based on direct acyclic graphs. These models enable a direct representation of causal relations between variables. Their structure is ideal for combining prior knowledge, which often comes in causal form, and observed data. This article gives a short description of the concepts of this important class of models that have become extremely popular in recent years.
Article
We propose a comprehensive formal framework to classify all market models of cyber-insurance we are aware of. The framework features a common terminology and deals with the specific properties of cyber-risk in a unified way: interdependent security, correlated risk, and information asymmetries. A survey of existing models, tabulated according to our framework, reveals a discrepancy between informal arguments in favor of cyber-insurance as a tool to align incentives for better network security, and analytical results questioning the viability of a market for cyber-insurance. Using our framework, we show which parameters should be considered and endogenized in future models to close this gap.
Conference Paper
Organizations live with residual IT security risk since technological controls are imperfect. This underlines the importance of cyber insurance in the management of IT security risk. Despite the obvious advantages, cyber insurance instruments are scarcely utilized in practice. Extant research mostly considers the economic aspects of the rational purchase of cyber insurance. In contrast, we take an organizational perspective and attempt to isolate the paradigms, contexts and constituent forces that shape the organizational decision making process towards utilization of cyber insurance. Prescriptive and descriptive decisional models are analyzed, organizational decision constituencies are explained and domain specific contexts are included before we propose an integrated decision framework for organizational utilization of cyber insurance.
Article
Over the past four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. Although restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. So far, there is no systematic overview of the available methods. In this article, the authors survey verification, validation, and evaluation methods referenced in ISRM literature and discuss which ISRM phase to apply the methods. They then demonstrate how to select appropriate methods with a real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation, and evaluation and can serve as a reference for ISRM researchers and users who aim to establish trust in their results.
Article
Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management programs.
Article
The emergence of cyberinsurance to provide incentives for security investments that reduce risk of network or information security breaches is discussed. The increasingly rising number of virus attacks, hacker assaults, and other IT security incidents has brought new urgency to efforts to strengthen IT security at every level. IT security has referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks and mitigation measures to reduce losses when a security breach occurs. Cyberinsurers could administer surveys at regular intervals and link coverage to a certain minimum standard of security. Carriers and customers both have become more sophisticated in dealing with security assessments before obtaining cyberinsurance coverage. Demand for both liability and first-party coverage is rising, and the insurance industry is responding by cautiously increasing its capacity to underwrite cyberpolicies.