Cyber Insurance of Information Systems
Security and Privacy Cyber Insurance Contracts for ICT and Healthcare Organizations

George Hatzivasilis, Panos Chatziadam, Nikos Petroulakis, Sotiris Ioannidis
Institute of Computer Science, FORTH, Heraklion, Crete, Greece
{hatzivas, panosc, npetro, sotiris}@ics.forth.gr

Matteo Mangini
Network Integration and Solutions (NIS) Srl., Genova, Italy
matteo.mangini@nispro.it

Christos Kloukinas
Department of Computer Science, City, University of London, London, UK
C.Kloukinas@city.ac.uk

Artsiom Yautsiukhin
Institute for Informatics and Telematics (IIT), Italian National Research Council (CNR), Naples, Italy
artsiom.yautsiukhin@iit.cnr.it

Michalis Antoniou
HD Insurance (HDI) Ltd., Athens, Greece
michalis.antoniou@hellasdirect.gr

Dimitrios G. Katehakis
Center for eHealth Applications and Services (CeHA), Heraklion, Greece
katehaki@ics.forth.gr

Marios Panayiotou
Cablenet Communication Systems Ltd.
m.panayiotou@cablenetcy.net
Abstract—Nowadays, more and more aspects of our daily activities are digitalized. Data and assets in cyber-space, both for individuals and organizations, must be safeguarded. Thus, the insurance sector must face the challenge of digital transformation in the 5G era with the right set of tools. In this paper, we present CyberSure, an insurance framework for information systems. CyberSure investigates the interplay between certification, risk management, and insurance of cyber processes. It promotes continuous monitoring as the new building block for cyber insurance in order to overcome the current obstacles of identifying in real time contractual violations by the insured party and receiving early warning notifications prior to the violation. Lightweight monitoring modules capture the status of the operating components and send data to the CyberSure backend system, which performs the core decision making. Therefore, an insured system is certified dynamically, with the risk and insurance perspectives being evaluated at runtime as the system operation evolves. As new data become available, the risk management and the insurance policies are adjusted and fine-tuned. When an incident occurs, the insurance company possesses adequate information to assess the situation fast, estimate accurately the level of a potential loss, and decrease the required period for compensating the insured customer. The framework is applied in the ICT and healthcare domains, assessing the systems of medium-size organizations. GDPR implications are also considered, with the overall setting being effective and scalable.

Keywords—insurance, security, risk analysis, certification, ICT, e-health, CyberSure, Event Calculus
I. INTRODUCTION
The increasing importance of the digital insurance market worldwide and the challenges arising in it are indicated by several studies [1], [2]. Recent surveys [2], [3] show significant trends, including: fast expansion, significant investment (e.g., €51M by multi-line insurers, €30M by property and casualty (P&C) insurers and €21M by life insurers), and a dramatic increase in cyber insurance costs and premiums.
Cyber insurance and security certification have been effective and widely accepted means of managing uncertainty and risks, and of establishing trust in the provision of cyber systems [4], [5]. Certification provides evidence of a satisfactory regular assessment of the provision of a service against protection mechanisms designed to mitigate security risks. Additionally, insurance (i) establishes responsibility for covering the costs of re-instating service provision following interruptions or deviations from contractual obligations and/or regulatory standards, and (ii) can provide compensation for losses suffered by service consumers due to improper service operation (e.g., loss of personal or commercially sensitive data). Certification and insurance have been used as two instruments of risk mitigation and trust establishment in a wide spectrum of services and industries, such as construction businesses, transportation, hospitality, Information and Communications Technology (ICT), healthcare, and services in the banking sector (e.g. [6], [7], [8], [9]).
From an insurance perspective, having cyber security certifications is a way to demonstrate that certain security controls have been implemented according to appropriate standards [4]. Thus, for certified products some insurance companies require reduced premiums [6], [10].
The substantial new revenue opportunities arising from cyber insurance need to be complemented by large cost savings [11], [12]. Also, insurance will need to introduce more accurate risk assessments, behavior-based insurance contracts and dynamic pricing, and handle diverse consumer technology and frequent regulatory changes driven by new compliance challenges. These trends require more dynamic and automated creation, management and adaptation of cyber insurance policies, including dynamic risk assessment and dynamic pricing [12]. In addition, the costs of acquiring customers can be reduced by the use of analytics and increased insurance customization to the characteristics of the subject of insurance.

This work has received funding from the European Union Horizon 2020 research and innovation programme under the grant agreements No. 786890 (THREAT-ARREST) and No. 830927 (CONCORDIA), and the Marie Skłodowska-Curie grant agreement No. 734815 (Cyber-Sure).
These requirements cannot, however, be addressed effectively at present [11], [13], [14]. More specifically, certification is currently carried out according to schemes based on labor-intensive inspection and offline testing of cyber systems at distinct time points (e.g. annually). Hence, it is costly and cannot guarantee the preservation of certified properties in between the certification audits. Furthermore, as the estimation of risk and the creation of cyber insurance policies also take place at distinct periodic points (rather than continuously), they cannot take into account any changes in systems that may have happened in between. Also, in current practice, the estimation of risk and the creation of insurance contracts do not consider detailed operational evidence obtained through continuous monitoring and testing. Thus, risk estimates might not be accurate and insurance policies might not be effective enough for the insurer and the insured.
The overall aim of CyberSure is to fill these gaps by developing an innovative framework supporting the creation and management of cyber insurance policies and offering a sound liability basis for establishing trust in cyber systems and services. This framework will be supported by a platform of integrated tools enabling:
1. the dynamic certification of the security and privacy properties of cyber systems and services that need to be insured,
2. the dynamic estimation of security and privacy risks for such systems and services, and
3. the development, monitoring, and management of the related cyber insurance policies for these systems and services based on (1) and (2).
Two indicative application scenarios that exhibit different assessment features are considered, with CyberSure evaluating: i) the cloud services¹ in Cyprus that are offered by the Internet provider Cablenet to end-customers, and ii) the healthcare software suite² that is provided by an IT vendor (third-party) to a local hospital in Greece.
The rest of the paper is structured as follows: Section 2 outlines the related solutions of cyber insurance and their limitations. Section 3 presents the proposed CyberSure framework and its underlying components. The applied insurance model and the business innovation are detailed in Section 4. The evaluated organizations and their assessment are presented in Section 5. Finally, Section 6 concludes the results of this work.

¹ CABLENET: https://www.cablenetbusiness.com.cy/public-cloud-services-for-business/cloud-server/
² CeHA: https://www.ics.forth.gr/ceha/FlipbookV1/CeHA.pdf
II. BACKGROUND & COMPARISON WITH RELATED WORK
Insurance tries to protect an organization or individual from economic loss, managing risk and uncertainty [15], [16], [17]. In the case of cyber insurance, we also need to assess the imposition of certain standards (i.e. for security, privacy, safety, dependability, etc.). This study focuses on the security and privacy aspects of an information system. Specifically, it concentrates on the insurance of ICT or healthcare organizations, taking into account the compliance demanded in Europe with the General Data Protection Regulation (GDPR) [18] and data offloading (e.g. [19]), respectively.
Today, there are several cyber insurance frameworks that are offered by international insurance stakeholders [2], [3]. Table I lists the most representative of them and summarizes their main features. CyberSure's insurance strategy extends the capabilities of the HDI cyber insurance modules.
TABLE I. CYBER INSURANCE SOLUTIONS

| Product Name / Covers | HDI (CyberSure) | AIG Cyber Edge | Allianz Cyber Protect | Chubb Cyber ERM / DigiTech | CNA NetProtect 360 | Liberty Cyber |
|---|---|---|---|---|---|---|
| Event management | X | X | X | X | X | X |
| Protection liability | | | | | | |
| Third party liability | X | X | X | X | X | X |
| Cyber liability | X | X | X | X | X | X |
| Digital media | X | (opt.) | X | X | (opt.) | (opt.) |
| Network interruption | X | X | X | X | (opt.) | X |
| Cyber extortion | (opt.) | (opt.) | (opt.) | X | (opt.) | (opt.) |
The evaluated cyber threats [15], [16] include i) general attacks (e.g. malware, Denial of Service (DoS), etc.), ii) data breaches by hackers (i.e. security failures, unauthorized access, and employee negligence), iii) ransomware, impersonation fraud, phishing, whaling, spam/infected email, and iv) problems or exposure caused by collaborating third-parties. Fig. 1 illustrates the relevant statistics by claim type for HDI. For the examined ICT and electronic health (e-health) sectors, data breaches constitute the most severe threat (especially with the high fines for GDPR violations), while malware infection, ransomware, and exposure by third-parties are also important.
Fig. 1. HDI’s statistics by claim
Fig. 2. CyberSure’s deployment infrastructure
Insurance is not easy [11], [14]. The next challenges for incumbents include developing underwriting criteria and software solutions to handle coverage for types or classes the industry has no track record for, such as GDPR violations, drones, etc. Emerging areas of new business provide risk and potential return if the price is right. Emerging coverages, however, have potentially very different processing and billing requirements [13].
By relying on automated or semi-automated security certification and risk assessment, CyberSure develops a novel tool-supported framework for cyber insurance. In this framework, insurance policies can drive certification procedures and be based on the outcomes of such processes, demanding specific attention to the risks to be covered and relaxing the assessment of the risks that are not covered by the policy. The interaction between cyber insurance and security certification will also reduce the information asymmetry between insurers and clients. Automating cyber insurance management will also enable the generation of statistical data about risk assessment and rates of accidents, which will improve the maturity of the cyber insurance market.
III. THE CYBERSURE PLATFORM
This section describes the deployment infrastructure of CyberSure. It consists of four core components: i) the risk assessment tools (RIS³ and NESSOS⁴), ii) the certification tool (CUMULUS [21], [22]), iii) the insurance tool (HDI⁵), and iv) the pilot systems (cloud and e-health platforms). The various components of the CyberSure platform are installed in the relevant host companies, with on-line monitoring controls being deployed on the two pilot systems of the ICT provider and the healthcare organization, respectively. The involved systems are integrated and common interfaces are implemented to enable the exchange of information. Fig. 2 depicts the deployment infrastructure of CyberSure, which is detailed below.

³ RIS: https://dgsspa.com/pagine/15/ris
⁴ NESSOS: http://www.nessos-project.eu/
⁵ HDI tool: https://www.hellasdirect.gr/en/
A. Risk Assessment
The two risk assessment tools that perform the baseline and comprehensive risk analysis are installed in the two host companies (the RIS tool in NIS and NESSOS in CNR). The ISO-27001 standard [20] and the GDPR [18] are disassembled into their underlying security and privacy controls, respectively. Then, security experts from these two companies interview the employees of a pilot system sequentially. For both tools, questionnaires and other information are completed on-line by the employees. The tools process the received data and the security experts finalize the risk assessment report.
The baseline analysis is performed with the RIS tool, and the employees are requested to provide related information regarding the operational systems and the deployed controls. The tool assesses the maturity of these defence mechanisms and procedures, and estimates the probability of exploiting each one of them along with their criticality for the business operations. This initial documentation is provided to the evaluated organization along with a set of suggested system upgrades. The process is repeated for a more thorough analysis that examines the final compliance of each pilot system.
Then, a comprehensive risk assessment is performed via the NESSOS tool. The outcomes of the baseline analysis are given as input and the in-depth evaluation concentrates on the most vulnerable points of the system that exhibit high exploitation risk. In contrast to the general analysis of RIS, which takes into account the possibility of facing specific security-/privacy-related events, NESSOS considers real incidents that have been recorded in the examined organization, the local market, or this economic sector in general. Such incidents may include equipment theft, electric power failures, targeted malicious actions against this organization, and coordinated attacks in similar communities.
B. Certification Process
Thereafter, the on-line certification model and the underlying controls are deployed. These are the CyberSure components that continuously monitor a pilot system, issue the certificate, and detect potential violations. They deploy CUMULUS certification models (e.g. [21], [22]) for this purpose and, based on automated (or semi-automated) certification carried out using them, they develop ways of dynamically adjusting risk estimates, insurance policies and premiums. In particular, the framework considers the case of dynamic certification, based on continuous monitoring, dynamic testing and hybrid combinations of them, adaptation of cyber insurance policies as the conditions of the cyber system operation evolve and new data become available, as well as fine-tuning and adjusting the risk associated with the insurance policies.
C. Insurance Contracts
Finally, the final risk assessment outcomes are parsed by the insurance tool that runs in HDI. Classified historical data regarding the considered risks are aggregated in the model together with other parameters, like discounts or penalizations. The insurance experts estimate the economic parameters of the potential insurance contract. Risk diversification is also estimated, meaning that, based on the monitoring portfolio, high-risk aspects are insured at a higher price. The result is a set of contract offers that cover specific operational aspects and risks, providing several options from basic to full coverage of the economic loss. Each evaluated organization chooses one of them based on its needs and financial capabilities.
IV. INSURANCE MODEL & BUSINESS INNOVATION
A. The Insurance Model
The main target of CyberSure is to build a flexible economic model for publication and pricing decisions and to create an automated insurance pricing model. The innovative methods for continuous certification and assurance assist the insurance organization to understand the impact of multiple variables regarding risk and loss, and to price its products.
A Generalized Linear Model (GLM) is applied in order to estimate the economic value for a specific contract. The pricing formulas are described by equations (1-3):

$$\mathit{Pricing} = \sum_{i} \mathit{Cover}_i \quad (1)$$

$$\mathit{Cover}_i = \mathit{Base\_cover}_i \cdot \prod_{j} \left(1 + \mathit{factor}_j\right) \quad (2)$$

$$\mathit{Base\_cover}_i = f_i(\text{main factors}) \quad (3)$$
Here the main factors include core insurance criteria, like: i) revenue or asset value, ii) limits/deductible (reduce small and frequent claims, e.g. if the employees violate the security ISO and use default or weak passwords), iii) critical dependency of business processes on IT/business interruption, iv) past claims (indicative of past security issues or past targeting), v) retention time (reward loyal customers), vi) type of industry (some sectors are more susceptible to attacks than others), vii) type of collected data (sensitive personal data, personal data, or other), and viii) for-profit/non-profit (hacktivist) targeting.
The Base_cover_i in eq. (3) and factor_j in eq. (2) are derived from the risk assessment process. They determine the prices, taking into consideration the relative risk of this customer for each cover.
The insurance model analyzes the interdependency and impact of multiple factors. It is applied for the prediction of risk and cost from the frequency and severity of claims that are related to specific customers. The impact analysis reveals opportunities to lower premiums for the identified lower-risk customers or to increase them for higher-risk ones.
With CyberSure in place, the overall insurance framework can take advantage of the continuous risk assessment and assurance in order to:
1. Provide the total expected loss for each customer (base pricing)
2. Estimate the risk of each cyber threat for each customer (per cover)
3. Assess how these factors are affected if we exclude small and very large claims (according to deductibles/limits)
4. Monitor whether the customers adhere to the security rules
5. Deduce which covers/threats can be supported with a higher confidence level
6. Specify which operations can be offered (e.g. data protection liability)
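A worked instance of equations (1)-(3) and of item 3 above, added here as an example and not the paper's or HDI's pricing model: f_i is taken as the expected annual insurer loss (claim frequency times mean severity after deductible and limit), and the covers, claim samples, deductibles, limits and factor values are constructed placeholders.

```python
"""Worked instance of the CyberSure pricing formulas (1)-(3), Sect. IV.A.

Added example, not the paper's or HDI's pricing model. The covers, claim
samples, deductibles, limits and factor values below are constructed
placeholders, and taking f_i as "expected annual insurer loss" is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Cover:
    name: str
    claims_per_year: float         # expected claim frequency for this customer (from the risk assessment)
    severities: list               # constructed sample of claim sizes in EUR (severity distribution)
    deductible: float              # claims below this stay with the insured (filters small, frequent claims)
    limit: float                   # the insurer pays at most this per claim (caps very large claims)
    factors: dict = field(default_factory=dict)   # factor_j of eq. (2), e.g. {"past_claims": 0.25}


def insurer_share(severity, deductible, limit):
    """Part of one claim that the insurer actually pays: the layer between
    the deductible and the limit."""
    return min(max(severity - deductible, 0.0), limit)


def base_cover(cover, apply_layer=True):
    """Eq. (3): Base_cover_i = f_i(main factors). Here f_i is the expected annual
    insurer loss: frequency times mean (truncated) severity. With apply_layer=False
    the deductible/limit are ignored, which shows how much they shift the price
    (item 3 of the list above)."""
    if apply_layer:
        paid = [insurer_share(s, cover.deductible, cover.limit) for s in cover.severities]
    else:
        paid = list(cover.severities)
    return cover.claims_per_year * sum(paid) / len(paid)


def cover_price(cover):
    """Eq. (2): Cover_i = Base_cover_i * prod_j (1 + factor_j). Positive factors
    are loadings (e.g. sensitive data), negative ones are discounts (e.g. retention)."""
    price = base_cover(cover)
    for f in cover.factors.values():
        price *= 1.0 + f
    return price


def pricing(covers):
    """Eq. (1): Pricing = sum_i Cover_i over the covers in the contract."""
    return sum(cover_price(c) for c in covers)


# Constructed customer: a medium-size organisation holding sensitive personal data,
# insured for data-breach and network-interruption covers.
DATA_BREACH = Cover("data breach", claims_per_year=0.2,
                    severities=[5_000, 20_000, 80_000, 400_000],
                    deductible=10_000, limit=250_000,
                    factors={"sensitive_personal_data": 0.30, "retention": -0.10})
NETWORK_INTERRUPTION = Cover("network interruption", claims_per_year=0.5,
                             severities=[4_000, 15_000, 25_000, 120_000],
                             deductible=5_000, limit=100_000,
                             factors={"it_dependency": 0.20})
CONTRACT = [DATA_BREACH, NETWORK_INTERRUPTION]

if __name__ == "__main__":
    for c in CONTRACT:
        print(f"{c.name}: base {base_cover(c):.0f} EUR (untruncated {base_cover(c, False):.0f}), "
              f"priced {cover_price(c):.0f} EUR")
    print(f"total premium: {pricing(CONTRACT):.0f} EUR")
```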
B. Business Innovation
The platform provides new business services and opportunities for innovation, both for the organizations and the insurance companies that are involved.
1) Insured Organizations
The insured organizations benefit under this setting, as they are provided with accurate and more complete information regarding the real cyber security status, with suitable and effective suggestions for updating the current systems. The overall risk from disruptive and malicious events is reduced and the business operation is safeguarded against significant economic losses.
Whenever possible, the insured organization is provided with warnings of an upcoming violation of the certificate before the relevant event occurs. The insured organization is alerted with timely and adequate information in order to take precautionary measures and avoid cyber-threats.
2) Insurance Companies
One main procedure is the collection of statistical data regarding cyber-threats for the specific economic sectors (i.e. healthcare or ICT). It becomes preferable for an insurance company to utilize the statistical information collected from the currently evaluated organizations in order to update its own database and take more robust decisions regarding its insurance models and policies. The insurance company gathers the data about various incidents that have occurred in the specific domains, based on the risk assessment procedures and the interviews of the accountable personnel that took place prior to the certification process. Then, the company updates the information in its own databases, which are also considered a main business asset.
The overall analysis and evaluation procedures of the examined pilot systems provide adequate information and assist the insurance company in establishing a proper contract with low economic risk. The analysis takes into consideration the fine that is determined by GDPR (€20M or the 4% of the organization's budget). For the insurance company there has to be a decent profit for certifying a business, while the economic risk should also be low.
If an incident occurs that is covered by a valid contract, the insurance company must estimate the loss and pay the agreed amount of money to the involved parties in a short period of time. In case of a cyber-security incident, as the CyberSure platform monitors the runtime operation of the pilot system, it verifies in a short period whether the agreed policies had been followed or violated by the insured organization and facilitates the compensation procedure accordingly.
V. APPLICATION EXAMPLES
For the ICT case study, the cloud provider offers data-offloading services to its customers. It needs to insure its own operation and be protected against compensations that must be paid to the cloud users in case an incident occurs (i.e. a security breach) for which the provider is accountable. For the healthcare case, the hospital's management sector needs to issue an insurance contract between the hospital and the IT company CeHA (the third-party which provides the software suite for the e-health services) in order to comply with the GDPR [18], regarding the preservation of privacy and the prevention of unauthorized disclosure of health-related information. In both studies, we must guarantee that the main confidentiality, integrity, and availability controls, along with the role-based access to the sensitive personal data, are enforced in all cases and that the access rights are properly handled.
The key security, privacy, and dependability requirements for the two pilots include:
1. the preservation of privacy, confidentiality and integrity of customer data or medical records in transit and at rest
2. the preservation of privacy, confidentiality and integrity of financial data and prescriptions in transit and at rest
3. and the preservation of a high degree of availability of the cloud platform and the e-health suite.
The integration of CyberSure with each insured system (Cablenet's cloud and CeHA's suite) must itself comply with these technical criteria. The CyberSure platform does not have access to confidential information (i.e. customers' data or electronic health records (EHRs)). Additionally, the monitoring components at the pilot end do not collect the users'/patients' personally identifiable information (PII) and are compliant with the GDPR.
A. CyberSure's Monitoring Modules
The monitoring controls on the pilot system should capture the personnel's login behavior and inform the organization if it does not comply with the ISO-27001 security policy, e.g. the password strength is not sufficient, the passwords are not changed regularly, there are many failed login attempts, etc. All data collected from the pilot system are anonymized in order to avoid any law violation (GDPR). Also, the service owners must grant their permission for the integration of the monitoring mechanisms with the CyberSure platform. If required, the service owners are also informed of the process.
In case the contract insures the availability of the main servers during the working hours of each organization, the CyberSure platform should inform the beneficiary about the potential violation of the contract before the event actually occurs, e.g., the server has not been maintained for some period and the possibility of a malfunction during the next few days is high.
Fig. 3. The insured services for the two pilot systems: a) email service, and
b) ward management
B. Server Availability SLA Example
Consider that one of the insured organizations needs to sign a service-level agreement (SLA) regarding the availability of the provided server, covering aspects such as the servers' up-time, the EHR availability, and the volume of concurrently supported clients. The organization must guarantee a minimum delay in responding to availability issues for the provided client applications (Fig. 3). The off-time cannot exceed the agreed time during the insured period, as described in the corresponding service level agreement.
We issue a contract utilizing the extended version of CUMULUS. The initial evaluation life-cycle is one year and the contract can be renewed on an annual basis. Every day, the framework must monitor the availability of the system every half hour during the working period. The relevant SLA certification model (CM) is defined based on [21], [22].
The organization requests a certificate from CyberSure's certification authority based on this CM (see Fig. 2). The authority submits it to the certificate generator, which configures the monitoring infrastructure for starting the incremental certification process. It then calls the monitoring manager to find the monitoring infrastructure in the organization's end-devices. This monitor is a Java program that periodically checks the HTTP request status. The reasoning operation is modelled in Event Calculus [23], [24]. When the server is down, a relevant event is sent to CyberSure and the pilot system operator is warned about the potential contract violation. If the problem is fixed within the foreseen period, the monitoring status is restored. Otherwise, the contract is violated and the accountable entity takes the responsibility.
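The reasoning step described above (half-hourly HTTP probes turned into Down/Up events, an Event Calculus fluent for unavailability, a warning on every Down event, and a restored-or-violated verdict depending on the foreseen repair period and the agreed off-time), as an added example written in Python rather than the paper's Java monitor and CUMULUS model: the probe logs are constructed, and the fluent and event names, the working hours and the SLA numbers are assumptions.

```python
"""Event Calculus style reasoning for the server availability SLA of Sect. V.B.

Added example, not the paper's Java monitor or its CUMULUS certification model:
the probe logs are constructed, and the fluent/event names, the working hours
and the SLA numbers are assumptions.
"""
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=30)   # the monitor checks every half hour (Sect. V.B)
FORESEEN_REPAIR = timedelta(hours=2)     # assumed: an outage fixed within 2 h only triggers a warning
MAX_OFF_TIME = timedelta(hours=4)        # assumed: total off-time the SLA tolerates in the insured period
WORK_START = 9                           # assumed: first probe of the working day is at 09:00


def make_probes(day, statuses):
    """Constructed probe log: one (timestamp, HTTP status) pair per half hour
    starting at WORK_START. A real monitor would issue the HTTP request itself;
    here the results are embedded so the example runs offline."""
    first = datetime(day.year, day.month, day.day, WORK_START)
    return [(first + i * PROBE_INTERVAL, s) for i, s in enumerate(statuses)]


def probes_to_events(probes):
    """Map probes to EC events: Down(t) when the server stops answering 200,
    Up(t) when it answers 200 again. Only a change of state emits an event."""
    events, down = [], False
    for t, status in probes:
        ok = status == 200
        if down and ok:
            events.append(("Up", t))
            down = False
        elif not down and not ok:
            events.append(("Down", t))
            down = True
    return events


def holds_at(events, t):
    """EC HoldsAt(Unavailable, t): true once a Down event has happened at or
    before t and no later Up event has terminated it (false initially)."""
    state = False
    for name, when in events:
        if when > t:
            break
        state = (name == "Down")
    return state


def outages(events, period_end):
    """Maximal intervals over which Unavailable holds; an outage still open at
    the end of the monitored period is closed at period_end."""
    result, start = [], None
    for name, when in events:
        if name == "Down":
            start = when
        elif start is not None:
            result.append((start, when))
            start = None
    if start is not None:
        result.append((start, period_end))
    return result


def assess(probes):
    """Apply the contract rule: every Down event warns the operator; the contract
    is violated if an outage outlasts FORESEEN_REPAIR or the summed off-time
    exceeds MAX_OFF_TIME; otherwise the monitoring status is restored."""
    events = probes_to_events(probes)
    downs = outages(events, probes[-1][0])
    total_off = sum((end - start for start, end in downs), timedelta())
    warnings = [when for name, when in events if name == "Down"]
    if any(end - start > FORESEEN_REPAIR for start, end in downs) or total_off > MAX_OFF_TIME:
        verdict = "violated"
    elif downs:
        verdict = "restored"
    else:
        verdict = "compliant"
    return {"verdict": verdict, "warnings": warnings, "off_time": total_off, "outages": downs}


# Constructed logs for one working day: 17 half-hour probes from 09:00 to 17:00.
DAY = datetime(2019, 10, 1)
OK = [200] * 17
# one-hour outage 10:00-11:00: operator warned, then restored within the foreseen period
LOG_RESTORED = make_probes(DAY, OK[:2] + [503, 503] + OK[4:])
# three-hour outage 13:00-16:00: exceeds the foreseen repair period, contract violated
LOG_VIOLATED = make_probes(DAY, OK[:8] + [503] * 6 + OK[14:])

if __name__ == "__main__":
    for label, log in (("restored", LOG_RESTORED), ("violated", LOG_VIOLATED)):
        r = assess(log)
        print(label, r["verdict"], "off-time", r["off_time"],
              "warned at", [w.strftime("%H:%M") for w in r["warnings"]])
```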
VI. CONCLUSION
The digitalization of insurance procedures and the coverage of cyber assets have now become an emerging necessity. The European GDPR further stresses the need for cyber insurance, especially for organizations that process high volumes of sensitive personal data. This article proposes a novel cyber insurance framework, called CyberSure. It tackles several limitations of the current solutions by deploying continuous certification and real-time assessment of risk and of the contracted insurance policies. As a case study, CyberSure assesses the systems of a medium-size cloud provider in Cyprus and a public hospital in Greece. The overall approach is effective and efficient, and reduces the possibility of potential security incidents, benefiting both the insurer and the insured.
ACKNOWLEDGMENT
This work has received funding from the European Union Horizon 2020 research and innovation programme under the grant agreements No. 786890 (THREAT-ARREST) and No. 830927 (CONCORDIA), and the Marie Skłodowska-Curie grant agreement No. 734815 (Cyber-Sure).
REFERENCES
[1] W. Pritchett, "Insurtech 10: Trends for 2019," The Digital Insurer, KPMG, March, 2019, pp. 1-36.
[2] G. Matouschek, "InsurTechs Reshaping insurance today," 27th congress of the International Association of Legal Protection Insurance (RIAD), Dublin, Ireland, 5-6 October, 2017, pp. 1-29.
[3] A. Marotta et al., "Cyber-insurance survey," Computer Science Review, Elsevier, vol. 24, May, 2017, pp. 35-61.
[4] P. H. Meland, I. A. Tøndel, and B. Solhaug, "Mitigating risk with cyberinsurance," IEEE Security & Privacy, vol. 13, no. 6, 2015, pp. 38-43.
[5] OECD, "Enhancing the role of insurance in cyber risk management," OECD Publishing, Paris, 2017, pp. 1-142.
[6] P. Millaire et al., "Latest industry trends in cyber security and cyber insurance," CyberCube, May, 2018, pp. 1-10.
[7] G. Hatzivasilis et al., "The CE-IoT framework for green ICT organizations," IEEE DCOSS, Santorini Island, Greece, 29-31 May, 2019, pp. 1-7.
[8] G. Hatzivasilis et al., "Real-time management of railway CPS," IEEE ECYPS, Bar, Montenegro, 11-15 June, 2017, pp. 1-4.
[9] G. Hatzivasilis et al., "Review of security and privacy for the Internet of Medical Things (IoMT)," IEEE DCOSS, Santorini Island, Greece, 29-31 May, 2019, pp. 8-15.
[10] D. Woods and A. Simpson, "Policy measures and cyber insurance: a framework," Journal of Cyber Policy, Taylor & Francis, vol. 2, no. 2, 2017, pp. 209-226.
[11] P. H. Meland and F. Seehusen, "When to treat security risks with cyber insurance," International Journal on Cyber Situational Awareness, C-MRiC, vol. 3, no. 1, 2018, pp. 39-60.
[12] S. Romanosky et al., "Content analysis of cyber insurance policies: how do carriers price cyber risk?," Journal of Cybersecurity, Oxford Academic, vol. 5, issue 1, Feb. 2019, pp. 1-38.
[13] T. Bandyopadhyay, V. S. Mookerjee, and R. C. Rao, "Why IT managers don't go for cyber-insurance products," Communications of the ACM, ACM, vol. 52, no. 11, 2009, pp. 68-73.
[14] M. Eling and J. H. Wirfs, "Cyber risk: too big to insure? Risk transfer options for a mercurial risk class," University of St. Gallen, Institute of Insurance Economics, 2016, pp. 1-163.
[15] A. Arora and R. Telang, "Economics of software vulnerability disclosure," IEEE Security & Privacy, IEEE, vol. 3, issue 1, Jan.-Feb., 2005, pp. 20-25.
[16] J. Armin et al., "2020 cybercrime economic costs: No measure no solution," IEEE ARES, Toulouse, France, 24-27 Aug., 2015, pp. 701-710.
[17] F. Martinelli et al., "Preventing the drop in security investments for non-competitive cyber-insurance market," 12th International Conference on Risks and Security of Internet and Systems (CRISIS), Dinard, France, 19-21 Sept., 2017, pp. 1-16.
[18] Directive 95/46/EC General Data Protection Regulation (GDPR), European Parliament and European Council, 2016: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679
[19] L. Gao et al., "Economics of mobile data offloading," IEEE INFOCOM, Turin, Italy, 14-19 July, 2013, pp. 1-6.
[20] Information security management systems, ISO/IEC 27001, 2013: https://www.iso.org/isoiec-27001-information-security.html
[21] M. Krotsiani, G. Spanoudakis, and C. Kloukinas, "Monitoring-based certification of cloud service security," OTM Confederated Conferences On the Move to Meaningful Internet Systems, Rhodes, Greece, Springer, LNCS, vol. 9415, 2015, pp. 644-659.
[22] M. Krotsiani, C. Kloukinas, and G. Spanoudakis, "Cloud certification process validation using formal methods," International Conference on Service Oriented Computing, Malaga, Spain, 13-16 Nov., 2017, pp. 65-79.
[23] E. T. Mueller, "Commonsense reasoning: an Event Calculus based approach," Morgan Kaufmann, edition 2, 2015.
[24] G. Hatzivasilis et al., "AmbISPDM: Managing Embedded Systems in Ambient Environment and Disaster Mitigation Planning," Applied Intelligence, Springer, vol. 48, issue 6, pp. 1623-1643, 2017.
... The nature of the analysis was such that the phases of the CeHRes framework were unobvious and hence the roadmap was non-applicable to it. Some of the problems identified in the studies were centered around data privacy [14] [27], right to data portability [27], security [19], right to be forgotten [25] [28], cyber insurance to cover eHealth assets [28], among others. Interestingly, only one article identified and analysed the stakeholders where surveys were used to collect privacy concerns of stakeholders which were then translated into user requirements [19]. ...
... Gamification, a component of modern eHealth applications, which encompasses persuasive features was also identified [29]. Some of the studies went ahead to develop solutions [18][23] [30][15] [28] that solved the identified privacy issue (e.g. [21]) in the eHealth system. ...
Chapter
eHealth systems for behavior change need to cope with a wide variety of privacy requirements specified by governmental and other regulations. We conducted a systematic review of scientific articles. Analysis of the articles revealed General Data Protection Regulation (GDPR) compliant eHealth technologies, challenges posed by GDPR as well as early solutions for them. In addition, we highlight key GDPR issues to be considered when designing persuasive technologies.
... Another novel perspective that could emerge on future applications is cyber insurance [67,68]. Insuring information systems is a risk-controlling procedure for organizations. ...
... Based on these data, the contract price is defined. In our previous work, we had implemented a relevant framework for the continuous insurance of information systems [68]. The recorded LCA properties of the core CE-IoT blockchain could feed relevant solutions with fruitful data for every currently deployed digital asset in the organization's setting. ...
Article
Eco-friendly systems are necessitated nowadays, as the global consumption is increasing. A data-driven aspect is prominent, involving the Internet of Things (IoT) as the main enabler of a Circular Economy (CE). Henceforth, IoT equipment records the system’s functionality, with machine learning (ML) optimizing green computing operations. Entities exchange and reuse CE assets. Transparency is vital as the beneficiaries must track the assets’ history. This article proposes a framework where blockchaining administrates the cooperative vision of CE-IoT. For the core operation, the blockchain ledger records the changes in the assets’ states via smart contracts that implement the CE business logic and are lightweight, complying with the IoT requirements. Moreover, a federated learning approach is proposed, where computationally intensive ML tasks are distributed via a second contract type. Thus, “green-miners” devote their resources not only for making money, but also for optimizing operations of real-systems, which results in actual resource savings.
... WARDOG functionality [12] as well as the active participation of users is crucial. Security certification and cyber insurance are also instruments to establish trust and reduce risk in the provision of a wide spectrum of industries and services ( [19], [20], [21]). Insurance and certification can also enhance the trustworthiness of potential customers. ...
Conference Paper
Botnets form a special type of malware that nowadays constitute one of the biggest threats in cyber-security. Ordinarily, the hacker exploits existing vulnerabilities to infiltrate the system and install a command-and-control (C&C) infrastructure. Thereupon, the system is "botnized" and performs the bot-master's commands. In most cases, the attacker does not intend to destroy the compromised assets but to utilize them in order to perform other types of attacks, such as crypto-mining or Denial of Service (DoS) campaigns to targeted websites. Nevertheless, ransomware or other disruptive attacks can also be launched at some point and harm the owner of the infected equipment. This paper starts with an overview of botnet cases, attacker's tactics, and relevant defense mechanisms. Then, we present a real step-by-step digital forensics investigation on a customer's bare-metal server in the cloud. The attack was performed in 2020. We describe the storyline from the server's installation, the infection, the investigation, the proper mitigation actions, as well as the economic implication. Finally, we sum up which were the main mistakes that enabled the attack and propose a silver bulletin for server setup in the cloud.
Article
The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public–private partnership. This paper rectifies this omission and presents a framework to help underpin such a partnership, giving particular consideration to possible government interventions that might affect the cyber insurance market. We have undertaken a qualitative analysis of reports published by policy-making institutions and organisations working in the cyber insurance domain; we have also conducted interviews with cyber insurance professionals. Together, these constitute a stakeholder analysis upon which we build our framework. In addition, we present a research roadmap to demonstrate how the ideas described might be taken forward.
Article
The need to manage embedded systems, brought forward by the wider adoption of pervasive computing, is particularly vital in the context of secure and safety-critical applications. Technology infiltrates in ordinary things, hitching intelligence and materializing smart systems. Each of these individual entities monitors a specific set of parameters and deduces a constrained local view of the surrounding environment. Many distributed devices exchange information in order to infer the real system state and achieve a consistent global view. However, conflicts may arise due to the integration of deficit pieces of local knowledge. Robust and efficient conflict resolution is essential, especially in cases of emergency where the system must contribute with timely and accurate data to the overall crisis management operation. In this paper, we present AmbISPDM - a formal framework for the management of embedded systems with a coherent conflict resolution mechanism. The process is implemented as a software agent's reasoning behaviour and applied in the multi-agent domain. As a proof of concept, a smart university campus setting is deployed, with agents controlling embedded devices to assist living conditions in normal operation and the evacuation planning in case of fire.
Article
Cyber insurance is a rapidly developing area which draws more and more attention of practitioners and researchers. Insurance, an alternative way to deal with residual risks, was only recently applied to the cyber world. The immature cyber insurance market faces a number of unique challenges on the way of its development. In this paper we summarise the basic knowledge about cyber insurance available so far from both market and scientific perspectives. We provide a common background explaining basic terms and formalisation of the area. We discuss the issues which make this type of insurance unique and show how different technologies are affected by these issues. We compare the available scientific approaches to analysis of cyber insurance market and summarise their findings with a common view. Finally, we propose directions for further advances in the research on cyber insurance.
Article
Information security breaches frequently exploit software flaws or vulnerabilities, causing significant economic losses. Considerable debate exists about how to disclose such vulnerabilities. A coherent theoretical framework helps identify the key data elements needed to develop a sensible way of handling vulnerability disclosure.
Article
Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, the market for insuring against these losses has grown rapidly in the past decade. While there exists much theoretical literature about cyber insurance, very little practical information is publicly available about the actual content of the policies and how carriers price cyber insurance premiums. This lack of transparency is especially troubling because insurance carriers are often cited as having the best information about cyber risk, and know how to assess – and differentiate – these risks across firms. In this qualitative research, we examined cyber insurance policies filed with state insurance commissioners and performed thematic (content) analysis to determine (i) what losses are covered by cyber insurance policies, and which are excluded?; (ii) what questions do carriers pose to applicants in order to assess risk?; and (iii) how are cyber insurance premiums determined – that is, what factors about the firm and its cybersecurity practices are used to compute the premiums? By analyzing these policies, we provide the first-ever systematic qualitative analysis of the underwriting process for cyber insurance and uncover how insurance companies understand and price cyber risks.
Conference Paper
The rapid development of cyber insurance market brings forward the question about the effect of cyber insurance on cyber security. Some researchers believe that the effect should be positive as organisations will be forced to maintain a high level of security in order to pay lower premiums. On the other hand, other researchers conduct a theoretical analysis and demonstrate that availability of cyber insurance may result in lower investments in security. In this paper we propose a mathematical analysis of a cyber-insurance model in a non-competitive market. We prove that with a right pricing strategy it is always possible to ensure that security investments are at least as high as without insurance. Our general theoretical analysis is confirmed by specific cases using CARA and CRRA utility functions.
Article
To achieve a proper balance between security investments and acceptable loss, businesses take a mixed approach to risk management. In addition to preventive and remedial actions and self-insurance, many are now buying cyberinsurance, a cost-saving but still-developing strategy.
Article
Despite positive expectations, cyber-insurance products have failed to take center stage in the management of IT security risk. Market inexperience, leading to conservatism in pricing cyber-insurance instruments, is often cited as the primary reason for the limited growth of the cyber-insurance market. In contrast, here we provide a demand-side explanation for why cyber-insurance products have not lived up to their initial expectations. We highlight the presence of information asymmetry between customers and providers, showing how it leads to overpricing cyber-insurance contracts and helps explain why cyber insurance might have failed to deliver its promise as a cornerstone of IT security-management programs.
W. Pritchett, "Insurtech 10: Trends for 2019," The Digital Insurer, KPMG, March, 2019, pp. 1-36.