Tackling the cybersecurity challenge is a matter of survival for society at large. Cyber attacks are rapidly increasing in sophistication and magnitude—and in their destructive potential. New threats emerge regularly, the last few years having seen a ransomware boom and distributed denial-of-service attacks leveraging the Internet of Things.
For organisations, the use of cybersecurity risk management is essential in order to manage these threats. Yet current frameworks have drawbacks which can lead to the suboptimal allocation of cybersecurity resources. Cyber insurance has been touted as part of the solution – based on the idea that insurers can incentivize companies to improve their cybersecurity by offering premium discounts – but cyber insurance levels remain limited. This is because companies have difficulty determining which cyber insurance products to purchase, and insurance companies struggle to accurately assess cyber risk and thus develop cyber insurance products.
To deal with these challenges, this volume presents new models for cybersecurity risk management, partly based on the use of cyber insurance. It contains:
- A set of mathematical models for cybersecurity risk management, including (i) a model to assist companies in determining their optimal budget allocation between security products and cyber insurance and (ii) a model to assist insurers in designing cyber insurance products.
- The models use adversarial risk analysis to account for the behavior of threat actors (as well as the behavior of companies and insurers).
- To inform these models, we draw on psychological and behavioural economics studies of decision-making by individuals regarding cybersecurity and cyber insurance.
- We also draw on organizational decision-making studies involving cybersecurity and cyber insurance.
Its theoretical and methodological findings will appeal to researchers across a wide range of cybersecurity-related disciplines including risk and decision analysis, analytics, technology management, actuarial sciences, behavioural sciences, and economics. The practical findings will help cybersecurity professionals and insurers enhance cybersecurity and cyber insurance, thus benefiting society as a whole.
This book grew out of a two-year European Union-funded project under Horizons 2020, called CYBECO (Supporting Cyber Insurance from a Behavioral Choice Perspective).
Table of Contents
David R□□os Insua, Nikos Vasileiadis, Aitor Couce Vieira, and Caroline Baylon
2. The Cybersecurity and Cyber Insurance Landscape
Katsiaryna Labunets, Wolter Pieters, Michel van Eeten, Dawn Branley-Bell, Lynne Coventry, Pam Briggs, and In□es Mart□□nez, Jhoties Sewnandan
3. Behavioural Issues in Cybersecurity
Jose Vila, Pam Briggs, Dawn Branley-Bell, Yolanda Gomez, and Lynne Coventry
4. Risk Management Models for Cyber Insurance
Aitor Couce Vieira, David R□□os Insua, Caroline Baylon, and Sebastain Awondo
5. A Case Study in Cybersecurity Resource Allocation and Cyber Insurance
Alberto Redondo, Aitor Couce Vieira, David R□□os Insua and Caroline Baylon
Caroline Baylon, Deepak Subramanian, Jose Vila, and David Rios Insua
David Ríos Insua is AXA-ICMAT Chair in Adversarial Risk Analysis and a Member of the Spanish Royal Academy of Sciences.
Caroline Baylon is Security Research and Innovation Lead at AXA and a Research Affiliate at the Centre for the Study of Existential Risk, University of Cambridge.
Jose Vila is Scientific Director at DevStat and Associate Professor of Behavioural Economics at the University of Valencia.
"Cyber security is a multidisciplinary subject involving, IT, systems and security engineering. While in dealing with and protection against cyber risks other disciplines including decision and statistical analysis, psychology, risk management and insurance are also involved. This broad spectrum of fields of science is also reflected in the number of contributors to this edited collection of research findings. Originally a two-year research funded by the EU, the book covers in six chapters, cyber security research findings, simulated models as well as risk protection mechanism.
Many challenging issues in cyber risks which are not generally well understood by many businesses are discussed in this volume. A novelty of this book is in discussing behavioural aspects of cyber risks in chapter three.
The methodology and modelling discussed in this book lends much to system and security engineering, decision analysis and risk management using flow charts [. . .]. This book is not a textbook written for any particular curriculum, but can be supplementary material for IT security, risk research and insurance applications."
- Series A, Statistics in Society, Royal Statistical Society