
    Investigating the tension between cloud-related actors and individual privacy rights

    Historically, little more than lip service has been paid to the right of individuals to act to preserve their own privacy. Personal information is frequently exploited for commercial gain, often without the person's knowledge or permission. New legislation, such as the EU General Data Protection Regulation (GDPR), has acknowledged the need for legislative protection. The GDPR places the onus on service providers to preserve the confidentiality of their users' and customers' personal information, on pain of punitive fines for lapses. It accords special rights to users, such as the right to be forgotten, and its scope is extraterritorial: it covers the personal data of EU residents wherever in the world that data is processed. Assuring this legislated privacy protection presents a serious challenge, which is exacerbated in the cloud environment. A considerable number of actors are stakeholders in cloud ecosystems. Each has its own agenda, and these are not necessarily well aligned. Cloud service providers, especially those offering social media services, are interested in growing their businesses and maximising revenue. There is a strong incentive for them to capitalise on their users' personal information and usage information, and privacy is often the first victim. Here, we examine the tensions between the various cloud actors and propose a framework that could be used to ensure that privacy is preserved and respected in cloud systems.

    Cyber insurance: the current situation and prospects of development

    The aim of the article is to analyze current trends in the development of cyber insurance. The following methods of scientific research were used in preparing the article: generalization, correlation analysis and comparative analysis. The authors analyze in detail the main trends in the spread of cybercrime. A correlation analysis between the number of registered cybercrimes in a particular country and its GDP and number of business entities indicated no correlation between the studied indicators. The most common types of cybercrime are found to be hacking, unauthorized access, accidental exposure, insider theft and physical theft. The sectoral analysis of the distribution of cybercrime reveals a decrease in the share of financial companies and an increase in the share of health care companies. Cyber insurance is noted to be an effective measure for minimizing the financial consequences of cybercrime; it transfers the residual risk rather than preventing attacks. The article presents a segmentation of the cyber insurance market by geography and by size of insurance company. The results of the analysis show the dominance of US companies in the cyber insurance market. The sectoral distribution of cyber insurance policy purchasers in general follows the trends of the sectoral distribution of cybercrime. The volume of cyber insurance and the expenses of insured legal entities are analyzed, and the main trends in the development of cyber insurance are identified. The factors that hold back the development of cyber risk insurance are also identified; the main ones are the high level of information entropy in the process of cyber risk assessment and the lack of a single standard for the content of cyber insurance policies. In the medium term the cyber insurance market is considered promising for insurance companies, owing to the increasing scale of cyber threats and the costs associated with cyberattacks.

    The Techno-Neutrality Solution to Navigating Insurance Coverage for Cyber Losses

    Insurers currently constrict coverage for losses involving electronic information in traditional insurance product lines. As a result, insurance customers are driven to the brave new world of non-standardized varieties of cyber-risk insurance policies. That world abounds with coverage gaps as the market for cyber insurance sorts itself out. Until that synchronization of coverage for cyber losses occurs, litigation is bound to occur as the boundaries of coverage remain patchwork and uncertain. This article examines the degree to which cyber losses differ from other insured losses. The cyber-loss insurance coverage jurisprudence reveals a mishmash of principles and coverage terms that are largely focused on the technology of the loss and not on the nature of the loss insured. Unpredictable and unhelpful analogies have ensued, prompting a highly inefficient coverage marketplace and the resulting litigation experience. This article also draws parallels with the market experience of a number of now-commonplace insurance coverage products, such as commercial general liability policies, that also went through an initial period of uncertainty. Lessons from those prior insurance experiences are instructive as the wild world of cyber insurance stabilizes. This article proposes that, to reduce the prevalence of insurance coverage disputes about cyber losses, courts should jettison the cyber-loss differentiation altogether and instead focus on the nature of the inherent risk insured against, as opposed to the risk's cyber quality. Taking a technologically neutral stance, applying techno-neutrality to insurance policy language, can act as a market stabilizer. This approach is preferable to introducing new, untested insurance products or, alternatively, risking arbitrary coverage gaps under traditional product lines. The long-term, more commercially sensible solution is for insurers to simply fold cyber-loss coverage into traditional coverage products and not differentiate losses based on particular or peculiar property characteristics.

    A scalable approach to joint cyber insurance and security-as-a-service provisioning in cloud computing

    As computing services are increasingly cloud-based, corporations are investing in cloud-based security measures. The Security-as-a-Service (SECaaS) paradigm allows customers to outsource security to the cloud through the payment of a subscription fee. However, no security system is bulletproof, and even one successful attack can result in the loss of data and revenue worth millions of dollars. To guard against this eventuality, customers may also purchase cyber insurance to receive recompense in the case of loss. To achieve cost effectiveness, it is necessary to balance the provisioning of security and insurance, even when future costs and risks are uncertain. To this end, we introduce a stochastic optimization model to optimally provision security and insurance services in the cloud. Since the model we design is a mixed-integer problem, we also introduce a partial Lagrange multiplier algorithm that takes advantage of the total unimodularity property to find the solution in polynomial time. We also apply sensitivity analysis to find the exact tolerance of the decision variables to parameter changes. We show the effectiveness of these techniques using numerical results based on real attack data to demonstrate a realistic testing environment, and find that security and insurance are interdependent.

    Charging and discharging of plug-in electric vehicles (PEVs) in vehicle-to-grid (V2G) systems: A cyber insurance-based model

    In addition to being environmentally friendly, vehicle-to-grid (V2G) systems can help plug-in electric vehicle (PEV) users reduce their energy costs and can also help stabilize energy demand in the power grid. In V2G systems, data communication plays a crucial role, since PEV users need to obtain system information (e.g., locations of charging/discharging stations, current load, and supply of the power grid) to achieve the best charging and discharging performance. However, since PEV users are highly mobile, information from V2G systems is not always available, for reasons such as wireless link failures and cyber attacks. Therefore, in this paper, we introduce a novel concept using cyber insurance to 'transfer' cyber risks, e.g., unavailable information, of a PEV user to a third party, e.g., a cyber-insurance company. Under the insurance coverage, even without information about V2G systems, a PEV user is always guaranteed the best price for charging/discharging. In particular, we formulate the optimal energy cost problem for the PEV user by adopting a Markov decision process framework. We then propose a learning algorithm to help the PEV user make optimal decisions, e.g., to charge or discharge and to buy or not to buy insurance, in an online fashion. Through simulations, we show that cyber insurance is an efficient solution not only for dealing with cyber risks, but also for maximizing revenue for the PEV user.

    MANAGING CYBERSECURITY AS A BUSINESS RISK FOR SMALL AND MEDIUM ENTERPRISES

    Cyberspace has become the "Wild West" of business opportunities for companies. The explosion of growth opportunities has also created substantial cyber insecurity for such companies. Large companies have the budget and resources to manage cybersecurity risks, with the ability to hire experts to provide guidance and technology to address problems on a large corporate scale. Small and medium-sized enterprises (SMEs), on the other hand, lack the funding, knowledge, and human capital to sufficiently defend themselves against the various criminals. This research analyzes three solutions to some of the major categories of problems faced by SMEs looking to manage cybersecurity risks without necessarily making large investments in purely technical solutions: community policing for broad cooperation within industries, cyber insurance, and cyber hygiene. The research was based on a review of the existing literature, including substantial government policy, and openly available information on the Internet. The research found that solutions beyond technology are necessary in order to improve security and resilience for SMEs. The proposed solutions are ideally applicable under specific scenarios for SMEs; broad adoption may not yield the necessary security or resilience for a company without a clear understanding of its existing security strategy.

    A New Perspective on Internet Security using Insurance

    Managing security risks in the Internet has so far mostly involved methods to reduce the risks and the severity of the damages. Those methods (firewalls, intrusion detection and prevention systems, and so on) reduce but do not eliminate risk, and the question remains of how to handle the residual risk. In this paper, we take a new approach to the problem of Internet security and advocate managing this residual risk by buying insurance against it, in other words by transferring the risk to an insurance company in return for a fee, namely the insurance premium. We consider the problem of whether buying insurance to protect the Internet and its users from security risks makes sense and, if so, of identifying specific benefits of insurance and designing appropriate insurance policies. Using insurance in the Internet raises several questions because entities in the Internet face correlated risks, which means that insurance claims will likely be correlated, making those entities less attractive to insurance companies. Furthermore, risks are interdependent, meaning that the decision by an entity to invest in security and self-protect affects the risk faced by others. We analyze the impact of these externalities on the security investments of the users using simple models that combine recent ideas from risk theory and network modeling. Our key result is that using insurance would increase the security in the Internet. Specifically, we show that the adoption of security investments follows a threshold or tipping-point dynamic, and that insurance is a powerful incentive mechanism which pushes entities over the threshold into a desirable state where they invest in self-protection. Given its many benefits, we argue that insurance should become an important component of risk management in the Internet, and discuss its impact on Internet mechanisms and architecture.
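    The two mechanisms that recur in the abstracts above, the interdependence of security spending and insurance (the SECaaS provisioning paper) and the tipping-point dynamic in which insurance pushes entities into self-protection (the paper just described), can be seen in a small constructed model. The code below is an added illustration, not the model or the data of either paper: the network (a complete graph of four entities), the contagion rule, the mean-variance treatment of risk aversion, the premium loading and every numeric parameter are assumptions chosen so that the effect is visible. Each entity chooses whether to self-protect and whether to insure; its compromise probability depends on its own choice and on how many of its neighbours are unprotected, and the insurer prices the premium on that actual probability, so self-protection earns a premium discount.

```python
"""Toy model of interdependent security investment with and without insurance.
Constructed for illustration; the graph, the contagion rule, the mean-variance
cost and every parameter below are assumptions, not a paper's model or data."""

# --- assumed parameters ---
LOSS = 100.0            # loss an entity suffers if it is compromised
PROTECT_COST = 7.0      # per-period cost of self-protection
P_DIRECT_UNPROT = 0.10  # direct compromise probability without self-protection
P_DIRECT_PROT = 0.01    # direct compromise probability with self-protection
P_CONTAGION = 0.15      # chance that each unprotected neighbour infects the entity
RISK_AVERSION = 0.012   # weight on loss variance (mean-variance preferences)
PREMIUM_LOAD = 1.6      # premium = load * insurer's expected payout


def compromise_probability(i, protected, graph):
    """P(entity i is compromised) given everyone's protection choices.
    The direct attack and contagion from each unprotected neighbour are
    treated as independent events, so survival probabilities multiply."""
    direct = P_DIRECT_PROT if protected[i] else P_DIRECT_UNPROT
    survive = 1.0 - direct
    for j in graph[i]:
        if not protected[j]:
            survive *= 1.0 - P_CONTAGION
    return 1.0 - survive


def period_cost(p, protect, insure):
    """Certainty-equivalent cost of one period for a risk-averse entity.
    Self-insured: expected loss plus a penalty on its variance (Bernoulli loss).
    Insured: full coverage, so the only loss-related cost is the premium, which
    the insurer prices on the entity's actual risk p (it observes whether the
    entity self-protects, so protection earns a premium discount)."""
    cost = PROTECT_COST if protect else 0.0
    if insure:
        cost += PREMIUM_LOAD * p * LOSS
    else:
        cost += p * LOSS + RISK_AVERSION * p * (1.0 - p) * LOSS ** 2
    return cost


def best_response(i, protected, graph, insurance_available):
    """(protect, insure) choice minimising entity i's cost, holding the
    neighbours' current protection choices fixed."""
    best = None
    for protect in (False, True):
        trial = list(protected)
        trial[i] = protect
        p = compromise_probability(i, trial, graph)
        options = (False, True) if insurance_available else (False,)
        for insure in options:
            c = period_cost(p, protect, insure)
            if best is None or c < best[0]:
                best = (c, protect, insure)
    return best[1], best[2]


def run_dynamics(initial, graph, insurance_available, max_rounds=100):
    """Sequential best-response dynamics until no entity wants to change.
    Returns the equilibrium protection vector (True = self-protects)."""
    protected = list(initial)
    for _ in range(max_rounds):
        changed = False
        for i in range(len(protected)):
            protect, _ = best_response(i, protected, graph, insurance_available)
            if protect != protected[i]:
                protected[i] = protect
                changed = True
        if not changed:
            break
    return tuple(protected)


def complete_graph(n):
    """Every entity is a neighbour of every other (assumed topology)."""
    return {i: [j for j in range(n) if j != i] for i in range(n)}


if __name__ == "__main__":
    g = complete_graph(4)
    nobody, everybody = [False] * 4, [True] * 4
    print("no insurance, start unprotected:", run_dynamics(nobody, g, False))
    print("no insurance, start protected:  ", run_dynamics(everybody, g, False))
    print("insurance,    start unprotected:", run_dynamics(nobody, g, True))
```

    Without insurance the model has two equilibria: starting from all-unprotected, each entity faces three unprotected neighbours, its own protection barely moves its compromise probability, and nobody protects; starting from all-protected, everyone keeps protecting. With insurance available, the premium discount for protection (which the insurer can price because it observes the entity's risk) is large enough that protecting is the best response even when every neighbour is unprotected, so the dynamic tips to the all-protected equilibrium from the bad starting point. Changing PREMIUM_LOAD or PROTECT_COST moves that threshold, which is the interdependence between security spend and insurance the provisioning paper reports.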

    The human factor in cybersecurity: An experimental approach to cyber-risk and cyberinsurance

    This research work aims at developing and experimentally validating theoretically sound behavioural models capable of explaining and foreseeing the adoption of cyberinsurance and the related human cybersecurity behaviour. Specifically, this dissertation focuses on three critical and interrelated dimensions of cybersecurity: cyberinsurance (adoption of insurance products partially covering the impact of potential attacks), cyberprotection (adoption of measures able to reduce the risk of suffering an attack) and online behaviour (level of cyber-risk assumed by users when navigating online). These dimensions capture most of the relevant behavioural issues related to cyberinsurance adoption, such as (i) the rationality of the allocation of the available cybersecurity budget between protection and insurance products, (ii) the potential negative effects of the information asymmetry intrinsic to any field of insurance (including cyberinsurance) and (iii) belief formation on cybervulnerability, especially risk perception and risk assessment methods in the case of intentional attacks. By achieving this objective, our research contributes to filling the critical gap in the literature on how agents actually make their decisions on cyberinsurance adoption and form perceptions of their own cyber-risks, which has a relevant scientific, policy-making and business development role, as shown in the discussion section of this dissertation. This research work is structured in three chapters.
    (i) The first study is devoted to understanding and modelling critical behavioural insights in the process of cyberinsurance adoption. Specifically, we start by analysing potential deviations from perfect rationality and the main behavioural features in the purchase of cyberinsurance policies. We also analyse how the adoption of cyberinsurance may affect agents' behaviour in other dimensions of their cybersecurity strategy, such as cyberprotection and safety level when navigating online. To validate our findings, we ran an online economic experiment with 4,800 subjects in four EU countries. Our main conclusion is that rational choice models fail to predict agents' cybersecurity decisions. Specifically, we found that individuals show a tendency to opt for an overprotective cybersecurity strategy, choosing higher protection levels and insurance coverage than those that maximise their expected utility. This result motivates the application of a behavioural economics approach to cyberinsurance and the development of alternative behavioural models that do not assume perfect rationality and are capable of explaining our observational data. Moreover, this result highlights the human component of cybersecurity and the need to develop behaviour-oriented interventions based on sound behavioural insights and capable of taking advantage of the non-rational component of cybersecurity decision-making.
    (ii) Business disruption from cyberattacks is a recognised and growing concern, yet the uptake of cyberinsurance has been relatively low. The second study proposed and tested a predictive model of cyberinsurance adoption, incorporating elements of Protection Motivation Theory (PMT) and the Theory of Planned Behaviour (TPB) as well as factors relating to risk propensity and price. Data were obtained from an online behavioural economics experiment with 4,800 participants across four EU countries. During the experiment, participants were given the opportunity to purchase different protection measures and cyberinsurance products before performing an online task. Some participants then suffered a cyberattack within the experimental setup, the probability of which depended on their adoption of protection measures and their behaviour during the online task. The consequences of this attack in turn depended on their cyberinsurance purchase decisions (i.e., basic vs premium insurance). Structural Equation Modelling (SEM) was applied, and the model was further developed to include elements of the wider security ecosystem. The resulting model shows that all TPB factors, but only response efficacy among the PMT factors, positively predicted adoption of premium cyberinsurance. Premium insurance adoption was also influenced by security measure adoption, individual propensity for risk, and the price differential between basic and premium products. Interestingly, adoption of cybersecurity measures was associated with safer behaviour online, contrary to 'moral hazard' concerns. The findings highlight the need to consider the larger cybersecurity ecosystem when designing interventions to increase adoption of cyberinsurance and/or promote more secure online behaviour.
    (iii) In domains such as homeland security, cybersecurity and competitive marketing, analysts frequently need to forecast adversarial actions that affect our decisions. Standard structured expert judgement elicitation techniques fall short because they do not take intentionality into account. A decomposition technique based on adversarial risk analysis, followed by recomposition rules based on discrete choice models, enables such assessments.