
    Cyber Security Incentives and the Role of Cyber Insurance

    This paper outlines the opportunities of and challenges in using cyber insurance to incentivise cyber security practices. Findings are based on a review of existing industry reports and academic research. The paper forms part of an independent research project by RUSI and the University of Kent that provides actionable policy recommendations on how to incentivise cyber security through cyber insurance. These recommendations derive from a series of interviews and workshops with insurers, businesses, cyber security providers, government and other key stakeholders. The current evidence about the ability of cyber insurance to improve cyber security practices is limited. While cyber insurers may be able to provide expertise to policyholders and increase their awareness of cyber risks, much of the existing evidence base is largely theoretical and there is still considerable scepticism from customers about the benefits of cyber insurance. The uptake of cyber insurance, particularly by small to medium enterprises (SMEs), remains low. Existing research suggests that some of the overarching factors explaining this are: the high cost of policies and the difficulties insurers face in pricing premiums appropriately; confusion over what types of incidents insurance policies cover (and the issue of ‘silent cyber’); and a lack of understanding of risks stemming from cyber incidents. There is the potential for the cyber insurance market to learn from other insurance markets to increase uptake, although understanding the depth of these connections requires further enquiry. The paper concludes by identifying several policy questions raised by the existing literature. These questions serve to guide the next stage of the project and to prompt new conversations about how cyber insurance might better incentivise cyber security practices.

    Developing and Validating a Behavioural Model of Cyberinsurance Adoption

    Business disruption from cyberattacks is a growing concern, yet cyberinsurance uptake remains low. Using an online behavioural economics experiment with 4800 participants across four EU countries, this study tests a predictive model of cyberinsurance adoption, incorporating elements of Protection Motivation Theory (PMT) and the Theory of Planned Behaviour (TPB) as well as factors relating to risk propensity and price. During the experiment, participants were given the opportunity to purchase different cybersecurity measures and cyberinsurance products before performing an online task. Participants' likelihood of suffering a cyberattack was dependent upon their adoption of cybersecurity measures and their behaviour during the online task. The consequences of any attack were dependent upon the participants' insurance decisions. Structural equation modelling was applied and the model was further developed to include elements of the wider security ecosystem. The final model shows that all TPB factors, and response efficacy from the PMT, positively predicted adoption of premium cyberinsurance. Interestingly, adoption of cybersecurity measures was associated with safer behaviour online, contrary to concerns of “moral hazard”. The findings highlight the need to consider the larger cybersecurity ecosystem when designing interventions to increase adoption of cyberinsurance and/or promote more secure online behaviour.

    Rethinking FS-ISAC: An IT Security Information Sharing Network Model for the Financial Services Sector

    This study examines a critical incentive alignment issue facing FS-ISAC (the information sharing alliance in the financial services industry). Failure to encourage members to share their IT security-related information has seriously undermined the founding rationale of FS-ISAC. Our analysis shows that many information sharing alliances’ membership policies are plagued with the incentive misalignment issue and may result in a “free-riding” or “no information sharing” equilibrium. To address this issue, we propose a new information sharing membership policy that incorporates an insurance option and show that the proposed policy can align members’ incentives and lead to a socially optimal outcome. Moreover, when a transfer payment mechanism is implemented, all member firms will be better off joining the insurance network. These results are demonstrated in a simulation in which IT security breach losses are compared both with and without participation in the proposed information sharing insurance plan.

    Affirmative and silent cyber coverage in traditional insurance policies : Qualitative content analysis of selected insurance products from the German insurance market

    This paper examines the design of affirmative and silent coverage of cyber risks in traditional insurance policies for selected product lines on the German market. Given the novelty and complexity of the topic and its insufficient coverage in the literature, we use two different sources. We analysed the general insurance terms and conditions of different traditional insurance lines using Mayring’s qualitative content analysis. We also conducted interviews with experts from the German insurance industry to evaluate how insurers understand their silent cyber exposures and what measures they take to deal with this new exposure. The study shows a considerable cyber liability risk potential for insurers in the insurance lines considered. This arises from the affirmative as well as silent cover inclusions and exclusions for cyber risks, which result from imprecise wording of insurance clauses and insufficient descriptions of the contractually specified scope of the insurance coverage.

    Mapping the Coverage of Security Controls in Cyber Insurance Proposal Forms

    Policy discussions often assume that wider adoption of cyber insurance will promote information security best practice. However, this depends on the process that applicants need to go through to apply for cyber insurance. A typical process would require an applicant to fill out a proposal form, which is a self-assessed questionnaire. In this paper, we examine 24 proposal forms, offered by insurers based in the UK and the US, to determine which security controls are present in the forms. Our aim is to establish whether the collection of security controls mentioned in the analysed forms corresponds to the controls defined in ISO/IEC 27002 and the CIS Critical Security Controls; these two control sets are generally held to be best practice. This work opens a novel research direction, as we are the first to systematically analyse cyber insurance proposal forms. Our contributions include evidence regarding the assumption that the insurance industry will promote security best practice. To address the problem of adverse selection, we suggest the number of controls that proposal forms should include in order to align with the two information security frameworks. Finally, we discuss the incentives that could lead to this disparity between insurance practice and information security best practice, emphasising the importance of information security economics in studying cyber insurance.

    A survey of defense mechanisms against distributed denial of service (DDOS) flooding attacks

    Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack. © 1998-2012 IEEE
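    The survey abstract above classifies countermeasures by where and when they act. The following is an added illustration of one cell of that classification, destination-side detection during the attack, and is not code from the survey or its authors. It treats the most common flooding variant, the TCP SYN flood: a victim is flooded with connection requests from many (often spoofed) sources that never complete the handshake, so the half-open connection count per time window climbs while the number of distinct sources is far higher than a single scanner would produce. The flow records, IP addresses and thresholds are constructed for the example; real thresholds would be derived from a baseline of the protected service's normal traffic.

```python
"""Destination-side SYN-flood detector over constructed TCP flow records.

Each record is (timestamp_seconds, src_ip, dst_ip, tcp_flags), where
tcp_flags is "S" for a bare SYN and "A" for the client's handshake ACK.
The records below are constructed for the example, not captured traffic.
"""
from collections import defaultdict

# Hypothetical thresholds: tune against a baseline of normal traffic.
WINDOW_SECONDS = 1.0
HALF_OPEN_THRESHOLD = 50      # half-open handshakes per window per destination
MIN_DISTINCT_SOURCES = 20     # many sources => distributed flood, not one scanner


def detect_syn_flood(records, window=WINDOW_SECONDS,
                     half_open_threshold=HALF_OPEN_THRESHOLD,
                     min_sources=MIN_DISTINCT_SOURCES):
    """Return alerts as (window_start, dst_ip, half_open, distinct_sources).

    Records are bucketed into fixed windows. Within a window, the number of
    half-open handshakes towards a destination is the SYN count minus the
    handshake ACK count (clamped at zero). An alert requires both a high
    half-open count and many distinct sources, so a single aggressive host
    (a port scanner or a misbehaving client) does not trigger it.
    """
    buckets = defaultdict(list)          # window_start -> [(src, dst, flags)]
    for ts, src, dst, flags in sorted(records):
        buckets[int(ts // window) * window].append((src, dst, flags))

    alerts = []
    for start in sorted(buckets):
        syn_count = defaultdict(int)     # dst -> number of SYNs seen
        ack_count = defaultdict(int)     # dst -> number of handshake ACKs seen
        syn_sources = defaultdict(set)   # dst -> distinct SYN sources
        for src, dst, flags in buckets[start]:
            if flags == "S":
                syn_count[dst] += 1
                syn_sources[dst].add(src)
            elif flags == "A":
                ack_count[dst] += 1
        for dst, syns in syn_count.items():
            half_open = max(0, syns - ack_count[dst])
            sources = len(syn_sources[dst])
            if half_open >= half_open_threshold and sources >= min_sources:
                alerts.append((start, dst, half_open, sources))
    return alerts


def constructed_sample():
    """Constructed records: 20 legitimate completed handshakes against
    10.0.0.5 spread over t=0..3.8s, then a 60-source SYN flood at t=5s."""
    records = []
    for i in range(20):
        ts = i * 0.2
        client = f"192.0.2.{i + 1}"
        records.append((ts, client, "10.0.0.5", "S"))
        records.append((ts + 0.01, client, "10.0.0.5", "A"))   # handshake completes
    for i in range(60):
        # Spoofed sources that never answer the SYN-ACK, so no "A" follows.
        records.append((5.0 + i * 0.001, f"203.0.113.{i + 1}", "10.0.0.5", "S"))
    return records


def single_source_scan():
    """Constructed control case: 60 SYNs from one host in one window.
    High half-open count, but only one source, so it must not alert."""
    return [(i * 0.001, "198.51.100.1", "10.0.0.5", "S") for i in range(60)]


if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_sample()):
        start, dst, half_open, sources = alert
        print(f"t={start:.0f}s SYN flood towards {dst}: "
              f"{half_open} half-open from {sources} sources")
    print("single-source scan alerts:", detect_syn_flood(single_source_scan()))
```

    The two knobs embody the survey's distinction between a flood and ordinary overload: the half-open count measures damage to the victim's connection table, while the distinct-source count is the signature of a botnet rather than a single misbehaving client. A detector placed at the destination sees both signals clearly but only after the traffic has already arrived, which is why the survey argues for complementary source-side and in-network components in a collaborative defence.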