
    Incentive Mechanisms for Managing and Controlling Cyber Risks: The Role of Cyber Insurance and Resource Pooling

    Faced with a myriad of costly and frequent cyber threats, organizations not only invest in software security mechanisms such as firewalls and intrusion detection systems but increasingly also turn to cyber insurance, which has emerged as an accepted risk mitigation mechanism and allows purchasers of insurance policies to transfer their risks to the insurer. Insurance is fundamentally a method of risk transfer, which in general does not reduce the overall risk and may provide disincentives for firms to strengthen their security; an insured may lower its effort after purchasing coverage, a phenomenon known as moral hazard. As cyber insurance is a common method for cyber risk management, it is critical to be able to use cyber insurance as both a risk transfer mechanism and an incentive mechanism for firms to increase their security efforts. This is the central focus and main goal of this dissertation. Specifically, we consider two features of cybersecurity and their impact on the subsequent insurance contract design problem. The first is the interdependent nature of cybersecurity, whereby one entity's state of security depends not only on its own effort but also on the effort of others in the same eco-system (e.g., vendors and suppliers). The second is our ability to perform an accurate quantitative assessment of security posture at a firm level by combining recent advances in Internet measurement and machine learning techniques. The first feature, i.e., the risk interdependence among firms, is an interesting aspect that makes this contract problem different from what is typically seen in the literature: how should policies be designed for firms with dependent risk relationships? We show security interdependence leads to a profit opportunity for the insurer, created by the inefficient effort levels exerted by the insureds who do not account for risk externalities when insurance is not available. Security pre-screening then enables effective premium discrimination: firms with better security conditions may get a discount on their premium payment. This type of contract allows the insurer to take advantage of the profit opportunity by incentivizing insureds to increase their security effort and improve the state of network security. We show this conclusion holds even when an insurer has the ability to seek loss recovery when an incident can be attributed to a third party. By embedding these concepts in a practical rate-schedule based underwriting framework, we show that these results can be readily implemented in existing practice. While pre-screening is an effective method to incentivize effort, the insureds may lower their efforts after the pre-screening and post-contract, within the policy period, in yet another manifestation of moral hazard. We show that this can be mitigated through periodic screening combined with premium adjustment, effectively resulting in an active policy that has built-in contingencies, where the actual premium payable is realized over time based on the screening results. Outside the context of insurance, the study of inefficient security investment and how to design incentives is commonly formulated as an interdependent security game. In a departure from typical taxation and subsidy based mechanisms, we consider resource pooling as a way to incentivize effort in a network of interdependent agents, by allowing agents to invest in themselves as well as in other agents. We show that the interaction of strategic and selfish agents under resource pooling improves the agents' efforts as well as their utilities.
    PhD dissertation, Electrical and Computer Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/155236/1/khalili_1.pd

    Does Cyber Insurance promote Cyber Security Best Practice? An Analysis based on Insurance Application Forms

    The significant rise in digital threats and attacks has led to an increase in the use of cyber insurance as a risk treatment method intended to support organisations in the event of a breach. Insurance providers are set up to assume such residual risk, but they often require organisations to implement certain security controls a priori to reduce their exposure. We examine the assertion that cyber insurance promotes cyber security best practice by conducting a critical examination of cyber insurance application forms to determine how well they align with ISO 27001, the NIST Cybersecurity Framework and the UK’s Cyber Essentials security standards. We achieve this by mapping questions and requirements expressed in insurance forms to the security controls covered in each of the standards. This allows us to identify security controls and standards that are considered – and likely most valued – by insurers and those that are neglected. We find that while there is some reasonable coverage across forms, there is an underrepresentation of best practice standards and controls generally, and particularly in some control areas (e.g., procedural/governance controls, incident response and recovery).

    Developing and Validating a Behavioural Model of Cyberinsurance Adoption

    Business disruption from cyberattacks is a growing concern, yet cyberinsurance uptake remains low. Using an online behavioural economics experiment with 4800 participants across four EU countries, this study tests a predictive model of cyberinsurance adoption, incorporating elements of Protection Motivation Theory (PMT) and the Theory of Planned Behaviour (TPB) as well as factors relating to risk propensity and price. During the experiment, participants were given the opportunity to purchase different cybersecurity measures and cyberinsurance products before performing an online task. Participants' likelihood of suffering a cyberattack was dependent upon their adoption of cybersecurity measures and their behaviour during the online task. The consequences of any attack were dependent upon the participants' insurance decisions. Structural equation modelling was applied and the model was further developed to include elements of the wider security ecosystem. The final model shows that all TPB factors, and response efficacy from the PMT, positively predicted adoption of premium cyberinsurance. Interestingly, adoption of cybersecurity measures was associated with safer behaviour online, contrary to concerns of “moral hazard”. The findings highlight the need to consider the larger cybersecurity ecosystem when designing interventions to increase adoption of cyberinsurance and/or promote more secure online behaviour.

    Coastal management and adaptation: an integrated data-driven approach

    Coastal regions are some of the most exposed to environmental hazards, yet the coast is the preferred settlement site for a high percentage of the global population, and most major global cities are located on or near the coast. This research adopts a predominantly anthropocentric approach to the analysis of coastal risk and resilience. This centres on the pervasive hazards of coastal flooding and erosion. Coastal management decision-making practices are shown to be reliant on access to current and accurate information. However, constraints have been imposed on information flows between scientists, policy makers and practitioners, due to a lack of awareness and utilisation of available data sources. This research seeks to tackle this issue by evaluating how innovations in the use of data and analytics can be applied to further the application of science within decision-making processes related to coastal risk adaptation. In achieving this aim, a range of research methodologies have been employed, and the progression of topics covered marks a shift from themes of risk to resilience. The work focuses on a case study region of East Anglia, UK, benefiting from the input of a partner organisation responsible for the region’s coasts: Coastal Partnership East. An initial review revealed how data can be utilised effectively within coastal decision-making practices, highlighting scope for application of advanced Big Data techniques to the analysis of coastal datasets. The process of risk evaluation has been examined in detail, and the range of possibilities afforded by open source coastal datasets was revealed. Subsequently, open source coastal terrain and bathymetric point cloud datasets were identified for 14 sites within the case study area. These were then utilised within a practical application of a geomorphological change detection (GCD) method. This revealed how analysis of high spatial and temporal resolution point cloud data can accurately reveal and quantify physical coastal impacts. Additionally, the research reveals how data innovations can facilitate adaptation through insurance; more specifically, how the use of empirical evidence in pricing of coastal flood insurance can result in both communication and distribution of risk. The various strands of knowledge generated throughout this study reveal how an extensive range of data types, sources, and advanced forms of analysis can together allow coastal resilience assessments to be founded on empirical evidence. This research serves to demonstrate how the application of advanced data-driven analytical processes can reduce levels of uncertainty and subjectivity inherent within current coastal environmental management practices. Adoption of the methods presented within this research could further the possibilities for sustainable and resilient management of the incredibly valuable environmental resource which is the coast.

    The Politics of Uncertainty

    Why is uncertainty so important to politics today? To explore the underlying reasons, issues and challenges, this book’s chapters address finance and banking, insurance, technology regulation and critical infrastructures, as well as climate change, infectious disease responses, natural disasters, migration, crime and security, and spirituality and religion. The book argues that uncertainties must be understood as complex constructions of knowledge, materiality, experience, embodiment and practice. Examining in particular how uncertainties are experienced in contexts of marginalisation and precarity, this book shows how sustainability and development are not just technical issues, but depend on deeply political values and choices. What burgeoning uncertainties require lies less in escalating efforts at control and more in a new – more collective, mutualistic and convivial – politics of responsibility and care. If hopes of much-needed progressive transformation are to be realised, then currently blinkered understandings of uncertainty need to be met with renewed democratic struggle. Written in an accessible style and illustrated by multiple case studies from across the world, this book will appeal to a wide cross-disciplinary audience in fields ranging from economics to law to science studies to sociology to anthropology and geography, as well as professionals working in risk management, disaster risk reduction, emergencies and wider public policy fields.

    Digital Transformation from an Inter-Organizational Perspective: Managing the Co-evolution of Platform Owners and Complementors in Platform Ecosystems

    Digital platforms have the potential to transform how organizations do business in their respective ecosystems. Motivated by this transformation, the purpose of this thesis is to increase the understanding of digital transformation from an inter-organizational perspective. Therefore, this thesis clarifies the phenomenon of digital transformation, and models and analyzes multiple digital platform ecosystems. Building upon that, this dissertation reflects on multiple case studies of how platform owners can manage the co-evolution of their complementors during digital transformations in digital platform ecosystems.