
    Incentive Mechanisms for Managing and Controlling Cyber Risks: The Role of Cyber Insurance and Resource Pooling

    Faced with a myriad of costly and frequent cyber threats, organizations not only invest in software security mechanisms such as firewalls and intrusion detection systems but increasingly also turn to cyber insurance which has emerged as an accepted risk mitigation mechanism and allows purchasers of insurance policies to transfer their risks to the insurer. Insurance is fundamentally a method of risk transfer, which in general does not reduce the overall risk and may provide disincentives for firms to strengthen their security; an insured may lower its effort after purchasing coverage, a phenomenon known as moral hazard. As cyber insurance is a common method for cyber risk management, it is critical to be able to use cyber insurance as both a risk transfer mechanism and an incentive mechanism for firms to increase their security efforts. This is the central focus and main goal of this dissertation. Specifically, we consider two features of cybersecurity and their impact on the subsequent insurance contract design problem. The first is the interdependent nature of cybersecurity, whereby one entity's state of security depends not only on its own effort but also on the effort of others in the same eco-system (e.g., vendors and suppliers). The second is our ability to perform an accurate quantitative assessment of security posture at a firm-level by combining recent advances in Internet measurement and machine learning techniques. The first feature, i.e., the risk interdependence among firms is an interesting aspect that makes this contract problem different from what is typically seen in the literature: how should policies be designed for firms with dependent risk relationships? We show security interdependence leads to a profit opportunity for the insurer, created by the inefficient effort levels exerted by the insureds who do not account for risk externalities when insurance is not available. 
    Security pre-screening then enables effective premium discrimination: firms with better security conditions may get a discount on their premium payment. This type of contract allows the insurer to take advantage of the profit opportunity by incentivizing insureds to increase their security effort and improve the state of network security. We show this conclusion holds even when an insurer has the ability to seek loss recovery when an incident can be attributed to a third party. By embedding these concepts in a practical rate-schedule based underwriting framework, we show that these results can be readily implemented in existing practice. While pre-screening is an effective method to incentivize effort, the insureds may lower their efforts after the pre-screening and post-contract, within the policy period, in yet another manifestation of moral hazard. We show that this can be mitigated through periodic screening combined with premium adjustment, effectively resulting in an active policy that has built-in contingencies, where the actual premium payable is realized over time based on the screening results. Outside the context of insurance, the study of inefficient security investment and how to design incentives is commonly formulated as an interdependent security game. In a departure from typical taxation and subsidy based mechanisms, we consider resource pooling as a way to incentivize effort in a network of interdependent agents, by allowing agents to invest in themselves as well as in other agents. We show that the interaction of strategic and selfish agents under resource pooling improves the agents' efforts as well as their utilities.
    PhD, Electrical and Computer Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/155236/1/khalili_1.pd

    INFORMATION SECURITY RISK AND BOUNDARY CHANGING BEHAVIOR

    The escalating information security threats and their impacts have made firms pay careful attention to the potential risks they face and the actions they can take to mitigate such risks. We explore if and how the information security risk perceptions of firms shape their boundary-changing behaviors. We argue that organizations have risk transfer, risk avoidance, risk reduction, and risk acceptance options, and combine these options in their attempts to reduce the perceived effects of information security risks. Through risk transfer, organizations can shift some effects of information security risks to third parties, while boundary-changing behaviors can alter the potential vulnerabilities of a firm; hence decisions to alter firm boundaries are likely to be shaped by risk perceptions. By fine-tuning 11 state-of-the-art NLP models with causal extraction, we find that organizations' information security risk perception is positively associated with their information security risk transfer behavior and with less-risky boundary-changing actions.

    The Politics of Uncertainty

    Why is uncertainty so important to politics today? To explore the underlying reasons, issues and challenges, this book's chapters address finance and banking, insurance, technology regulation and critical infrastructures, as well as climate change, infectious disease responses, natural disasters, migration, crime and security, and spirituality and religion. The book argues that uncertainties must be understood as complex constructions of knowledge, materiality, experience, embodiment and practice. Examining in particular how uncertainties are experienced in contexts of marginalisation and precarity, this book shows how sustainability and development are not just technical issues, but depend on deeply political values and choices. What burgeoning uncertainties require lies less in escalating efforts at control, and more in a new, more collective, mutualistic and convivial politics of responsibility and care. If hopes of much-needed progressive transformation are to be realised, then currently blinkered understandings of uncertainty need to be met with renewed democratic struggle. Written in an accessible style and illustrated by multiple case studies from across the world, this book will appeal to a wide cross-disciplinary audience in fields ranging from economics to law to science studies to sociology to anthropology and geography, as well as professionals working in risk management, disaster risk reduction, emergencies and wider public policy fields.

    Maritime Robotics and Autonomous Systems Operations: Exploring Pathways for Overcoming International Techno-Regulatory Data Barriers

    The current regulatory landscape that applies to maritime service robotics, aptly termed robotics and autonomous systems (RAS), is quite complex. When it comes to patents, there are multifarious considerations in relation to vessel survey, inspection, and maintenance processes under national and international law. Adherence is challenging, given that the traditional delivery methods are viewed as unsafe, strenuous, and laborious. Service robotics, namely micro aerial vehicles (MAVs) or drones, magnetic-wheeled crawlers (crawlers), and remotely operated vehicles (ROVs), function by relying on the architecture of the Internet of Robotic Things. These are being introduced as time-saving apparatuses, accompanied by the promise to acquire concrete and sufficient data for the identification of vessel structural weaknesses with the highest level of accuracy, to facilitate the decision-making processes upon which temporary and permanent measures are contingent. Nonetheless, a noticeable critical issue associated with effective RAS deployment revolves around non-personal data governance, which comprises the main analytical focus of this research effort. The impetus behind this study stems from the need to enquire whether the "data" provisions within the international technological regulatory (techno-regulatory) framework are sufficient, well organized, and harmonized, so that there are no current or future conflicts with the promulgated theoretical dimensions of data that drive all subject-matter-oriented actions. As is noted from the relevant expository research, the challenges are many. Engineering RAS to perfection is not the end-all and be-all. Collateral impediments must be avoided. A safety net needs to be devised to protect non-personal data. The results here indicate that established data decision dimensions call for data security and protection, as well as a consideration of ownership and liability details. 
An analysis of the state of the art and the comparative results assert that the abovementioned remain neglected in the current international setting. The findings reveal specific data barriers within the existing international framework. The ways forward include strategic actions to remove data barriers towards the overall efficacy of maritime RAS operations. The overall findings indicate that an effective transition to RAS operations requires optimizing the international regulatory framework to open the pathways for effective RAS operations. Conclusions were drawn on the premise that policy reform is inevitable in order to push the RAS agenda forward before the emanation of 6G and the era of the Internet of Everything, with harmonization and further standardization being very high-priority issues.

    Governing Cyber Security Risks and Benefits of the Internet of Things: Application to Connected Vehicles and Medical Devices

    Creating trust in connectivity, including confidentiality, integrity and availability, will be key to achieving the promises of the IoT, at least in the automotive and medical sectors. Assessing vulnerability, implementing and assessing security controls, designing appropriate standards and regulation, and arranging insurance and other governance mechanisms will be critical elements. But the creation of trust may require that broader societal questions be addressed.

    Distributed Ledger Technologies in Supply Chain Security Management: A Comprehensive Survey

    Supply chains (SC) present performance bottlenecks that contribute to a high level of costs, infiltration of product quality, and reduced productivity. Examples of such inhibitors include the bullwhip effect, new product lines, high inventory, and restrictive data flows. These bottlenecks can force manufacturers to source more raw materials and increase production significantly. Also, restrictive data flow in a complex global SC network generally slows down the movement of goods and services. The use of distributed ledger technologies (DLT) in SC management (SCM) demonstrates the potential to reduce these bottlenecks through transparency, decentralization, and optimizations in data management. These technologies promise to enhance the trustworthiness of entities within the SC, ensure the accuracy of data-driven operations, and enable existing SCM processes to migrate from a linear to a fully circular economy. This article presents a comprehensive review of 111 articles published in the public domain on the use and efficacy of DLT in SC. It acts as a roadmap for current and future researchers who focus on SC security management to better understand the integration of digital technologies such as DLT. We clustered these articles using standard descriptors linked to trustworthiness, namely, immutability, transparency, traceability, and integrity.

    Distributed Ledger Technologies in Supply Chain Security Management: A Comprehensive Survey

    This is an accepted manuscript of an article published by IEEE in IEEE Transactions on Engineering Management, available online at: https://ieeexplore.ieee.org/document/9366288. The accepted version of the publication may differ from the final published version.

    Model-Driven Information Security Risk Assessment of Socio-Technical Systems


    Glimpses of the future : Data policy, artificial intelligence and robotisation as enablers of wellbeing and economic success in Finland

    Our society is moving into the 2020s in a situation where we are making more efficient use of services enabled by new technology to develop new services and business models in society and in business life. The 2020s is predicted to be a decade characterised by the clear breakthrough of artificial intelligence and robotisation, in the same way that social media, cloud computing, smartphones, location- and time-independent working and digital services characterised the 2010s. Finland has performed extremely well in international statistics in several fields of society. Finland's stability and security, combined with a high technology utilisation rate and education level, provide an excellent platform for the creation and development of digital business. At the core of this development are citizens, businesses and data. The development of data policy and data management in a way that takes the different life situations of citizens into account is a unique innovation by global standards, and one which we believe will be a significant contributor to Finland's success in the 2020s. In this big picture, trust plays a key role. This is a major issue that emerges in the context of the personal data processing of private citizens and customers, new business model and service development, making society more resilient, and national and international cooperation. Trust requires continuous development work in different sectors, paying due attention to the threats and risks affecting the digital environment. Here, digital security serves as the enabler of trust and of the services made possible by new technology.