
    Mapping the Coverage of Security Controls in Cyber Insurance Proposal Forms

    Policy discussions often assume that wider adoption of cyber insurance will promote information security best practice. However, this depends on the process that applicants need to go through to apply for cyber insurance. A typical process requires an applicant to fill out a proposal form, which is a self-assessed questionnaire. In this paper, we examine 24 proposal forms, offered by insurers based in the UK and the US, to determine which security controls are present in the forms. Our aim is to establish whether the collection of security controls mentioned in the analysed forms corresponds to the controls defined in ISO/IEC 27002 and the CIS Critical Security Controls; these two control sets are generally held to be best practice. This work opens a novel research direction, as we are the first to systematically analyse cyber insurance proposal forms. Our contributions include evidence regarding the assumption that the insurance industry will promote security best practice. To address the problem of adverse selection, we suggest the number of controls that proposal forms should include in order to align with the two information security frameworks. Finally, we discuss the incentives that could lead to this disparity between insurance practice and information security best practice, emphasising the importance of information security economics in studying cyber insurance.

    Multi-stakeholder enquiry for securing e-Business environments: A socio-technical security framework.

    Increasing the security of e-Business is best achieved by considering the environment in which e-Business applications need to be implemented and used; this implies that e-Business should be viewed as a complex socio-technical system with three interconnected and interacting elements: stakeholders, enabling technology, and business processes. This multiple perspective has rarely been captured by previous studies of e-Business security, which perceive security from a narrow, single-sided technical view. This thesis argues that the predominant technical security approaches consider neither the multifaceted nature of e-Business security nor the requirements and influences of the various stakeholders involved in its context. In Jordan, e-Business adoption is still in its early stages and is gaining the attention of several parties. Therefore, the primary approach in this research is an interpretive stakeholder analysis in which notions of a socio-technical perspective are employed as required in order to develop a conceptual framework for a better understanding of e-Business security in the context of Jordan. In other words, an interpretive approach has been adopted as a means of inquiry aimed at developing a holistic understanding of e-Business security in relation to its context, while considering all the stakeholders in the problem area. This methodological choice was influenced by three factors: the nature of the research problem, the researcher's theoretical lens, and the degree of uncertainty in the study environment. Consequently, four major stakeholders were identified and their security implications were explored. The study's findings provide rich insights into the security of e-Business by identifying and interpreting the roles, the perceptions, and the interactions of several groups of security stakeholders.
    The theoretical contributions include: an explanatory framework of organisational, legal, human and technical factors affecting security in e-Business environments, developed by employing an inductive stakeholder analysis, as well as the identification of several organisational aspects, such as governance, communication, power conflict, awareness, and resistance to change, and their relationships to security and their practical implications at individual, organisational, and national levels. Additionally, the findings provide insights into the customers' side of the security problem and explain its relationships with other stakeholders, including government, business and technology providers. This is a sound practical contribution which can help these stakeholders to design better security approaches based on a deeper understanding of customers' security requirements.