Decision Models for Cyber-Insurance

Lead Research Organisation: University College London
Department Name: Computer Science

Abstract

Cyber-attacks have evolved from a minor nuisance to companies into a serious threat to corporate profitability, national security and even critical infrastructure. The costs of a successful ransomware attack can be vast in terms of prevention, diagnosis and recovery. Regulations such as the EU General Data Protection Regulation (GDPR) may impose financially significant penalties on organisations for lax cyber-security. A cyber-insurance market has developed to assist with the management of cyber-risks, and while there is a reasonable body of related literature, there remains a lack of consensus and transparency around the appropriate models for pricing and decision making on cyber-insurance.

I plan to organise my project as follows. First, I intend to present a thorough literature review of key results in insurance economics that provide the foundations of a cyber-insurance model. This will be supplemented with important developments in security economics and a thorough, critical evaluation of the existing literature on cyber-insurance. Following the literature review, I intend to examine some broad considerations about cyber-insurance. One key concern is the notion that cyber-insurance may not pay out under a plausible set of circumstances. I plan to research this question by considering the notion of cyberwar and alleged nation state involvement in cyber-attacks alongside the wording of insurance policies. A survey of professionals, if feasible, would be a valuable undertaking to support this work. A related survey of computer security professionals in a particular industry (such as UK universities) would also help to calibrate models so that they capture decision-making trade-offs.

A key parameter for an insurance model is the expected probability of a loss; in contrast to more established categories of general insurance (e.g. automotive or property), cyber-insurance lacks the long-established actuarial tables and datasets that can be used to calculate distributions of expected losses. Partially observable Markov decision processes are a class of models that have the potential to model a penetration test of a system and thereby estimate the probability of compromise. If such a probability can be robustly estimated, it should then be possible to develop a stochastic model in which the security budget of a firm is consumed. This model should capture the intricate trade-offs around security for a variety of case studies or theoretical examples drawn from different industries. This appears likely to be an optimisation problem, which would require consideration of different possible algorithms and methods.

Finally, the supply side of cyber-insurance appears relatively poorly examined in the literature. It is hoped that a model can be developed that captures some of the factors that determine cyber-insurance pricing and formalises how individual premium quotes might be calculated, taking into account well-established issues in insurance such as adverse selection and moral hazard.
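The abstract ties three quantities together: the probability of a loss, the security budget a firm chooses, and the premium an insurer quotes, with moral hazard and adverse selection shaping the last of these. The following Python script is an added illustration of that trade-off and is not the project's model or any result from it. Every numerical relationship in it is an assumption chosen for demonstration: the compromise probability is assumed to halve for every fixed increment of security spend, the mean loss given compromise is assumed to be a fixed fraction of revenue, and the loading factor, coinsurance share and "market-average" spend are invented. It compares the firm's cost-minimising budget when it is uninsured, when the insurer observes its spend and prices accordingly, and when the insurer cannot observe spend and charges a flat premium (the moral-hazard setting).

```python
"""
Added illustration, not the project's model: a toy premium and security-budget
trade-off for a single firm. The exponential decay of compromise probability in
security spend, the mean loss as a fraction of revenue, the loading factor and
the coinsurance share are all assumptions chosen for demonstration.
"""

REVENUE = 10_000_000.0   # assumed annual revenue of the illustrative firm
BASE_PROB = 0.30         # assumed P(compromise in a year) with zero security spend
HALF_LIFE = 20_000.0     # assumed spend that halves the compromise probability
SEVERITY = 0.05          # assumed mean loss given compromise, as a fraction of revenue
LOADING = 0.25           # assumed insurer loading over the actuarially fair premium
RETENTION = 0.5          # assumed coinsurance: share of each loss the firm keeps


def compromise_probability(spend: float) -> float:
    """Assumed model: each HALF_LIFE of annual security spend halves the
    probability of at least one compromise in the year."""
    return BASE_PROB * 0.5 ** (spend / HALF_LIFE)


def expected_loss(spend: float) -> float:
    """Expected annual loss = P(compromise) * mean loss given compromise."""
    return compromise_probability(spend) * SEVERITY * REVENUE


def risk_based_premium(spend: float) -> float:
    """Premium when the insurer observes the firm's spend: the loaded expected
    value of the insured share of the loss."""
    return (1.0 + LOADING) * (1.0 - RETENTION) * expected_loss(spend)


def flat_premium(market_average_spend: float) -> float:
    """Premium when the insurer cannot observe individual spend and prices every
    applicant at an assumed market-average spend (the adverse-selection setting)."""
    return risk_based_premium(market_average_spend)


def annual_cost(spend: float, regime: str, market_average_spend: float = 40_000.0) -> float:
    """Firm's expected annual outlay under three regimes:
      'uninsured'  : spend + full expected loss
      'risk_based' : spend + retained share + spend-sensitive premium
      'flat'       : spend + retained share + premium independent of own spend"""
    if regime == "uninsured":
        return spend + expected_loss(spend)
    retained = RETENTION * expected_loss(spend)
    if regime == "risk_based":
        return spend + retained + risk_based_premium(spend)
    if regime == "flat":
        return spend + retained + flat_premium(market_average_spend)
    raise ValueError(f"unknown regime {regime!r}")


def optimal_spend(regime: str, step: float = 1_000.0, limit: float = 150_000.0) -> float:
    """Grid search for the security budget that minimises the firm's expected
    annual cost under the given regime."""
    candidates = [i * step for i in range(int(limit / step) + 1)]
    return min(candidates, key=lambda s: annual_cost(s, regime))


if __name__ == "__main__":
    for regime in ("uninsured", "risk_based", "flat"):
        s = optimal_spend(regime)
        print(f"{regime:11s} optimal spend {s:>9,.0f}  "
              f"P(compromise) {compromise_probability(s):.3f}  "
              f"expected annual cost {annual_cost(s, regime):>10,.0f}")
```

Under these assumptions the flat-premium firm chooses the smallest budget of the three, because its premium no longer responds to its own spending; the risk-based firm chooses the largest, because the loaded premium makes each avoided loss worth more than it is to an uninsured firm. The direction of those effects is what the moral-hazard argument predicts; the sizes depend entirely on the invented parameters, which is exactly the calibration gap the abstract describes.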


Studentship Projects

Project Reference   Relationship   Related To     Start        End          Student Name
EP/R513143/1                                      01/10/2018   30/09/2023
2262870             Studentship    EP/R513143/1   01/10/2019   22/11/2023   Henry Skeoch