Analysis of the impact of cyber events for cyber insurance
Kjartan Palsson [1] · Steinn Gudmundsson [1] · Sachin Shetty [2]
Received: 16 September 2019 / Accepted: 5 May 2020
© The Geneva Association 2020

Abstract
The mass adoption of cyber insurance will be predicated on the ability to conduct quantitative cyber risk assessment. This capability is crucial for not only providing insight into the cost of targeted threats but also providing incentives for insured enterprises to invest in protection aimed at preventing exploitation of targeted threats. Research indicates that asymmetric information, correlated loss and interdependent security issues make this difficult if insurers cannot monitor the cybersecurity efforts of the insured enterprises. In this paper, we present an analysis of cyber impacts based on cyber incidents reported in the Advisen cyber loss data feed. We show: (i) how exposure to cyber incidents varies between corporate sectors; (ii) how the type of incident relates to the number of entities and individuals affected by it; (iii) how the type of incident relates to the eventual financial cost; (iv) what type of information is most frequently compromised; (v) a breakdown of the main actors behind cyber incidents; and (vi) how tree-based classifiers can be used to gain insight into cyber risk indicators affecting the cost of incidents.

Keywords: Cyber risk modelling · Cyber risk assessment · Cyber insurance · Random forests classifier

* Sachin Shetty [email protected]
[1] Department of Computer Science, University of Iceland, Taeknigardur, Dunhagi 5, 107, Reykjavík, Iceland
[2] Department of Computational Modeling and Simulation Engineering, Old Dominion University, 1030 University Blvd, Suffolk, VA 23435, USA

Introduction
Cyber risk assessment is paramount for organisations to conduct effective risk management and enhance resilience to cyber threats (Refsdal et al. 2015). Quantitative cyber risk assessment also benefits insurers by helping to provide affordable and comprehensive insurance coverage (Swiss Re 2017). However, current cyber risk assessment processes are primarily qualitative and lack quantitative insight. In order to conduct effective cyber risk assessment, it is critical to quantitatively estimate the frequency of incidents and the severity of potential losses across sectors. The process of distinguishing insureds based on cyber risk level is challenging for insurers and underwriters. Currently, in order to conduct cyber risk assessment, the insurer often requires an organisation to undergo an application process and several underwriting meetings. In addition, it is challenging for insurers to differentiate risks at first glance and they therefore charge similar premiums for organisations across and within sectors. The state-of-the-practice solution of providing rebates to policyholders that have good historical cybersecurity posture is not tenable. Although this practice can keep the risks endured by insurers manageable, the lack of convenient and pr