Policy discussions often assume that wider adoption of cyber insurance will promote information security best practice. However, this depends on the process that applicants need to go through to apply for cyber insurance. A typical process would require an applicant to fill out a proposal form, which is a self-assessed questionnaire. In this paper, we examine 24 proposal forms, offered by insurers based in the UK and the US, to determine which security controls are present in the forms. Our aim is to establish whether the collection of security controls mentioned in the analysed forms corresponds to the controls defined in ISO/IEC 27002 and the CIS Critical Security Controls; these two control sets are generally held to be best practice. This work contains a novel research direction as we are the first to systematically analyse cyber insurance proposal forms. Our contributions include evidence regarding the assumption that the insurance industry will promote security best practice. To address the problem of adverse selection, we suggest the number of controls that proposal forms should include to be in alignment with the two information security frameworks. Finally, we discuss the incentives that could lead to this disparity between insurance practice and information security best practice, emphasising the importance of information security economics in studying cyber insurance.
The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public-private partnership. This paper rectifies this omission and presents a framework to help underpin such a partnership, giving particular consideration to possible government interventions that might affect the cyber insurance market. We have undertaken a qualitative analysis of reports published by policy-making institutions and organisations working in the cyber insurance domain; we have also conducted interviews with cyber insurance professionals. Together, these constitute a stakeholder analysis upon which we build our framework. In addition, we present a research roadmap to demonstrate how the ideas described might be taken forward.
The transmission of airborne sound into high-impedance media is of interest in several applications. For example, sonic booms in the atmosphere may impact marine life when incident on the ocean surface, or affect the integrity of existing structures when incident on the ground. Transmission across high impedance-difference interfaces is generally limited by reflection and refraction at the surface, and by the critical angle criterion. However, spatially decaying incident waves, i.e., inhomogeneous or evanescent plane waves, may transmit energy above the critical angle, unlike homogeneous plane waves. The introduction of a decaying component to the incident trace wavenumber creates a nonzero propagating component of the transmitted normal wavenumber, so energy can be transmitted across the interface. A model of evanescent plane waves and their transmission across fluid-fluid and fluid-solid interfaces is developed here. Results are presented for both air-water and air-solid interfaces. The effects of the incident wave parameters (including the frequency, decay rate, and incidence angle) and the interfacial properties are investigated. Conditions for which there is no reflection at the air-solid interface, due to impedance matching between the incident and transmitted waves, are also considered and are found to yield substantial transmission increases over homogeneous incident waves.
Thousands of incidents each year are now managed by external law firms. Victim firms call a hotline and delegate incident response to external counsel without a pre-existing relationship. We assemble preliminary evidence on how this model breaks from conventional incident response and outline questions for future research.
Cyber insurance could achieve public policy goals for cybersecurity with private-sector means. Insurers assess organizational security postures, prescribe security procedures and controls, and provide post-incident services. We evaluate how such mechanisms impact security, identify market dynamics restricting their effectiveness, and sketch out possible futures for cyber insurance as governance.