Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling

Zhao, Xia; Xue, Ling; Whinston, Andrew B.

doi:10.2139/ssrn.1593137

Cited by 15 publications

(16 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A broader notion includes service providers who manage security investment decisions on behalf of the agents. If implementable, this can help to internalize negative externalities of interdependent security [ZXW09]. * This completes the definition of our framework.…”

Section: Security Service Providersmentioning

confidence: 69%

Insurance mechanisms in information security risk management

Борхаленко¹

2017

EATP

View full text Add to dashboard Cite

We propose a comprehensive formal framework to classify all market models of cyber-insurance we are aware of. The framework features a common terminology and deals with the specific properties of cyber-risk in a unified way: interdependent security, correlated risk, and information asymmetries. A survey of existing models, tabulated according to our framework, reveals a discrepancy between informal arguments in favor of cyber-insurance as a tool to align incentives for better network security, and analytical results questioning the viability of a market for cyber-insurance. Using our framework, we show which parameters should be considered and endogenized in future models to close this gap.

show abstract

Section: Security Service Providersmentioning

confidence: 69%

Insurance mechanisms in information security risk management

Борхаленко¹

2017

EATP

View full text Add to dashboard Cite

show abstract

“…A unifying framework is provided by Böhme et al [23], which draws a distinction between two aspects of the market. First of all, the focus on how security investments accrue benefits to all parties in a system, not just the investor-particularly, how these positive externalities can reduce the risk an insurer faces [24][25][26][27]. Secondly, there have been various considerations of systemic risk, in which many firms make claims arising from the same event because of the interdependency of networks [28][29][30].…”

Section: Related Workmentioning

confidence: 99%

Mapping the coverage of security controls in cyber insurance proposal forms

Woods

Agrafiotis

Nurse

et al. 2017

J Internet Serv Appl

View full text Add to dashboard Cite

Policy discussions often assume that wider adoption of cyber insurance will promote information security best practice. However, this depends on the process that applicants need to go through to apply for cyber insurance. A typical process would require an applicant to fill out a proposal form, which is a self-assessed questionnaire. In this paper, we examine 24 proposal forms, offered by insurers based in the UK and the US, to determine which security controls are present in the forms. Our aim is to establish whether the collection of security controls mentioned in the analysed forms corresponds to the controls defined in ISO/IEC 27002 and the CIS Critical Security Controls; these two control sets are generally held to be best practice. This work contains a novel research direction as we are the first to systematically analyse cyber insurance proposal forms. Our contributions include evidence regarding the assumption that the insurance industry will promote security best practice. To address the problem of adverse selection, we suggest the number of controls that proposal forms should include to be in alignment with the two information security frameworks. Finally, we discuss the incentives that could lead to this disparity between insurance practice and information security best practice, emphasising the importance of information security economics in studying cyber insurance.

show abstract

“…Most models of interdependence are designed with the intention to find ways to internalize the externality. The design of different models of interdependence led to literature for different contexts, including secure outsourced computation with incentive (Belenkiy et al, 2008), and secure outsourcing with and without risk transfer (Rowe, 2007;Zhao, Xue, & Whinston, 2009). Also, the availability of security audits is assumed sometimes (Shetty, Schwartz, Felegyhazi, & Walrand, 2010).…”

Section: Incentive Mechanismsmentioning

confidence: 99%