Summary
Against the background of a highly dynamic and rapidly changing risk landscape in companies, this paper examines the status quo of insuring cyber risks and of how such threats are handled in risk management. Given the novelty and complexity of the topic and its inadequate treatment in the literature to date, interviews were conducted with experts from insurance and consulting companies as well as interest associations. The findings show that in corporate practice a lack of risk awareness for cyber threats is a significant factor influencing IT security, and that cyber risks are frequently given insufficient consideration in risk management. In addition, cyber policies currently offer no all-risks coverage for cyber losses, and the German cyber insurance market has so far been little developed.
Abstract
This paper examines the status quo of insurance coverage and risk management for cyber threats. Because cyber risks are novel and complex, we conducted interviews with experts from insurance companies, management consultancy firms and interest associations and evaluated them using Mayring's qualitative content analysis. We found that insufficient cyber security awareness is a key factor influencing IT security and that the diverse risk potentials of cyber threats are inadequately included in risk management. Likewise, many insurance policies provide limited coverage for losses caused by cyber risks.
Notes
On the various risks associated with the use of the WWW, see Kim et al. (2011).
On the classification of security threats to IT systems, see Jouini et al. (2014).
According to a representative survey by the Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom), the total loss to companies in Germany as a result of digital industrial espionage, sabotage and data theft amounts, by conservative calculation, to about €43.4 billion over the last two years (Bitkom 2018). In 2017 the average cost of a single data breach event for German companies was about €3.42 million (Ponemon Institute, LLC 2017). On the difficulty of estimating the economic costs of cybercrime, see in particular Anderson et al. (2013) and Hyman (2013).
References
Abawajy, J.: User preference of cyber security awareness delivery methods. Behav. Inf. Technol. 33(3), 237–248 (2014)
Adler, S.B., Sand, R.A.: Internet insurance whitepaper how to build insurable Internet business. Geneva Pap. Risk Insur. Issues Pract. 23(1), 81–102 (1998)
Albrechtsen, E.: A qualitative study of users’ view on information security. Comput. Secur. 26(4), 276–289 (2007)
Albrechtsen, E., Hovden, J.: Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput. Secur. 29(4), 432–445 (2010)
Anderson, R.J.: Liability and computer security: nine principles. In: Gollmann, D. (ed.) Computer Security ESORICS 94: Third European Symposium on Research in Computer Security, Brighton, United Kingdom, November 7–9, 1994. Proceedings, pp. 231–245. Springer, Berlin, Heidelberg (1994)
Anderson, R.J., Moore, T.: The economics of information security. Science 314(5799), 610–613 (2006)
Anderson, R.J., Barton, C., Böhme, R., Clayton, R., Van Eeten, M.J.G., Levi, M., Moore, T., Savage, S.: Measuring the cost of cybercrime. In: Böhme, R. (ed.) The Economics of Information Security and Privacy, pp. 265–300. Springer, Heidelberg, New York, Dordrecht, London (2013)
Ashby, S.G., Buck, T., Nöth-Zahn, S., Peisl, T.: Emerging IT risks: insights from German banking. Geneva Pap. Risk Insur. Issues Pract. 43(2), 180–207 (2018)
Aytes, K., Connolly, T.: Computer security and risky computing practices: a rational choice perspective. J. Organ. End User Comput. 16(3), 22–40 (2004)
Baban, C.P., Barker, T., Gruchmann, Y., Paun, C., Peters, A.C., Stuchtey, T.H.: Cyberversicherungen als Beitrag zum IT-Risikomanagement – Eine Analyse der Märkte für Cyberversicherungen in Deutschland, der Schweiz, den USA und Großbritannien. Standpunkt zivile Sicherheit Nr. 8. Brandenburgisches Institut für Gesellschaft und Sicherheit gGmbH (BIGS), Potsdam (2017). http://www.bigs-potsdam.org/images/weitere_Publikationen/Standpunkt_8_2017%20Online.pdf, Accessed 7 Dec 2018
Baer, W.S.: Rewarding IT security in the marketplace. Contemp. Secur. Policy 24(1), 190–208 (2003)
Baer, W.S., Parkinson, A.: Cyberinsurance in IT security management. IEEE. Secur. Priv. 5(3), 50–56 (2007)
Bandyopadhyay, T., Jacob, V., Raghunathan, S.: Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Inf. Technol. Manage. 11(1), 7–23 (2010)
Bandyopadhyay, T., Shidore, S.: Towards a Managerial Decision Framework for Utilization of Cyber Insurance Instruments in IT security. In: Proceedings of the 17th Americas Conference on Information Systems (AMCIS), Detroit, August 4–7, 2011 (2011)
Bandyopadhyay, T.: Organizational Adoption of Cyber Insurance Instruments in IT Security Risk Management—A Modeling Approach. In: Proceedings of the 15th Annual Conference of the Southern Association for Information Systems (SAIS), Atlanta, March 23–24, 2012 (2012)
Bandyopadhyay, T., Mookerjee, V.S., Rao, R.C.: Why IT managers don’t go for cyber-insurance products. Commun. ACM 52(11), 68–73 (2009)
Bauer, J.M., Van Eeten, M.J.G.: Cybersecurity: stakeholder incentives, externalities, and policy options. Telecomm. Policy 33(10–11), 706–719 (2009)
Bendovschi, A.: Cyber-attacks—trends, patterns and security countermeasures. Procedia Econ. Financ. 28, 24–31 (2015)
Biener, C., Eling, M., Matt, A., Wirfs, J.H.: Cyber Risk: Risikomanagement und Versicherbarkeit. I•VW HSG Schriftenreihe, vol. 54. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2015a)
Biener, C., Eling, M., Wirfs, J.H.: Insurability of cyber risk: an empirical analysis. Geneva Pap. Risk Insur. Issues Pract. 40(1), 131–158 (2015b)
Blakley, B., McDermott, E., Geer, D.: Information Security is Information Risk Management. In: Proceedings of the New Security Paradigms Workshop (NSPW), Cloudcroft, September 10–13, 2001 (2001)
Bley, K., Leyh, C., Schäffer, T.: Digitization of German Enterprises in the Production Sector—Do they know how “digitized” they are?. In: Proceedings of the 22nd Americas Conference on Information Systems (AMCIS), San Diego, August 11–14, 2016 (2016)
Blind, K.: Eine Analyse der Versicherung von Risiken der Informationssicherheit in Kommunikationsnetzen. Z. Ges. Versicherungswiss. 85(1), 81–101 (1996)
Blind, K.: Insuring risks to information safety in communication systems in Germany. J. Insur. Regul. 19(3), 466–490 (2001)
Bogner, A., Littig, B., Menz, W.: Interviews mit Experten: Eine praxisorientierte Einführung. Springer VS, Wiesbaden (2014)
Böhme, R.: Cyber-Insurance Revisited. In: Proceedings of the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, June 2–3, 2005 (2005a)
Böhme, R.: IT-Risiken im Schadenversicherungsmodell: Implikationen der Marktstruktur. In: Federrath, H. (ed.) Sicherheit 2005: Sicherheit – Schutz und Zuverlässigkeit, Beiträge der 2. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), Regensburg, 5.–8. April 2005, pp. 27–40. Köllen, Bonn (2005b)
Böhme, R., Kataria, G.: Models and Measures for Correlation in Cyber-Insurance. In: Proceedings of the 5th Workshop on the Economics of Information Security (WEIS), Cambridge, June 26–28, 2006 (2006a)
Böhme, R., Kataria, G.: On the limits of cyber-insurance. In: Fischer-Hübner, S., Furnell, S., Lambrinoudakis, C. (eds.) Trust and Privacy in Digital Business: Third International Conference, TrustBus 2006, Kraków, Poland, September 4–8, 2006. Proceedings, pp. 31–40. Springer, Berlin, Heidelberg (2006b)
Böhme, R., Schwartz, G.: Modeling Cyber-Insurance: Towards A Unifying Framework. In: Proceedings of the 9th Workshop on the Economics of Information Security (WEIS), Cambridge, June 7–8, 2010 (2010)
Bolot, J., Lelarge, M.: Cyber insurance as an incentive for Internet security. In: Johnson, M.E. (ed.) Managing Information Risk and the Economics of Security, pp. 269–290. Springer, Boston (2009)
Brancheau, J.C., Janz, B.D., Wetherbe, J.C.: Key issues in information systems management: 1994–95 SIM Delphi results. MIS Q. 20(2), 225–242 (1996)
Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)
Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom) (ed.): IT-Risiko- und Chancenmanagement im Unternehmen: Ein LEITFADEN für kleine und mittlere Unternehmen (2006). https://www.bitkom.org/noindex/Publikationen/2006/Leitfaden/Leitfaden-IT-Risiko-und-Chancenmanagement-fuer-kleine-und-mittlere-Unternehmen/060601-Bitkom-Leitfaden-IT-Risikomanagement-V10-final.pdf, Accessed 7 Dec 2018
Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom) (ed.): Spionage, Sabotage und Datendiebstahl – Wirtschaftsschutz in der Industrie: Studienbericht 2018 (2018). https://www.bitkom.org/sites/default/files/file/import/181008-Bitkom-Studie-Wirtschaftsschutz-2018-NEU.pdf, Accessed 7 Dec 2018
Cachia, M., Millward, L.: The telephone medium and semi-structured interviews: a complementary fit. Qual. Res. Organ. Manage. Int. J. 6(3), 265–277 (2011)
Camillo, M.: Cyber risk and the changing role of insurance. J. Cyber Policy 2(1), 53–63 (2017)
Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Economics of IT security management: four improvements to current security practices. Commun. AIS 14, 65–75 (2004)
Cavusoglu, H., Cavusoglu, H., Son, J.-Y., Benbasat, I.: Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources. Inf. Manage. 52(4), 385–400 (2015)
Cebula, J.J., Popeck, M.E., Young, L.R.: A Taxonomy of Operational Cyber Security Risks Version 2. Technical Note CMU/SEI-2014-TN-006. Software Engineering Institute. Carnegie Mellon University, Pittsburgh (2014). http://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_91026.pdf, Accessed 7 Dec 2018
Cepeda, G., Martin, D.: A review of case studies publishing in Management Decision 2003–2004: guides and criteria for achieving quality in qualitative research. Manage. Decis. 43(6), 851–876 (2005)
Chertoff, M.: The cybersecurity challenge. Regul. Gov. 2(4), 480–484 (2008)
Chief Risk Officer (CRO) Forum: Cyber resilience—The cyber risk challenge and the role of insurance (2014). https://www.thecroforum.org/wp-content/uploads/2015/01/Cyber-Risk-Paper-version-24-1.pdf, Accessed 7 Dec 2018
Choi, N., Kim, D., Goo, J., Whitmore, A.: Knowing is doing: an empirical validation of the relationship between managerial information security awareness and action. Inf. Manage. Comput. Secur. 16(5), 484–501 (2008)
Choo, K.-K.R.: The cyber threat landscape: challenges and future research directions. Comput. Secur. 30(8), 719–731 (2011)
Choudhry, U.: Der Cyber-Versicherungsmarkt in Deutschland: Eine Einführung. Springer Gabler, Wiesbaden (2014)
Christmann, G.B.: Expert interviews on the telephone: a difficult undertaking. In: Bogner, A., Littig, B., Menz, W. (eds.) Interviewing Experts, pp. 157–183. Palgrave Macmillan, London (2009)
Cox, J.: Information systems user security: a structured model of the knowing–doing gap. Comput. Hum. Behav. 28(5), 1849–1858 (2012)
Deane, J.K., Ragsdale, C.T., Rakes, T.R., Rees, L.R.: Managing supply chain risk and disruption from IT security incidents. Oper. Manage. Res. 2(1–4), 4–12 (2009)
De Smidt, G.A., Botzen, W.J.W.: Perceptions of corporate cyber risks and insurance decision-making. Geneva Pap. Risk Insur. Issues Pract. 43(2), 239–274 (2018)
Diekmann, A.: Empirische Sozialforschung: Grundlagen, Methoden, Anwendungen, 18th edn. Rowohlt, Reinbek (2007)
Dong, L., Tomlin, B.: Managing disruption risk: the interplay between operations and insurance. Manage. Sci. 58(10), 1898–1915 (2012)
Eisenhardt, K.M.: Building theories from case study research. Acad. Manage. Rev. 14(4), 532–550 (1989)
Eisenhardt, K.M., Graebner, M.E.: Theory building from cases: opportunities and challenges. Acad. Manage. J. 50(1), 25–32 (2007)
Eling, M.: Cyber risk and cyber risk insurance: status quo and future research. Geneva Pap. Risk Insur. Issues Pract. 43(2), 175–179 (2018)
Eling, M., Schnell, W.: Ten Key Questions on Cyber Risk and Cyber Risk Insurance. The Geneva Association, Zurich (2016a). https://www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public//cyber-risk-10_key_questions.pdf, Accessed 7 Dec 2018
Eling, M., Schnell, W.: What do we know about cyber risk and cyber risk insurance?. J. Risk Financ. 17(5), 474–491 (2016b)
Eling, M., Wirfs, J.H.: Cyber Risk: Too Big to Insure?—Risk Transfer Options for a Mercurial Risk Class. I•VW HSG Schriftenreihe, vol. 59. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2016). http://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/studien/cyberrisk2016.pdf, Accessed 7 Dec 2018
Eling, M., Wirfs, J.H.: What are the actual costs of cyber risk events?. Eur. J. Oper. Res. 272(3), 1109–1119 (2019)
European Union Agency for Network and Information Security (ENISA): Incentives and barriers of the cyber insurance market in Europe (2012). https://www.enisa.europa.eu/publications/incentives-and-barriers-of-the-cyber-insurance-market-in-europe/at_download/fullReport, Accessed 7 Dec 2018
European Union Agency for Network and Information Security (ENISA): Cyber Insurance: Recent Advances, Good Practices and Challenges (2016). https://www.enisa.europa.eu/publications/cyber-insurance-recent-advances-good-practices-and-challenges/at_download/fullReport, Accessed 7 Dec 2018
Faisst, U., Prokein, O., Wegmann, N.: Ein Modell zur dynamischen Investitionsrechnung von IT-Sicherheitsmaßnahmen. Z. Betriebswirtsch. 77(5), 511–538 (2007)
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Decision support approaches for cyber security investment. Decis. Support. Syst. 86, 13–23 (2016)
Finfgeld-Connett, D.: Use of content analysis to conduct knowledge-building and theory-generating qualitative systematic reviews. Qual. Res. 14(3), 341–352 (2014)
Firestone, W.A.: Alternative arguments for generalizing from data as applied to qualitative research. Educ. Researcher 22(4), 16–23 (1993)
Flagmeier, W., Heidemann, J.: Sonderheft: Cyber-Versicherungen, 4th edn. Wolters Kluwer, Münster (2018)
Franke, U.: The cyber insurance market in Sweden. Comput. Secur. 68, 130–144 (2017)
Gaudenzi, B., Siciliano, G.: Just do it: managing IT and cyber risks to protect the value creation. J. Promot. Manage. 23(3), 372–385 (2017)
Gläser, J., Laudel, G.: Experteninterviews und qualitative Inhaltsanalyse als Instrumente rekonstruierender Untersuchungen, 4th edn. VS, Wiesbaden (2010)
Goodhue, D.L., Straub, D.W.: Security concerns of system users: a study of perceptions of the adequacy of security. Inf. Manage. 20(1), 13–27 (1991)
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)
Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Commun. ACM 46(3), 81–85 (2003)
Grace, M.F., Leverty, J.T., Phillips, R.D., Shimpi, P.: The value of investing in enterprise risk management. J. Risk Insur. 82(2), 289–316 (2015)
Groleau, D., Zelkowitz, P., Cabral, I.E.: Enhancing generalizability: moving from an intimate to a political voice. Qual. Health Res. 19(3), 416–426 (2009)
Grzebiela, T.: Versicherbarkeit von Risiken des E-Commerce. In: Buhl, H.U., Huther, A., Reitwiesner, B. (eds.) Information Age Economy: 5. Internationale Tagung Wirtschaftsinformatik 2001, pp. 409–423. Physica, Heidelberg (2001)
Grzebiela, T.: Insurability of Electronic Commerce Risks. In: Proceedings of the 35th Hawaii International Conference on System Sciences (HICSS), Big Island, January 7–10, 2002 (2002a)
Grzebiela, T.: Internet-Risiken: Versicherbarkeit und Alternativer Risikotransfer, 1st edn. Deutscher Universitäts-Verlag, Wiesbaden (2002b)
Guy Carpenter & Company, LLC: Tomorrow Never Knows: Emerging Risks Report September 2013 (2013). http://www.curie.org/sites/default/files/Emerging-Risks-Report-Sept-2013.pdf, Accessed 7 Dec 2018
Haas, A., Hofmann, A.: Risiken aus der Nutzung von Cloud-Computing-Diensten: Fragen des Risikomanagements und Aspekte der Versicherbarkeit. Z. Ges. Versicherungswiss. 103(4), 377–407 (2014)
Hartley, J.F.: Case studies in organizational research. In: Cassell, C., Symon, G. (eds.) Qualitative Methods in Organizational Research: A Practical Guide, pp. 209–229. SAGE, London (1994)
Harvey, C.D.H.: Telephone survey techniques. Can. Home Econ. J. 38(1), 30–35 (1988)
Herath, H.S.B., Herath, T.C.: Copula-based actuarial model for pricing cyber-insurance policies. Insur. Mark. Co. Anal. Actuar. Comput. 2(1), 7–20 (2011)
Hiller, J.S., Russell, R.S.: The challenge and imperative of private sector cybersecurity: an international comparison. Comput. Law Secur. Rev. 29(3), 236–245 (2013)
Hopf, C.: Qualitative Interviews – Ein Überblick. In: Flick, U., Von Kardorff, E., Steinke, I. (eds.) Qualitative Forschung: Ein Handbuch, 10th edn., pp. 349–360. Rowohlt, Reinbek (2013)
Hoyt, R.E., Liebenberg, A.P.: The value of enterprise risk management. J. Risk Insur. 78(4), 795–822 (2011)
Hsieh, H.-F., Shannon, S.E.: Three approaches to qualitative content analysis. Qual. Health Res. 15(9), 1277–1288 (2005)
Hu, Q., Hart, P., Cooke, D.: The role of external and internal influences on information systems security—a neo-institutional perspective. J. Strateg. Inf. Syst. 16(2), 153–172 (2007)
Hyman, P.: Cybercrime: it’s serious, but exactly how serious?. Commun. ACM 56(3), 18–20 (2013)
Innerhofer-Oberperfler, F., Breu, R.: Potential rating indicators for cyberinsurance: an exploratory qualitative study. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 249–278. Springer, Boston (2010)
Institute of Risk Management: Cyber Risk: Resources for Practitioners (2014). https://www.iia.org.uk/media/560694/irm_cyber_risk_for_practioners.pdf, Accessed 7 Dec 2018
Järveläinen, J.: IT incidents and business impacts: validating a framework for continuity management in information systems. Int. J. Inf. Manage. 33(3), 583–590 (2013)
Jouini, M., Rabai, L.B.A., Aissa, A.B.: Classification of security threats in information systems. Procedia Comput. Sci. 32, 489–496 (2014)
Kaiser, R.: Qualitative Experteninterviews: Konzeptionelle Grundlagen und praktische Durchführung. Springer VS, Wiesbaden (2014)
Kankanhalli, A., Teo, H.-H., Tan, B.C.Y., Wei, K.-K.: An integrative study of information systems security effectiveness. Int. J. Inf. Manage. 23(2), 139–154 (2003)
Kayworth, T., Whitten, D.: Effective information security requires a balance of social and technology factors. MIS Q. Exec. 9(3), 163–175 (2010)
Keegan, C.: Cyber security in the supply chain: a perspective from the insurance industry. Technovation 34(7), 380–381 (2014)
Kesan, J.P., Majuca, R.P., Yurcik, W.J.: The Economic Case for Cyberinsurance. Working Paper. University of Illinois at Urbana-Champaign. Urbana-Champaign (2004). http://law.bepress.com/cgi/viewcontent.cgi?article=1001&context=uiuclwps, Accessed 7 Dec 2018
Kesan, J.P., Majuca, R.P., Yurcik, W.J.: Cyberinsurance as a market-based solution to the problem of cybersecurity—A case study. In: Proceedings of the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, June 2–3, 2005 (2005)
Kesan, J.P., Majuca, R.P., Yurcik, W.J.: Three economic arguments for cyberinsurance. In: Chander, A., Gelman, L., Radin, M.J. (eds.) Securing Privacy in the Internet Age, pp. 345–366. Stanford University Press, Stanford (2008)
Kim, W., Jeong, O.-R., Kim, C., So, J.: The dark side of the Internet: attacks, costs and responses. Inf. Syst. 36(3), 675–705 (2011)
Kirkpatrick, K.: Cyber policies on the rise. Commun. ACM 58(10), 21–23 (2015)
Königs, H.-P.: IT-Risikomanagement mit System: Praxisorientiertes Management von Informationssicherheits-, IT- und Cyberrisiken, 5th edn. Springer Vieweg, Wiesbaden (2017)
Kosub, T.: Components and challenges of integrated cyber risk management. Z. Ges. Versicherungswiss. 104(5), 615–634 (2015)
KPMG AG Wirtschaftsprüfungsgesellschaft: e-Crime in der deutschen Wirtschaft 2017 – Computerkriminalität im Visier (2017a). http://hub.kpmg.de/hubfs/LandingPages-PDF/e-crime-studie-2017-KPMG.pdf, Accessed 7 Dec 2018
KPMG AG Wirtschaftsprüfungsgesellschaft: Neues Denken, Neues Handeln – Versicherungen im Zeitalter von Digitalisierung und Cyber Studienteil B: Cyber (2017b). https://assets.kpmg.com/content/dam/kpmg/ch/pdf/neues-denken-neues-handeln-cyber-de.pdf, Accessed 7 Dec 2018
Kritzinger, E., Smith, E.: Information security management: an information security retrieval and awareness model for industry. Comput. Secur. 27(5–6), 224–231 (2008)
Kruger, H.A., Kearney, W.D.: A prototype for assessing information security awareness. Comput. Secur. 25(4), 289–296 (2006)
Krummaker, S., Graf von der Schulenburg, J.-M.: Die Versicherungsnachfrage von Unternehmen: Eine Empirische Untersuchung der Sachversicherungsnachfrage deutscher Unternehmen. Z. Ges. Versicherungswiss. 97(1), 79–97 (2008)
Kuckartz, U.: Qualitative Inhaltsanalyse. Methoden, Praxis, Computerunterstützung, 3rd edn. Beltz Juventa, Weinheim, Basel (2016)
Lai, C., Medvinsky, G., Neuman, C.B.: Endorsements, Licensing, and Insurance for Distributed System Services. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security (CCS), Fairfax, November 2–4, 1994 (1994)
Lambrinoudakis, C., Gritzalis, S., Hatzopoulos, P., Yannacopoulos, A.N., Katsikas, S.: A formal model for pricing information systems insurance contracts. Comput. Stand. Interf. 27(5), 521–532 (2005)
Lamnek, S.: Qualitative Sozialforschung: Lehrbuch, 4th edn. Beltz, Weinheim, Basel (2005)
Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.H.: Information security awareness and behavior: a theory-based literature review. Manage. Res. Rev. 37(12), 1049–1092 (2014)
Legner, C., Eymann, T., Hess, T., Matt, C., Böhmann, T., Drews, P., Mädche, A., Urbach, N., Ahlemann, F.: Digitalization: opportunity and challenge for the business and information systems engineering community. Bus. Inf. Syst. Eng. 59(4), 301–308 (2017)
Lesch, T., Richter, A.: Risiken aus kommerzieller Nutzung des Internet – Möglichkeiten der Schadenverhütung und Versicherung. Z. Ges. Versicherungswiss. 89(4), 605–633 (2000)
Liebenberg, A.P., Hoyt, R.E.: The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Manage. Insur. Rev. 6(1), 37–52 (2003)
Luftman, J., Ben-Zvi, T.: Key issues for IT executives 2009: difficult economy’s impact on IT. MIS Q. Exec. 9(1), 49–59 (2010)
Majuca, R.P., Yurcik, W.J., Kesan, J.P.: The evolution of cyberinsurance. Working Paper. University of Illinois at Urbana-Champaign, Urbana-Champaign (2006). https://arxiv.org/ftp/cs/papers/0601/0601020.pdf, Accessed 7 Dec 2018
Marotta, A., Martinelli, F., Nanni, S., Yautsiukhin, A.: A Survey on Cyber-Insurance. Technical Report IIT TR-17/2015. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa (2015). http://www.iit.cnr.it/sites/default/files/TR-17-2015.pdf, Accessed 7 Dec 2018
Marotta, A., Martinelli, F., Nanni, S., Orlando, A., Yautsiukhin, A.: Cyber-insurance survey. Comput. Sci. Rev. 24, 35–61 (2017)
Marshall, B., Cardon, P., Poddar, A., Fontenot, R.: Does sample size matter in qualitative research?: a review of qualitative interviews in IS research. J. Comput. Inf. Syst. 54(1), 11–22 (2013)
Mayring, P.: Qualitative Inhaltsanalyse: Grundlagen und Techniken, 12th edn. Beltz, Weinheim, Basel (2015)
Mayring, P.: Einführung in die qualitative Sozialforschung: Eine Anleitung zu qualitativem Denken, 6th edn. Beltz, Weinheim, Basel (2016)
McLellan, E., MacQueen, K.M., Neidig, J.L.: Beyond the qualitative interview: data preparation and transcription. Field Methods 15(1), 63–84 (2003)
Mehl, C.: Insurability of risks on the information highway, from the user’s point of view. Geneva Pap. Risk Insur. Issues Pract. 23(1), 103–111 (1998)
Meland, P.H., Tøndel, I.A., Moe, M.E.G., Seehusen, F.: Facing uncertainty in cyber insurance policies. In: Livraga, G., Mitchell, C. (eds.) Security and Trust Management: 13th International Workshop, STM 2017, Oslo, Norway, September 14–15, 2017. Proceedings, pp. 89–100. Springer, Cham (2017)
Meland, P.H., Tøndel, I.A., Solhaug, B.: Mitigating risk with cyberinsurance. IEEE. Secur. Priv. 13(6), 38–43 (2015)
Merkens, H.: Stichproben bei qualitativen Studien. In: Friebertshäuser, B., Prengel, A. (eds.) Handbuch Qualitative Forschungsmethoden in der Erziehungswissenschaft, pp. 97–106. Juventa, Weinheim, München (1997)
Meuser, M., Nagel, U.: The expert interview and changes in knowledge production. In: Bogner, A., Littig, B., Menz, W. (eds.) Interviewing Experts, pp. 17–42. Palgrave Macmillan, London (2009)
Modrow-Thiel, B.: Qualitative Interviews – Vorgehen und Probleme. Z. Personalforsch. Sonderheft: EMPIRISCHE PERSONALFORSCHUNG, 129–146 (1993)
Moore, T.: The economics of cybersecurity: principles and policy options. Int. J. Crit. Infrastruct. Prot. 3(3–4), 103–117 (2010)
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: e‑Risk Management with Insurance: A framework using Copula aided Bayesian Belief Networks. In: Proceedings of the 39th Hawaii International Conference on System Sciences (HICSS), Kauai, January 4–7, 2006 (2006)
Mukhopadhyay, A., Chakrabarti, B.B., Saha, D., Mahanti, A.: E‑Risk Management through Self Insurance: An Option Model. In: Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS), Waikoloa, January 3–6, 2007 (2007a)
Mukhopadhyay, A., Chatterjee, S., Roy, R., Saha, D., Mahanti, A., Sadhukhan, S.K.: Insuring Big Losses Due to Security Breaches through Insurance: A Business Model. In: Proceedings of the 40th Hawaii International Conference on System Sciences (HICSS), Waikoloa, January 3–6, 2007 (2007b)
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., Sadhukhan, S.K.: Cyber-risk decision models: to insure IT or not?. Decis. Support. Syst. 56, 11–26 (2013)
Mukhopadhyay, A., Saha, D., Chakrabarti, B.B., Mahanti, A., Podder, A.: Insurance for cyber-risk: a utility model. Decision 32(1), 153–169 (2005)
Myers, M.D., Newman, M.: The qualitative interview in IS research: examining the craft. Inf. Organ. 17(1), 2–26 (2007)
Ng, B.-Y., Kankanhalli, A., Xu, Y.(C.): Studying users’ computer security behavior: a health belief perspective. Decis. Support. Syst. 46(4), 815–825 (2009)
Njegomir, V., Marović, B.: Contemporary trends in the global insurance industry. Procedia Soc. Behav. Sci. 44, 134–142 (2012)
Nosworthy, J.D.: Implementing information security in the 21st century—Do you have the balancing factors?. Comput. Secur. 19(4), 337–347 (2000)
Organisation for Economic Co-operation and Development (OECD): Enhancing the Role of Insurance in Cyber Risk Management (2017). https://www.oecd.org/daf/fin/insurance/Enhancing-the-Role-of-Insurance-in-Cyber-Risk-Management.pdf, Accessed 7 Dec 2018
Osborn, E., Simpson, A.: On small-scale IT users’ system architectures and cyber security: a UK case study. Comput. Sci. 70, 27–50 (2017)
Öğüt, H., Raghunathan, S., Menon, N.: Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Anal. 31(3), 497–512 (2011)
Ponemon Institute, LLC: 2017 Cost of Data Breach Study: Germany (2017). https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130DEEN, Accessed 7 Dec 2018
Pooser, D.M., Browne, M.J., Arkhangelska, O.: Growth in the perception of cyber risk: evidence from U.S. P&C insurers. Geneva Pap. Risk Insur. Issues Pract. 43(2), 208–223 (2018)
Porro, B., Epprecht, T.: From producing safety to managing risks. Geneva Pap. Risk Insur. Issues Pract. 26(2), 259–267 (2001)
PricewaterhouseCoopers (PwC): Insurance 2020 & beyond: Reaping the dividends of cyber resilience (2015). https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf, Accessed 7 Dec 2018
Rakes, T.R., Deane, J.K., Rees, L.P.: IT security planning under uncertainty for high-impact events. Omega 40(1), 79–88 (2012)
Ransbotham, S., Mitra, S.: Choice and chance: a conceptual model of paths to information security compromise. Inf. Syst. Res. 20(1), 121–139 (2009)
Refsdal, A., Solhaug, B., Stølen, K.: Cyber-Risk Management. Springer, Cham, Heidelberg, New York, Dordrecht, London (2015)
Romanosky, S., Ablon, L., Kuehn, A., Jones, T.: Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?. In: Proceedings of the 16th Workshop on the Economics of Information Security (WEIS), La Jolla, June 26–27, 2017 (2017)
Ruan, K.: Introducing cybernomics: a unifying economic framework for measuring cyber risk. Comput. Secur. 65, 77–89 (2017)
Salmela, H.: Analysing business losses caused by information systems risk: a business process analysis approach. J. Inf. Technol. 23(3), 185–202 (2008)
Schanz, K.-U.: Understanding and Addressing Global Insurance Protection Gaps. The Geneva Association, Zurich (2018). https://www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public/understanding_and_addressing_global_insurance_protection_gaps.pdf, Accessed 7 Dec 2018
Schneier, B.: Insurance and the computer industry. Commun. ACM 44(3), 114–115 (2001)
Schnell, R., Hill, P.B., Esser, E.: Methoden der empirischen Sozialforschung, 9th edn. Oldenbourg, München (2011)
Seibold, H.: IT-Risikomanagement. Oldenbourg, München (2006)
Shackelford, S.J.: Should your firm invest in cyber risk insurance?. Bus. Horiz. 55(4), 349–356 (2012)
Shetty, N., Schwarz, G., Felegyhazi, M., Walrand, J.: Competitive cyber-insurance and Internet security. In: Moore, T., Pym, D., Ioannidis, C. (eds.) Economics of Information Security and Privacy, pp. 229–247. Springer, Boston (2010)
Shetty, S., McShane, M., Zhang, L., Kesan, J.P., Kamhoua, C.A., Kwiat, K., Njilla, L.L.: Reducing informational disadvantages to improve cyber risk management. Geneva Pap. Risk Insur. Issues Pract. 43(2), 224–238 (2018)
Siegel, C., Sagalow, T.R., Serritella, P.: Cyber-risk management: technical and insurance controls for enterprise-level security. Inf. Syst. Secur. 11(5), 33–49 (2002)
Siponen, M.T.: A conceptual foundation for organizational information security awareness. Inf. Manage. Comput. Secur. 8(1), 31–41 (2000a)
Siponen, M.T.: Critical analysis of different approaches to minimizing user‐related faults in information systems security: implications for research and practice. Inf. Manage. Comput. Secur. 8(5), 197–209 (2000b)
Siponen, M.T.: Five dimensions of information security awareness. ACM SIGCAS Comput. Soc. 31(2), 24–29 (2001)
Smith, G.S.: Recognizing and preparing loss estimates from cyber-attacks. Inf. Syst. Secur. 12(6), 46–57 (2004)
Smith, G.E., Watson, K.J., Baker, W.H., Pokorski II, J.A.: A critical balance: collaboration and security in the IT-enabled supply chain. Int. J. Prod. Res. 45(11), 2595–2613 (2007)
Sonnenreich, W., Albanese, J., Stout, B.: Return On Security Investment (ROSI)—a practical quantitative model. J. Res. Pract. Inf. Technol. 38(1), 45–56 (2006)
Spears, J.L., Barki, H.: User participation in information systems security risk management. MIS Q. 34(3), 503–522 (2010)
Srinidhi, B., Yan, J., Tayi, G.K.: Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors. Decis. Support. Syst. 75, 49–62 (2015)
Stewart, H., Jürjens, J.: Information security management and the human aspect in organizations. Inf. Comput. Secur. 25(5), 494–534 (2017)
Straub, D.W., Welke, R.J.: Coping with systems risk: security planning models for management decision making. MIS Q. 22(4), 441–469 (1998)
Strupczewski, G.: The cyber insurance market in Poland and determinants of its development from the insurance broker’s perspective. Econ. Bus. Rev. 3(2), 33–50 (2017)
Sturges, J.E., Hanrahan, K.J.: Comparing telephone and face-to-face qualitative interviewing: a research note. Qual. Res. 4(1), 107–118 (2004)
Thomson, M.E., Von Solms, R.: Information security awareness: educating your users effectively. Inf. Manage. Comput. Secur. 6(4), 167–173 (1998)
Tøndel, I.A., Meland, P.H., Omerovic, A., Gjære, E.A., Solhaug, B.: Using Cyber-Insurance as a Risk Management Strategy: Knowledge Gaps and Recommendations for Further Research. Technical Report SINTEF A27298. SINTEF ICT, Oslo (2015). https://brage.bibsys.no/xmlui/bitstream/handle/11250/2379189/SINTEF%2bA27298.pdf?sequence=3&isAllowed=y, Accessed 7 Dec 2018
Tøndel, I.A., Seehusen, F., Gjære, E.A., Moe, M.E.G.: Differentiating cyber risk of insurance customers: the insurance company perspective. In: Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A.M., Weippl, E. (eds.) Availability, Reliability, and Security in Information Systems: IFIP WG 8.4, 8.9, TC 5 International Cross-Domain Conference, CD-ARES 2016, and Workshop on Privacy Aware Machine Learning for Health Data Science, PAML 2016, Salzburg, Austria, August 31–September 2, 2016. Proceedings, pp. 175–190. Springer, Cham (2016)
Toregas, C., Zahn, N.: Insurance for Cyber Attacks: The Issue of Setting Premiums in Context. Technical Report GW-CSPRI-2014-1. Cyber Security Policy and Research Institute. The George Washington University, Washington (2014). https://cspri.seas.gwu.edu/sites/cspri.seas.gwu.edu/files/downloads/cyberinsurance_paper_pdf_0.pdf, Accessed 7 Dec 2018
Tosh, D.K., Shetty, S., Sengupta, S., Kesan, J.P., Kamhoua, C.A.: Risk management using cyber-threat information sharing and cyber-insurance. In: Duan, L., Sanjab, A., Li, H., Chen, X., Materassi, D., Elazouzi, R. (eds.) Game Theory for Networks: 7th International EAI Conference, GameNets 2017, Knoxville, TN, USA, May 9, 2017. Proceedings, pp. 154–164. Springer, Cham (2017)
Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Analyzing trajectories of information security awareness. Inf. Technol. People 25(3), 327–352 (2012)
Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Managing the introduction of information security awareness programmes in organizations. Eur. J. Inf. Syst. 24(1), 38–58 (2015)
Veit, D., Clemons, E., Benlian, A., Buxmann, P., Hess, T., Kundisch, D., Leimeister, J.M., Loos, P., Spann, M.: Business models—an information systems research agenda. Bus. Inf. Syst. Eng. 6(1), 45–53 (2014)
Von Solms, R., Van Niekerk, J.: From information security to cyber security. Comput. Secur. 38, 97–102 (2013)
Whitman, M.E.: In defense of the realm: understanding the threats to information security. Int. J. Inf. Manage. 24(1), 43–57 (2004)
Wirfs, J.H.: How to Organize Cyber Risk Transfer? Working Paper No. 183. Institut für Versicherungswirtschaft. Universität St. Gallen, St. Gallen (2016). http://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/wps/wp183.pdf, Accessed 7 Dec 2018
Woods, D., Simpson, A.: Policy measures and cyber insurance: a framework. J. Cyber Policy 2(2), 209–226 (2017)
Woods, D., Agrafiotis, I., Nurse, J.R.C., Creese, S.: Mapping the coverage of security controls in cyber insurance proposal forms. J. Internet Serv. Appl. 8(1), Article 8 (2017). https://doi.org/10.1186/s13174-017-0059-y
Wopperer, W.: Fraud risks in e‑commerce transactions. Geneva Pap. Risk Insur. Issues Pract. 27(3), 383–394 (2002)
World Economic Forum: Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World—Principles and Guidelines. Report REF 270912, Cologny (2012). http://www3.weforum.org/docs/WEF_IT_PartneringCyberResilience_Guidelines_2012.pdf, Accessed 7 Dec 2018
Yin, R.K.: Case Study Research: Design and Methods, 5th ed. SAGE, Los Angeles, London, New Delhi, Singapore, Washington (2014)
Young, D., Lopez Jr., J., Rice, M., Ramsey, B., McTasney, R.: A framework for incorporating insurance in critical infrastructure cyber risk strategies. Int. J. Crit. Infrastruct. Prot. 14, 43–57 (2016)
Zhao, X., Xue, L., Whinston, A.B.: Managing interdependent information security risks: cyberinsurance, managed security services, and risk pooling arrangements. J. Manage. Inf. Syst. 30(1), 123–152 (2013)
In this article the authors express their personal opinions.
Wrede, D., Freers, T. & Graf von der Schulenburg, JM. Herausforderungen und Implikationen für das Cyber-Risikomanagement sowie die Versicherung von Cyberrisiken – Eine empirische Analyse. ZVersWiss 107, 405–434 (2018). https://doi.org/10.1007/s12297-018-0425-2