Abstract
In this paper we present the results of an exploratory qualitative study with experts. The aim of the study was to identify potential rating variables that could be used to calculate a premium for Cyberinsurance coverages. For this purpose we conducted semi-structured qualitative interviews with a sample of 36 experts from the DACH region. The gathered statements were consolidated and further reduced to a subset of indicators that are both available and difficult to manipulate. The reduced set of indicators was then presented again to the 36 experts, who ranked them according to their relative importance. We describe the results of this exploratory qualitative study and conclude by discussing the implications of our findings for both research and practice.
© 2010 Springer Science+Business Media, LLC
Innerhofer-Oberperfler, F., Breu, R. (2010). Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_13
DOI: https://doi.org/10.1007/978-1-4419-6967-5_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-6966-8
Online ISBN: 978-1-4419-6967-5