Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study

  • Conference paper

Abstract

In this paper we present the results of an exploratory qualitative study with experts. The aim of the study was the identification of potential rating variables which could be used to calculate a premium for Cyberinsurance coverages. For this purpose we have conducted semi-structured qualitative interviews with a sample of 36 experts from the DACH region. The gathered statements have been consolidated and further reduced to a subset of indicators which are available and difficult to manipulate. The reduced set of indicators has been presented again to the 36 experts in order to rank them according to their relative importance. In this paper we describe the results of this exploratory qualitative study and conclude by discussing implications of our findings for both research and practice.

Corresponding author

Correspondence to Frank Innerhofer-Oberperfler.

Copyright information

© 2010 Springer Science+Business Media, LLC

About this paper

Cite this paper

Innerhofer-Oberperfler, F., Breu, R. (2010). Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_13

  • DOI: https://doi.org/10.1007/978-1-4419-6967-5_13

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-6966-8

  • Online ISBN: 978-1-4419-6967-5

  • eBook Packages: Computer Science, Computer Science (R0)
