Abstract
This chapter is an introduction to cyber insurance. We describe the different types of risks, as well as the uncertainty and ignorance, related to cyber security. A framework for catastrophes in cyberspace is also presented. We assess which risks might be insurable or uninsurable. The evolution and challenges of cyber insurance are discussed, and finally we propose some thoughts for the further development of cyber insurance markets.
Acknowledgement
This work was supported by the FHI-Amlin Research Collaboration on Systemic Risk of Modelling in pursuing better understanding and management of the systemic risks associated with modeling in the insurance industry through the strategic collaboration between the Future of Humanity Institute and Amlin. We are grateful for comments and suggestions from numerous colleagues and insurance industry participants from Amlin plc, the Lloyd’s of London, and the Bank of England in several meetings and discussions among working parties.
Copyright information
© 2017 Springer International Publishing AG
About this entry
Cite this entry
Petratos, P., Sandberg, A., Zhou, F. (2017). Cyber Insurance. In: Carayannis, E., Campbell, D., Efthymiopoulos, M. (eds) Handbook of Cyber-Development, Cyber-Democracy, and Cyber-Defense. Springer, Cham. https://doi.org/10.1007/978-3-319-06091-0_25-1
DOI: https://doi.org/10.1007/978-3-319-06091-0_25-1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-06091-0
Online ISBN: 978-3-319-06091-0
eBook Packages: Springer Reference Economics and Finance; Reference Module Humanities and Social Sciences; Reference Module Business, Economics and Social Sciences