Information Systems Frontiers, Volume 21, Issue 5, pp. 997–1018

Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance

  • Arunabha Mukhopadhyay (corresponding author)
  • Samir Chatterjee
  • Kallol K. Bagchi
  • Peteer J. Kirs
  • Girja K. Shukla

Abstract

External attackers commonly use cyber threats such as viruses, denial-of-service (DoS) attacks, financial fraud, system penetration, and theft of proprietary information, while insiders resort to unauthorized access, to compromise the confidentiality, integrity, and availability (CIA) of the data of individuals, organizations, and nations. The result for an organization is opportunity cost, lost market capitalization, and lost brand equity. Organizations and nations spend a substantial portion of their information technology (IT) budgets on IT security (perimeter and core security technologies), yet security breaches remain common. In this paper we propose a cyber-risk assessment and mitigation (CRAM) framework that (i) estimates the probability of an attack using generalized linear models (GLMs), namely logit and probit, and validates the estimates on Computer Security Institute–Federal Bureau of Investigation (CSI–FBI) survey time-series data; (ii) predicts the security technology required to reduce the probability of attack to a given level in the following year; (iii) uses the gamma and exponential distributions to best approximate the average loss data for each class of malicious attack; (iv) calculates the expected loss due to cyber-attacks using collective risk modeling; (v) computes the net premium a cyber insurer should charge to indemnify losses from a cyber-attack; and (vi) proposes cyber insurance, self-insurance, or self-protection as the strategy by which an organization minimizes its losses.
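The six steps the abstract lists, carried through on constructed data as an added worked example (this is not the paper's code, and the data is not the CSI–FBI series the paper validates on): a Fisher-scoring fit of a logit or probit GLM for the yearly attack probability, inversion of the fitted curve to find the security spend that reaches a target probability, a gamma-versus-exponential choice for loss severity by log-likelihood, and the collective-risk expected loss E[S] = E[N]·E[X], used here as the net (pure) premium. The "spend index" predictor, the twelve-year panel, the four loss samples, the at-most-one-attack-per-year count model and the zero-loading premium are all assumptions of this example, not the paper's.

```python
import math

# Constructed data (NOT the CSI-FBI series used by the paper): one row per year,
# x = a security-spend index for the organisation (assumed predictor),
# y = 1 if at least one successful attack was reported that year.
SPEND = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
ATTACKED = [1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]
# Constructed per-incident losses (thousands of USD) for one attack class.
LOSSES = [100.0, 200.0, 300.0, 400.0]


def _mean_and_slope(eta, link):
    """Return (mu, dmu/deta) for the logit or probit link at linear predictor eta."""
    eta = max(-30.0, min(30.0, eta))  # keep exp()/erf() in a sane range
    if link == "logit":
        mu = 1.0 / (1.0 + math.exp(-eta))
        slope = mu * (1.0 - mu)
    elif link == "probit":
        mu = 0.5 * (1.0 + math.erf(eta / math.sqrt(2.0)))
        slope = math.exp(-0.5 * eta * eta) / math.sqrt(2.0 * math.pi)
    else:
        raise ValueError("link must be 'logit' or 'probit'")
    mu = min(max(mu, 1e-10), 1.0 - 1e-10)
    return mu, max(slope, 1e-12)


def fit_binary_glm(xs, ys, link="logit", iters=100, tol=1e-10):
    """Fisher scoring (IRLS) for P(attack) = g^-1(b0 + b1*x); returns (b0, b1)."""
    b0 = b1 = 0.0
    for _ in range(iters):
        s00 = s01 = s11 = t0 = t1 = 0.0
        for x, y in zip(xs, ys):
            eta = b0 + b1 * x
            mu, slope = _mean_and_slope(eta, link)
            w = slope * slope / (mu * (1.0 - mu))   # IRLS weight
            z = eta + (y - mu) / slope               # working response
            s00 += w
            s01 += w * x
            s11 += w * x * x
            t0 += w * z
            t1 += w * x * z
        det = s00 * s11 - s01 * s01                  # solve the 2x2 weighted normal equations
        nb0 = (s11 * t0 - s01 * t1) / det
        nb1 = (s00 * t1 - s01 * t0) / det
        converged = abs(nb0 - b0) < tol and abs(nb1 - b1) < tol
        b0, b1 = nb0, nb1
        if converged:
            break
    return b0, b1


def attack_probability(beta, spend, link="logit"):
    b0, b1 = beta
    return _mean_and_slope(b0 + b1 * spend, link)[0]


def spend_for_target(beta, p_target, link="logit", hi=1e4):
    """Smallest spend index at which P(attack) <= p_target (bisection; needs b1 < 0)."""
    lo = 0.0
    if attack_probability(beta, lo, link) <= p_target:
        return lo                                   # already at or below target with no spend
    if attack_probability(beta, hi, link) > p_target:
        raise ValueError("target not reachable: fitted slope is not negative")
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if attack_probability(beta, mid, link) > p_target:
            lo = mid
        else:
            hi = mid
    return hi


def gamma_by_moments(losses):
    """Method-of-moments gamma fit: shape k = m^2/v, scale theta = v/m."""
    n = len(losses)
    m = sum(losses) / n
    v = sum((l - m) ** 2 for l in losses) / n
    return m * m / v, v / m


def gamma_loglik(losses, k, theta):
    n = len(losses)
    return (sum((k - 1.0) * math.log(l) - l / theta for l in losses)
            - n * (k * math.log(theta) + math.lgamma(k)))


def best_severity_model(losses):
    """Pick gamma or exponential (gamma with k=1) by log-likelihood; returns (name, k, theta)."""
    k, theta = gamma_by_moments(losses)
    mean = sum(losses) / len(losses)
    if gamma_loglik(losses, k, theta) >= gamma_loglik(losses, 1.0, mean):
        return "gamma", k, theta
    return "exponential", 1.0, mean


def expected_aggregate_loss(p_attack, k, theta):
    """Collective risk model E[S] = E[N] * E[X]. Assumption: N is Bernoulli(p_attack),
    i.e. at most one attack per year, and X ~ Gamma(k, theta) so E[X] = k * theta."""
    return p_attack * k * theta


def cram(next_year_spend, p_target, link="logit"):
    """Run the CRAM steps on the constructed data; net premium = E[S] with no loading."""
    beta = fit_binary_glm(SPEND, ATTACKED, link)
    p_next = attack_probability(beta, next_year_spend, link)
    model, k, theta = best_severity_model(LOSSES)
    expected = expected_aggregate_loss(p_next, k, theta)
    return {"beta": beta, "p_attack_next_year": p_next,
            "spend_for_target": spend_for_target(beta, p_target, link),
            "severity_model": model, "expected_loss": expected, "net_premium": expected}


if __name__ == "__main__":
    for link in ("logit", "probit"):
        print(link, cram(next_year_spend=8, p_target=0.2, link=link))
```

The check worth making before step (ii) is the sign of the fitted slope: if extra spend does not lower the fitted attack probability, the target is unreachable and `spend_for_target` raises rather than returning a number. The severity fit on four constructed samples is only there to show the gamma-versus-exponential choice; on real loss data the method-of-moments gamma should be compared against a maximum-likelihood fit before its tail is used for pricing.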

Keywords

Cyber-risk quantification; IS security; Security breach; E-commerce; Logit and probit models; Cyber insurance; Self-insurance


Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  • Arunabha Mukhopadhyay (corresponding author), Indian Institute of Management Lucknow, Lucknow, India
  • Samir Chatterjee, Claremont Graduate University, Claremont, USA
  • Kallol K. Bagchi, University of Texas at El Paso, El Paso, USA
  • Peteer J. Kirs, University of Texas at El Paso, El Paso, USA
  • Girja K. Shukla, Lucknow, India
