Abstract
The expansion of information technology into everyday life, through the spread of social networks and mobile devices and through emerging technologies such as cloud services and the internet of things, has increased the exposure of individuals and businesses. Individuals can suffer fraud, identity theft, embarrassment and distress when critical information (such as financial or sensitive personal data) is compromised, or even publicly revealed, as a result of a cybercrime. The growth of cyber-risk affects both individuals and entities such as businesses and governments, and renders cyber-insurance, on top of other cyber-security measures, more necessary with the passage of time. In this paper, it is assumed that multiple cyber-incidents are possible during the (digital) life of an individual. They resemble the illnesses that can affect the physical life of an individual. Illness, as opposed to fatality, which has been the analogy used in research so far, can occur several times within the lifetime of an individual, and the same can happen during his or her digital life: he or she may suffer several cyber-attacks (digital illnesses) and yet digitally survive. This study mimics the actuarial pricing techniques of physical illness (health) insurance to evaluate the cost of offering financial protection against multiple cyber-attacks. Consequently, this approach further advances research on cyber-insurance valuation and development. It can be a valuable pricing tool for interested parties, as it helps estimate the residual risk left after technological cyber-security safety nets have been applied.
Availability of data and material
All data come from public sources.
Code availability
No code was used; the actuarial calculations were performed by the authors in Excel.
References
1. ISACA (2015) State of Cybersecurity: Implications for 2015. https://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf
2. Lloyd's of London (2017) Counting the cost. https://www.lloyds.com/news-and-insight/risk-insight/library/technology/countingthecost. Accessed 16 Dec 2019
3. Shetty S, McShane M, Zhang L, Kesan JP, Kamhoua CA, Kwiat K, Njilla LL (2018) Reducing informational disadvantages to improve cyber risk management. Geneva Papers Risk Insur Issues Pract 43:224–238. https://doi.org/10.1057/s41288-018-0078-3
4. Eling M (2018) Cyber risk and cyber risk insurance: status quo and future research. Geneva Papers Risk Insur Issues Pract 43(2):175–179. https://doi.org/10.1057/s41288-018-0083-6
5. Felici M, Wainwright N, Bisconi F, Cavallini S (2015) What's new in the economics of cybersecurity? Observational and empirical studies. IEEE Secur Priv 13(5):12–15
6. Anderson R, Moore T (2006) The economics of information security. Science 314(5799):610–613
7. Moore T (2010) The economics of cybersecurity: principles and policy options. Int J Crit Infrastruct Prot 3(3–4):103–117
8. Agrafiotis I, Nurse JRC, Goldsmith M, Creese S, Upton J (2018) A taxonomy of cyber-harms: defining the impacts of cyber-attacks and understanding how they propagate. J Cybersecur 4(1):1–15
9. Poufinas T, Vordonis N (2018) Pricing the cost of cybercrime—a financial protection approach. iBusiness 10(3):128–143
10. Anderson R, Barton C, Böhme R, van Eeten MJG, Levi M, Moore T, Savage S (2013) Measuring the cost of cybercrime. In: The Economics of Information Security and Privacy. Springer, pp 265–300
11. Nguyen KD, Rosoff H, John RS (2017) Valuing information security from a phishing attack. J Cybersecur 3(3):159–171
12. Axon L, Erola A, Agrafiotis I, Goldsmith M, Creese S (2019) Analysing cyber-insurance claims to design harm-propagation trees. Working Paper, Department of Computer Science, University of Oxford, UK. https://ora.ox.ac.uk/objects/uuid:496b5fb7-9da3-4305-a0b1-e4cbf0c41bfb. Accessed 10 Jan 2020
13. World Health Organization (WHO) (2018) WHO methods and data sources for global burden of disease estimates 2000–2016. Department of Information, Evidence and Research, WHO, Geneva. Global Health Estimates Technical Paper WHO/HIS/IER/GHE/2018.4. https://www.who.int/healthinfo/global_burden_disease/GlobalDALY_method_2000_2016.pdf. Accessed 16 Dec 2019
14. Federal Bureau of Investigation (FBI), Internet Crime Complaint Center (IC3) (2018) Internet crime report. https://pdf.ic3.gov/2018_IC3Report.pdf. Accessed 16 Dec 2019
Appendix
1.1 Definition of the cyber-crime types
In this section we provide a short definition of each cybercrime type, based on the definitions used by the FBI's Internet Crime Complaint Center [14]. These are:
Cyber-crime type | Definition |
--- | --- |
Advanced fee | The victim is offered a loan or reward but has to pay a fee in advance. The victim pays the fee but never receives the promised amount |
BEC/EAC | Business Email Compromise and Email Account Compromise: frauds against businesses or individuals that involve the compromise of email accounts in order to induce unauthorised transfers of funds |
Charity | Individuals are asked to make donations to false charities |
Civil matter | Disputes formally submitted to non-criminal courts |
Confidence/romance fraud | The victim is persuaded to send money, personal or financial information, items of value, or even to launder money, trusting that he or she has a relationship with the perpetrator (family, friendly or romantic) |
Corporate data breach | The leak, copy, transmission, viewing or theft of corporate (usually sensitive, protected or confidential) data |
Credit card fraud | Use of a credit card or similar payment means to commit a fraudulent transaction |
Crimes against children | Exploitation and/or abuse of children |
Denial of service/TDoS | Flooding a network or system (DoS), or a telephone service (TDoS, telephony denial of service), with requests that slow down or interrupt the service |
Employment | The victim believes that he or she is legitimately employed and instead loses or launders money |
Extortion | Unlawful extraction of assets from the victim through intimidation or the undue exercise of authority |
Gambling | Online/internet gambling |
Government impersonation | Impersonation of a government official in order to collect money |
Hacktivist | A hacker who aims at promoting a social or political cause |
Harassment/threats of violence | The perpetrator intimidates the victim via false accusations or statements, or expresses the intention to harm, injure or punish the victim |
Health care related | Defrauding private or public health care programs; involves health care providers, companies or individuals and covers a wide range of health/insurance products and services, often initiated via spam email, social media, fraudulent websites, etc. |
Intellectual property rights (IPR)/copyright and counterfeit | Stealing and using the ideas, inventions and creative expressions of others, from trade secrets and proprietary products to movies, music and software |
Identity theft/account takeover | Theft of a person's personal identification (such as a social security number) or account information in order to commit fraud |
Investment | The victims make purchases or investments based on false information that promises high returns with low risk |
Lottery/sweepstakes/inheritance | The victims are fraudulently informed that they have won a lottery or sweepstakes they never entered, or inherited from a person they do not know, and are asked to pay a tax or fee before receiving the amount |
Malware/scareware/virus | Software or code that aims at harming computers/systems, or at scaring the victims in order to solicit funds |
Misrepresentation | Merchandise purchased by individuals that is of much poorer quality than advertised or presented |
No lead value | Undetermined cyber-crime type due to incomplete complaints |
Non-payment/non-delivery | Goods or services are sent but payment is not made, or payment is made but goods or services are not delivered |
Personal data breach | The leak, copy, transmission, viewing or theft of personal (usually sensitive, protected or confidential) data |
Phishing/vishing/smishing/pharming | Emails, text messages, telephone calls or redirected websites purporting to come from a legitimate company in order to obtain personal or financial information and/or login credentials |
Ransomware | Malicious software that blocks access to a computer system or its data until money is paid |
Re-shipping | The repackaging and forwarding of merchandise that has been purchased by fraudulent means |
Real estate/rental | Fraud that involves real estate, rental or timeshare property |
Spoofing | Contact information (phone number, email address or website) falsified so as to appear to come from a legitimate source, in order to mislead and potentially collect personal information |
Social media | Complaints reporting fraud conducted via social media/networking |
Tech support | Gaining access to the victim's electronic device by fraudulently offering tech support (supposedly representing a well-known company) |
Terrorism | Violent acts that aim (usually for a political, religious or ideological goal) at creating fear by targeting the safety of the victims |
Virtual currency | A complaint that involves a virtual currency or cryptocurrency |
1.2 Construction of the cyber-attack morbidity table
In this section we present the cyber-attack morbidity table constructed with the use of the DiDALYs for the investment cyber-crime type. We denote by l_x the number of individuals who live (digitally survive) to age x, and by d_x the number of individuals who die at age x, where death is understood in the sense of years lost to digital death or substandard digital health, following the WHO approach (Table 9).
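The construction above is the standard single-decrement (life-table) recursion, and once l_x and d_x are available a cover against the incident can be priced exactly as a health or term insurance. The following is an added example, not the authors' Excel workbook and not their DiDALY figures: the incident rates in SAMPLE_Q are constructed for illustration and chosen so the arithmetic can be checked by hand, the radix, benefit, term and technical interest rate are assumed, and the simplification that an incident removes the individual from the exposed group (rather than weighting d_x by DALY-type years lost as the paper does) is an assumption of the example.

```python
"""Decrement-table construction and premium calculation for a cover against
cyber incidents, in the health/life-insurance style the paper mimics.

Added example; not the paper's own code or data. Everything marked
'assumed' or 'constructed' below is an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    x: int        # age
    l_x: float    # individuals still exposed (digitally alive) at exact age x
    d_x: float    # individuals suffering the insured incident between x and x+1
    q_x: float    # incident rate d_x / l_x


# Constructed sample incident rates for one cyber-crime type, chosen so the
# arithmetic is easy to follow by hand; NOT the paper's DiDALY-based rates
# and NOT FBI IC3 figures.
SAMPLE_Q: dict[int, float] = {30: 0.10, 31: 0.20, 32: 0.25}


def build_morbidity_table(q_by_age: dict[int, float],
                          radix: float = 1_000.0) -> list[Row]:
    """Life-table recursion l_{x+1} = l_x - d_x with d_x = l_x * q_x.

    Assumed simplification: an incident removes the individual from the
    exposed group for the rest of the table (single decrement). The paper
    instead weights d_x by DALY-type years lost; feeding those figures in
    as q_x reproduces that choice.
    """
    ages = sorted(q_by_age)
    if not ages or ages != list(range(ages[0], ages[-1] + 1)):
        raise ValueError("incident rates must cover consecutive ages")
    rows: list[Row] = []
    l_x = radix  # assumed radix (starting cohort size)
    for x in ages:
        q_x = q_by_age[x]
        if not 0.0 <= q_x <= 1.0:
            raise ValueError(f"q_{x}={q_x} is not a probability")
        d_x = l_x * q_x
        rows.append(Row(x, l_x, d_x, q_x))
        l_x -= d_x
    return rows


def _check_term(rows: dict[int, Row], entry_age: int, term: int) -> None:
    # Pricing past the last tabulated age would silently understate the risk.
    missing = [entry_age + t for t in range(term) if entry_age + t not in rows]
    if term <= 0 or missing:
        raise ValueError(f"table does not cover ages {missing} of the policy term")


def net_single_premium(table: list[Row], entry_age: int, term: int,
                       benefit: float, interest: float) -> float:
    """Expected present value of `benefit`, paid at the end of the policy
    year in which the incident occurs:

        NSP = benefit * sum_{t=0}^{term-1} v^(t+1) * d_{x+t} / l_x,  v = 1/(1+i)
    """
    rows = {r.x: r for r in table}
    _check_term(rows, entry_age, term)
    v = 1.0 / (1.0 + interest)
    l_x = rows[entry_age].l_x
    return benefit * sum(v ** (t + 1) * rows[entry_age + t].d_x / l_x
                         for t in range(term))


def annuity_due(table: list[Row], entry_age: int, term: int,
                interest: float) -> float:
    """Present value of 1 paid at the start of each year the insured is
    still exposed: sum_{t=0}^{term-1} v^t * l_{x+t} / l_x."""
    rows = {r.x: r for r in table}
    _check_term(rows, entry_age, term)
    v = 1.0 / (1.0 + interest)
    l_x = rows[entry_age].l_x
    return sum(v ** t * rows[entry_age + t].l_x / l_x for t in range(term))


def level_annual_premium(table: list[Row], entry_age: int, term: int,
                         benefit: float, interest: float) -> float:
    """Equivalence principle: P * annuity_due = NSP."""
    return (net_single_premium(table, entry_age, term, benefit, interest)
            / annuity_due(table, entry_age, term, interest))


if __name__ == "__main__":
    table = build_morbidity_table(SAMPLE_Q)
    for r in table:
        print(f"x={r.x}  l_x={r.l_x:8.1f}  d_x={r.d_x:7.1f}  q_x={r.q_x:.3f}")
    # assumed policy: 1000 units of cover, 3-year term, 5% technical interest
    print("NSP   :", round(net_single_premium(table, 30, 3, 1000.0, 0.05), 2))
    print("Annual:", round(level_annual_premium(table, 30, 3, 1000.0, 0.05), 2))
```

With the constructed rates the table runs l_30 = 1000, d_30 = 100, l_31 = 900, d_31 = 180, l_32 = 720, d_32 = 180, so at zero interest the net single premium for 1000 units of cover over three years is 460 and the level annual premium is 460 / 2.62. The term check matters in practice: a table that stops at the last age for which incident data exist must not be used to price a longer policy, since the missing years would contribute zero risk.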
Poufinas, T., Vordonis, N. The financials of cybercrime: a health insurance pricing approach. J BANK FINANC TECHNOL 6, 17–30 (2022). https://doi.org/10.1007/s42786-022-00039-8