Effective cyber risk management should include the use of insurance not only to transfer cyber risk but also to provide incentives for insured enterprises to invest in cyber self-protection. Research indicates that asymmetric information, correlated loss, and interdependent security issues make this difficult if insurers cannot monitor the cybersecurity efforts of the insured enterprises. To address this problem, this paper proposes the Cyber Risk Scoring and Mitigation (CRISM) tool, which estimates cyberattack probabilities by directly monitoring and scoring cyber risk based on assets at risk and continuously updated software vulnerabilities. CRISM also produces risk scores that allow organisations to optimally choose mitigation policies that can potentially reduce insurance premiums.
We use the terms “cyber risk insurance” and “cyber insurance” interchangeably.
See Eling and Schnell (2016).
See Ehrlich and Becker (1972).
See Schwartz et al. (2010).
See Marotta et al. (2017).
See Biener et al. (2015).
See Berliner (1982).
AIG offered the first cyber insurance policy to cover policyholders for third-party losses caused by breaches that originated from outside the company: http://www.aei.org/publication/cyber-insurance-why-is-the-market-still-largely-untapped/.
See RMS (2016).
See SANS Institute (2016).
See Aon (2017).
See Lloyds (2015).
See Cebula and Young (2010).
See Filtner (2010).
See NIST (2012).
See Jouini et al. (2014).
See NIST (2011).
This list was compiled by the authors using a website for each tool.
Traditional risk scoring tools, for example used by underwriters for determining policyholder risk for auto insurance, depend on proxy categories, such as driver age, gender, vehicle type, address, and policyholder-specific information such as credit score and claims history. CRISM can be considered analogous to the use of telematics in determining auto insurance premiums where the continuously monitored actual behaviour of the specific policyholder is added as a factor in determining the premium (Baecke and Bocca, 2017).
An attack graph models the vulnerabilities in a networked system and the sequences of exploits through which an attacker can chain them to reach a target; each path in the graph is a potential multi-step attack.
CVSS is an open, vendor-neutral framework for rating the severity of software vulnerabilities; the base score ranges from 0.0 (lowest) to 10.0 (highest).
NVD is a repository that provides CVSS scores for publicly disclosed vulnerabilities in software and operating systems (http://nvd.nist.gov/). It is maintained by the National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security to inform the public about common computer vulnerabilities. Before CVSS, there was no common scale for rating vulnerabilities, so vendors used their own scoring methods. The National Infrastructure Advisory Council (NIAC) launched CVSS in 2005 (http://www.dhs.gov/national-infrastructure-advisory-council). Several major organisations, such as CERT, IBM, and Cisco, were involved in the development of CVSS, and they also use the metrics to prioritise their response to the vulnerabilities they encounter in day-to-day operations. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST).
CVE is a dictionary that assigns a unique identifier to every publicly known security vulnerability (http://cve.mitre.org/about/index.html) and is the industry standard for naming vulnerabilities and exposures. Once a vulnerability is publicly disclosed, it is assigned a CVE Identifier (e.g. CVE-2012-0015) together with a brief description and references, such as advisories or vulnerability reports. CVE was quickly adopted by organisations, and its use is so widespread that vendors produce "CVE Compatible" products and services.
For CVSS details related to these components, refer to https://www.first.org/cvss/v2/guide.
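The footnotes above describe the two inputs CRISM combines, an attack graph and CVSS scores, but not how they turn into an attack probability or a mitigation ranking. The following is an added example (not code from the paper or the CRISM tool) that shows one common way of doing this, in the style of the attack-graph metrics of Wang et al. (2008): each exploit's stand-alone success probability is assumed to be its CVSS base score divided by 10, an exploit fires only if all of its precondition privileges hold (AND), a privilege is reached if any exploit granting it succeeds (OR), and exploits are assumed independent. The exploit labels, CVSS values and asset values are constructed for illustration and are not real identifiers or data.

```python
"""Attack-graph risk scoring from CVSS scores, with single-patch mitigation ranking.

Added example, not code from the CRISM paper. Conventions (after the
attack-graph metrics of Wang et al. 2008, assumed here): an exploit's
stand-alone success probability is its CVSS base score / 10; an exploit
fires only if ALL of its precondition (privilege) nodes hold; a privilege
node is reached if ANY exploit granting it succeeds; exploits are treated
as independent, so the numbers are illustrative, not calibrated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    name: str          # label only; not a real CVE identifier
    cvss: float        # CVSS base score, 0.0-10.0 (constructed values below)
    requires: tuple    # privilege nodes that must ALL hold before this exploit
    grants: str        # privilege node the attacker holds on success


def exploit_probability(cvss):
    """Map a CVSS base score to a stand-alone success probability (assumed: score / 10)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    return cvss / 10.0


def compromise_probabilities(exploits, initial):
    """Probability that the attacker reaches each privilege node.

    `initial` lists nodes the attacker holds from the start (probability 1).
    A precondition that no remaining exploit grants (e.g. after patching) is
    unreachable and gets probability 0.
    """
    prob = {node: 1.0 for node in initial}
    by_target = {}
    for e in exploits:
        by_target.setdefault(e.grants, []).append(e)
    for e in exploits:
        for r in e.requires:
            if r not in by_target and r not in prob:
                prob[r] = 0.0
    unresolved = {t for t in by_target if t not in prob}
    while unresolved:
        # A node is ready once every exploit granting it has resolved preconditions.
        ready = [t for t in unresolved
                 if all(r in prob for e in by_target[t] for r in e.requires)]
        if not ready:
            raise ValueError("cycle in attack graph at: " + ", ".join(sorted(unresolved)))
        for t in ready:
            p_none_succeeds = 1.0
            for e in by_target[t]:
                p_e = exploit_probability(e.cvss)
                for r in e.requires:
                    p_e *= prob[r]                 # AND over preconditions
                p_none_succeeds *= 1.0 - p_e       # OR over alternative exploits
            prob[t] = 1.0 - p_none_succeeds
            unresolved.discard(t)
    return prob


def expected_loss(exploits, initial, asset_values):
    """Risk score: sum of asset value x probability the node holding it is compromised."""
    prob = compromise_probabilities(exploits, initial)
    return sum(value * prob.get(node, 0.0) for node, value in asset_values.items())


def rank_single_patches(exploits, initial, asset_values):
    """Expected-loss reduction from patching each exploit alone, best first."""
    baseline = expected_loss(exploits, initial, asset_values)
    ranked = []
    for e in exploits:
        remaining = [x for x in exploits if x.name != e.name]
        ranked.append((e.name, baseline - expected_loss(remaining, initial, asset_values)))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


# Constructed sample enterprise: labels, CVSS scores and asset values are made up.
INITIAL = ("internet",)
EXPLOITS = (
    Exploit("vpn_auth_bypass", 9.8, ("internet",), "internal_net"),
    Exploit("web_rce", 7.5, ("internet",), "user@web"),
    Exploit("web_privesc", 7.2, ("user@web",), "root@web"),
    # needs root on the web server for the stored DB password AND network reach to the DB
    Exploit("db_creds_from_config", 8.8, ("root@web", "internal_net"), "admin@db"),
    Exploit("db_sqli", 6.5, ("user@web",), "admin@db"),
)
ASSET_VALUES = {"admin@db": 2_000_000, "root@web": 250_000}  # loss if node is compromised


if __name__ == "__main__":
    for node, p in sorted(compromise_probabilities(EXPLOITS, INITIAL).items()):
        print(f"{node:<22} P(compromise) = {p:.3f}")
    print(f"expected loss: {expected_loss(EXPLOITS, INITIAL, ASSET_VALUES):,.0f}")
    for name, reduction in rank_single_patches(EXPLOITS, INITIAL, ASSET_VALUES):
        print(f"patch {name:<22} reduces expected loss by {reduction:,.0f}")
```

On this constructed graph the single most valuable patch is the web server's remote code execution, not the VPN bypass with the highest CVSS score: removing the entry point makes every downstream privilege unreachable, whereas the VPN flaw only feeds one of two routes to the database. That is the point of scoring on graph position and asset exposure rather than on raw CVSS alone, and it is the kind of ranking an insurer could use to tie premium reductions to specific mitigations.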
See Tøndel et al. (2016).
Aon (2017) Cyber Update: 2016 Cyber Insurance Profits and Performance, from http://thoughtleadership.aonbenfield.com/Documents/20170504-ab-cyber-naic-supplemental-study.pdf, accessed 19 August 2017.
Baecke, P. and Bocca, L. (2017) ‘The value of vehicle telematics data in insurance risk selection processes’, Decision Support Systems 98: 69–79.
Berliner, B. (1982) Limits of Insurability of Risks, Englewood Cliffs, NJ: Prentice-Hall.
Biener, C., Eling, M. and Wirfs, J.H. (2015) ‘Insurability of cyber risk: An empirical analysis’, The Geneva Papers on Risk and Insurance—Issues and Practice 40(1): 131–158.
Böhme, R. (2005) ‘Cyber-insurance revisited’, in Proceedings of the Fourth Workshop on the Economics of Information Security (WEIS 2005), Cambridge, MA: Kennedy School of Government, Harvard University.
Cebula, J.J. and Young, L.R. (2010) A Taxonomy of Operational Cyber Security Risks, Technical Note CMU/SEI-2010-TN-028, Software Engineering Institute, Carnegie Mellon University, from http://www.dtic.mil/get-tr-doc/pdf?AD=ADA537111, accessed 18 August 2017.
Ehrlich, I. and Becker, G.S. (1972) ‘Market insurance, self-insurance, and self-protection’, Journal of Political Economy 80(4): 623–648.
Eling, M. and Schnell, W. (2016) Ten Key Questions on Cyber Risk and Cyber Risk Insurance, The Geneva Association, from https://www.genevaassociation.org/media/954708/cyber-risk-10-key-questions.pdf, accessed 11 May 2017.
Filtner, A. (2010) Foundations of Risk Management and Insurance, CPCU Series, Malvern, PA: American Institute for Chartered Property Casualty Underwriters, p. 1.16.
Gordon, L.A., Loeb, M.P. and Sohail, T. (2003) ‘A framework for using insurance for cyber-risk management’, Communications of the ACM 46(3): 81–85.
Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S. R. and Singhal, A. (2013) ‘Aggregating vulnerability metrics in enterprise networks using attack graphs’, Journal of Computer Security 21(4): 561–597.
Jouini, M., Rabai, L.B.A. and Aissa, A.B. (2014) ‘Classification of security threats in information systems’, Procedia Computer Science 32: 489–496.
Kesan, J.P., Majuca, R.P. and Yurcik, W.J. (2004) The Economic Case for Cyberinsurance, University of Illinois Law and Economics working papers.
Lloyds (2015) Business Blackout, Lloyds of London and University of Cambridge Centre for Risk Studies, from https://www.lloyds.com/news-and-insight/risk-insight/library/society-and-security/business-blackout, accessed 19 August 2017.
Majuca, R.P., Yurcik, W. and Kesan, J.P. (2006) The Evolution of Cyberinsurance, working paper, from https://arxiv.org/ftp/cs/papers/0601/0601020.pdf, accessed 18 August 2017.
Marotta, A., Martinelli, F., Nanni, S., Orlando, A. and Yautsiukhin, A. (2017) ‘Cyber-insurance survey’, Computer Science Review 24: 35–61.
NIST (2011) Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, from https://dl.acm.org/citation.cfm?id=2206253, accessed 3 December 2017.
NIST (2012) Guide for Conducting Risk Assessments, NIST Special Publication 800-30, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf, accessed 3 December 2017.
Ogut, H., Menon, N. and Raghunathan, S. (2005) ‘Cyber insurance and IT security investment: Impact of interdependent risk’, in Workshop on the Economics of Information Security (WEIS), Harvard University.
Poolsappasit, N., Dewri, R. and Ray, I. (2012) ‘Dynamic security risk management using Bayesian attack graphs’, IEEE Transactions on Dependable and Secure Computing 9 (1): 61–74.
RMS (2016) Managing Cyber Insurance Accumulation Risk, Risk Management Solutions, Inc., and the Cambridge Centre for Risk Studies, from http://cambridgeriskframework.com/getdocument/39, accessed 11 May 2017.
SANS (2016) Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey, from https://www.sans.org/reading-room/whitepapers/legal/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-37062, accessed 11 May 2017.
Schwartz, G., Shetty, N. and Walrand, J. (2010) Cyber-insurance: Missing market driven by user heterogeneity, from https://pdfs.semanticscholar.org/d1db/6af4b7c93315e48c8ab407f1f75187a88687.pdf, accessed 18 August 2017.
Tøndel, I.A., Seehusen, F., Gjære, E.A. and Moe, M.E.G. (2016) ‘Differentiating cyber risk of insurance customers: The insurance company perspective’ in Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A.M. and Weippl, E. (eds.) International Conference on Availability, Reliability, and Security, Springer, pp. 175–190.
Wang, L., Islam, T., Long, T., Singhal, A. and Jajodia, S. (2008) ‘An attack graph-based probabilistic security metric’, in Proceedings of The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, UK: pp. 283–296.
This work was supported by the Office of the Assistant Secretary of Defense for Research and Engineering [OASD (R&E)] Agreement FA8750-15-2-0120 and Department of Homeland Security Grant 2015-ST-061-CIRC01.
† Approved for public release: distribution unlimited. Case Number: 88ABW-2017-2684, dated 26 May 2017.
Cite this article
Shetty, S., McShane, M., Zhang, L. et al. Reducing Informational Disadvantages to Improve Cyber Risk Management†. Geneva Pap Risk Insur Issues Pract 43, 224–238 (2018). https://doi.org/10.1057/s41288-018-0078-3
- cyber risk management
- cyber insurance
- vulnerability assessment
- security risk scores
- Bayesian belief networks
- attack graphs