Perceptions of Corporate Cyber Risks and Insurance Decision-Making

  • Guido de Smidt
  • Wouter Botzen


This study provides an analysis of individual perceptions of cyber risks amongst professional decision makers. Data are collected using a survey of corporate professionals who are engaged in risk and insurance decision-making in various functional roles, mainly in large companies. The study focuses on the perceived probability as well as the anticipated financial impact of cyber risks. Behavioural factors—the availability heuristic, threshold level of concern, degree of worry and trust in one’s own organisation’s capabilities—are found to have significant influences on the perceived probability and impact of cyberattacks. The probability of a successful cyberattack is overestimated, and the financial impact is underestimated. Given the high perceived expected value of cyberattack losses relative to the costs of cyber risk insurance, it appears that professional decision makers deviate from expected value-based decision-making by being reluctant to insure for cyber risk.


availability heuristic, intuitive thinking, insurance demand, risk perceptions



Copyright information

© The Geneva Association 2018

Authors and Affiliations

  1. Aon Risk Solutions, Rotterdam, The Netherlands
  2. Department of Environmental Economics, Institute for Environmental Studies (IVM), Vrije Universiteit Amsterdam, Amsterdam, The Netherlands
  3. Utrecht University School of Economics, Utrecht University, Utrecht, The Netherlands
  4. Risk Management and Decision Processes Center, The Wharton School, University of Pennsylvania, Philadelphia, USA