Using Risk Assessments to Assess Insurability in the Context of Cyber Insurance

  • David Nicolas Bartolini
  • Cesar Benavente-Peces (corresponding author)
  • Andreas Ahrens
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 990)

Abstract

In the current globalised economy, where electronic transactions and data sharing are routine, cyber-risk analysis, protection and avoidance have become key aspects that must be placed and prioritised on the business agenda of companies. Nevertheless, the issue is difficult to analyse given the dimension of the problem and the number of company units, individuals and infrastructures involved. In consequence, cyber-insurance is considered an appropriate means of avoiding financial losses caused by security breaches of information technology infrastructures and procedures. This paper analyses and describes how customers and their cyber-risks should be assessed by an insurance company in order to establish the customer company's status and implement the actions required to fix the issues found. The work describes the three phases required to complete a full cyber-risk assessment and the evaluation of the risks. Furthermore, the paper highlights the resources that the insurer should keep on its road-map to implement the risk assessment and, thus, to determine the company's insurability and the requirements for reaching that condition. After the risk analysis is completed at the customer's premises, it must subsequently be evaluated at all levels. Among other factors, this evaluation is based on 63 question criteria. In the risk assessment the criteria weights are not uniformly distributed; weighting is applied according to relevance. In particular, criteria that should receive special attention are referred to as showstoppers.
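The abstract describes a questionnaire-based assessment in which criteria carry non-uniform relevance weights and some criteria are flagged as showstoppers. The following is an added example, not code from the paper or its authors, of how such an assessment can be scored. It assumes (these are not stated in the abstract) that each criterion is a yes/no question, that a failed showstopper blocks insurability regardless of the aggregate score, that unanswered questions count as "no", and that the insurability threshold and the six sample criteria are illustrative stand-ins for the paper's 63.

```python
"""Weighted questionnaire scoring with showstopper criteria.

Added example; not the paper's own method. Assumptions: yes/no criteria,
a failed showstopper overrides the aggregate score, unanswered = "no",
and the threshold value is illustrative.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Criterion:
    cid: str
    question: str
    weight: float            # relevance weight; deliberately non-uniform
    showstopper: bool = False


# Constructed sample criteria (the paper uses 63; these six are illustrative).
CRITERIA: Tuple[Criterion, ...] = (
    Criterion("C01", "Offsite, regularly tested backups exist", 3.0, showstopper=True),
    Criterion("C02", "Critical patches applied within 30 days", 2.5, showstopper=True),
    Criterion("C03", "MFA enforced on remote and administrative access", 2.5),
    Criterion("C04", "Written and exercised incident response plan", 1.5),
    Criterion("C05", "Annual security awareness training", 1.0),
    Criterion("C06", "Network segmentation between office and server zones", 1.5),
)


def assess(criteria: Iterable[Criterion], answers: Dict[str, bool],
           insurable_at: float = 0.7) -> Tuple[str, float, List[str]]:
    """Return (verdict, normalised score in [0, 1], failed showstopper ids).

    Verdicts: "insurable", "conditionally insurable" (score below threshold,
    no showstopper failed) or "not insurable" (at least one showstopper failed).
    Missing answers are treated conservatively as "no".
    """
    criteria = tuple(criteria)
    total = sum(c.weight for c in criteria)
    if total <= 0:
        raise ValueError("criteria must carry positive total weight")
    achieved = 0.0
    failed_showstoppers: List[str] = []
    for c in criteria:
        if answers.get(c.cid, False):
            achieved += c.weight
        elif c.showstopper:
            failed_showstoppers.append(c.cid)
    score = achieved / total
    if failed_showstoppers:
        verdict = "not insurable"          # overrides the weighted score
    elif score >= insurable_at:
        verdict = "insurable"
    else:
        verdict = "conditionally insurable"
    return verdict, score, failed_showstoppers


def remediation_plan(criteria: Iterable[Criterion],
                     answers: Dict[str, bool]) -> List[Criterion]:
    """Failed criteria ordered by priority: showstoppers first, then by weight.

    This is the list of requirements the customer must meet to become
    (or remain) insurable under the assumed rules above.
    """
    failed = [c for c in criteria if not answers.get(c.cid, False)]
    return sorted(failed, key=lambda c: (not c.showstopper, -c.weight))


if __name__ == "__main__":
    # Constructed answers: everything in place except backups (a showstopper).
    sample = {"C02": True, "C03": True, "C04": True, "C05": True, "C06": True}
    verdict, score, failed = assess(CRITERIA, sample)
    print(f"{verdict} (score {score:.2f}, failed showstoppers {failed})")
    for c in remediation_plan(CRITERIA, sample):
        print(f"  fix {c.cid}: {c.question}")
```

The point the example makes is that the showstopper check and the weighted score are separate decisions: the sample customer scores 0.75, above the assumed threshold, yet is still refused because the backup criterion failed. Weights and thresholds would be calibrated by the insurer; the structure, not the numbers, is what the abstract describes.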

Keywords

Cyber risk management, Cyber insurance, Information security, Data protection

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • David Nicolas Bartolini (1)
  • Cesar Benavente-Peces (1, corresponding author)
  • Andreas Ahrens (2)
  1. Universidad Politecnica de Madrid, Madrid, Spain
  2. Hochschule Wismar, University of Applied Sciences - Technology, Business and Design, Wismar, Germany