Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study

Conference paper


In this paper we present the results of an exploratory qualitative study with experts. The aim of the study was to identify potential rating variables that could be used to calculate a premium for Cyberinsurance coverages. For this purpose we conducted semi-structured qualitative interviews with a sample of 36 experts from the DACH region. The gathered statements were consolidated and further reduced to a subset of indicators that are readily available and difficult to manipulate. This reduced set of indicators was then presented again to the 36 experts, who ranked them according to their relative importance. We describe the results of this exploratory qualitative study and conclude by discussing the implications of our findings for both research and practice.






Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

Research Group Quality Engineering, Institute of Computer Science, University of Innsbruck, Innsbruck, Austria
