Risk Management Using Cyber-Threat Information Sharing and Cyber-Insurance

  • Deepak K. Tosh
  • Sachin Shetty
  • Shamik Sengupta
  • Jay P. Kesan
  • Charles A. Kamhoua
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 212)


Critical infrastructure systems ranging from transportation to nuclear operations are vulnerable to cyber attacks. Cyber-insurance and cyber-threat information sharing are two prominent mechanisms for addressing cybersecurity issues proactively. However, standardization and realization of these choices have many bottlenecks. In this paper, we discuss the benefits and importance of cybersecurity information sharing and cyber-insurance in the current cyber-warfare situation. We model a standard game theoretic participation model for cybersecurity information exchange (CYBEX) and discuss the applicability of economic tools in addressing important issues related to CYBEX and cyber-insurance. We also pose several open research challenges, which need to be addressed for developing a robust cyber-risk management capability.


Cybersecurity information sharing; Cyber-insurance; Cyber-threat intelligence; Cyber Security Information Sharing Act (CISA)



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2017

Authors and Affiliations

  • Deepak K. Tosh (1)
  • Sachin Shetty (2)
  • Shamik Sengupta (3)
  • Jay P. Kesan (4)
  • Charles A. Kamhoua (5)

  1. Department of Computer Science, Norfolk State University, Norfolk, USA
  2. Virginia Modeling Analysis and Simulation Center, Old Dominion University, Virginia, USA
  3. Department of Computer Science and Engineering, University of Nevada, Reno, USA
  4. College of Law, University of Illinois, Urbana Champaign, USA
  5. Cyber Assurance Branch, Air Force Research Laboratory, Rome, USA
