
Supporting Cyberinsurance from a Behavioural Choice Perspective (PowerPoint presentation), Dr. Katsiaryna (Kate) Labunets



  1. Supporting Cyberinsurance from a Behavioural Choice Perspective. Dr. Katsiaryna (Kate) Labunets

  2. Outline
     • Who am I?
     • Definitions
     • Project details
     • Research questions

  3. Dr. Kate Labunets
     • 2004 - 2010: MSc in Mathematics, Belarusian State University, Minsk, Belarus
     • 2008 - 2011: Business Systems Analyst, outsourcing software development company in Minsk, Belarus
     • Nov 2011 - April 2016: PhD Candidate, University of Trento, Italy
     • June 2016 - May 2017: Postdoc in Empirical Security, DISI, University of Trento, Italy
     • June 2017 - Present: Postdoc in Cyber insurance, TBM, TU Delft, Netherlands

  4. Research background
     • PhD Thesis: Security Risk Assessment (SRA) Methods: An Evaluation Framework and Theoretical Model of the Criteria Behind Methods’ Success.
     • Research interests: security risk assessment, cyber insurance, empirical methods, comprehensibility of risk models

  5. Definitions

  6. Definitions [1/2]
     • Risk is the likelihood of an incident and its impact for an asset (e.g., organizational processes, functions, reputation).
     • Cyberspace is the complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. [ISO 27032]
     Cyberspace + Risk = Cyber Risk

  7. Definitions [2/2]
     • Cyber insurance (CI) is "protection against losses related to cyber risks, such as data theft/loss, business interruption caused by a computer malfunction or virus, and fines or lost income because of system downtime, network intrusion and/or information security breaches" [Gartner, 2015].
     • Insured is a "party that asks for insurance and would like to transfer its risk" [Marotta et al., 2017].
     • Insurer (insurance company) is a "party that assumes risks of another party in exchange for payment" [Marotta et al., 2017].
     Gartner, “Five Tips for Companies Considering Cyber Insurance,” 2015. Available: http://blogs.gartner.com/john-wheeler/five-tips-for-companies-considering-cyber-insurance/
     Marotta et al., "Cyber-insurance survey". Computer Science Review, 2017

  8. CYBECO project

  9. Motivation [1/3]. World Economic Forum, "The Global Risks Interconnections Map 2017". Link: http://reports.weforum.org/global-risks-2017/global-risks-landscape-2017/


  12. Motivation [2/3]. An extreme cyber-attack could cost as much as Superstorm Sandy in 2012: $53bn of economic losses. Lloyd's, “Counting the cost: cyber exposure decoded”, 2017. https://goo.gl/fSFq9B

  13. Motivation [3/3]. Demand is growing. Advisen, “Information Security and Cyber Liability Risk Management”, 2015. http://bit.ly/1M9Gyp0

  14. Challenges
     • Dealing with intelligent adversaries and intentionality
       – Not well covered in standard cyber risk management
     • Lack of data about cyber attacks
       – New regulations are coming (in 2018):
         • General Data Protection Regulation (GDPR)
         • Directive on security of network and information systems (NIS)
       – Alleviate by using Structured Expert Judgment
     • Poor support of cyber insurance within current cyber risk management frameworks
     • Poor guidance and lack of proper information for companies looking for cyber insurance

  15. Project details
     • Title: Supporting Cyberinsurance from a Behavioural Choice Perspective
     • Duration: May 2017 - April 2019 (2 years)
     • Program: H2020
     • 7 partners:
       – 1 coordinator company (Greece),
       – 2 universities (NL + UK),
       – 2 scientific companies (both from Spain),
       – 1 software development company (supposed to be from Luxembourg, but in reality... Greece),
       – 1 cyber insurance provider (AXA France)

  16. The structure of CYBECO goals. [Diagram; its elements: Choice behaviour of insurance companies, Choice behaviour of cyber threats, Choice behaviour of IT owners, Risk generation, Risk assessment, Insurance contracts, Risk transfer, Risk reduction]

  17. CYBECO objectives [1/2]
     • Understand better how the CI ecosystem works in practice:
       – key drivers behind the decision-making process when insureds buy CI,
       – behavioural aspects in the CI ecosystem (e.g., how a company's behaviour changes when it has CI).
     • Identify possible gaps in the key directives, standards and services in order to improve CI practice.

  18. CYBECO objectives [2/2]
     • Provide tool support for security risk management with
       – new models that incorporate CI,
       – behavioural nudges in cyber security and insurance.

  19. Cyber insurance ecosystem

  20. RQ1: How the CI ecosystem works [1/3]
     ● [RQ1.1] What are the key (behavioural) drivers for buying CI?
       ○ Initial interviews + a large-scale survey with two groups of companies:
         ■ already bought CI
         ■ failed to buy CI (i.e., they considered this option)

  21. [Diagram: an IT company facing cyber risk reaches a decision point, "Do you want to buy a cyber insurance?", leading to cyber insurance. Thought bubbles: "Somebody might go to jail?", "Company may lose money or reputation", "Everybody has a cyber insurance policy"]

  22. RQ1: How the CI ecosystem works [2/3]
     ● [RQ1.2] What are the relations between risk level, client's behaviour, CI policy and premiums?
       ○ Agent-based modeling (ABM)

  23. ABM for Cyber Security [1/2]. MSc thesis: "The Vulnerability Ecosystem: Exploring vulnerability discovery and the resulting cyberattacks through agent-based modelling" by Y. Breukers

  24. ABM for Cyber Security [2/2] [figure only]

  25. RQ1: How the CI ecosystem works [3/3]
     ● [RQ1.3] How does risk perception affect the insured's decision on buying CI?
       ○ Behavioural experiments based on:
         ■ prospect theory
         ■ protection motivation theory

  26. Prospect theory. People make decisions based on the potential value of losses and gains. Wikipedia, "Prospect theory". Link: https://en.wikipedia.org/wiki/Prospect_theory
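The decision RQ1.3 studies, worked through in code as an added example (not from the CYBECO slides): a cumulative prospect theory model of whether an insured buys cover, using Tversky and Kahneman's value function and loss-side probability weighting with their published parameter estimates. The premium, deductible and loss figures are constructed.

```python
# Added example (not from the CYBECO slides): a prospect-theory model of the
# insured's decision to buy cyber insurance (RQ1.3). The value function and
# probability weighting are Tversky & Kahneman's (1992) cumulative prospect
# theory with their estimated parameters; all money amounts are constructed.

ALPHA, BETA, LAMBDA = 0.88, 0.88, 2.25   # curvature for gains/losses, loss aversion
GAMMA_LOSS = 0.69                        # probability-weighting curvature for losses

def value(x):
    """Reference-dependent value: concave for gains, convex and 2.25x steeper for losses."""
    return x ** ALPHA if x >= 0 else -LAMBDA * (-x) ** BETA

def weight(p, gamma=GAMMA_LOSS):
    """Inverse-S weighting: small probabilities are overweighted, large ones underweighted."""
    return p ** gamma / (p ** gamma + (1 - p) ** gamma) ** (1 / gamma)

def cpt_value(prospect):
    """Cumulative prospect theory value of a pure-loss prospect.
    prospect: list of (probability, outcome <= 0). Outcomes are ranked from worst
    to mildest; each gets decision weight w(cum. prob. through it) - w(cum. prob. before it)."""
    total, cum_prev = 0.0, 0.0
    for p, x in sorted(prospect, key=lambda po: po[1]):
        cum = min(cum_prev + p, 1.0)           # clamp: float drift above 1 would make (1-p)**gamma complex
        total += (weight(cum) - weight(cum_prev)) * value(x)
        cum_prev = cum
    return total

def ev_buys(p_loss, loss, premium, deductible):
    """A risk-neutral expected-value maximiser buys only actuarially favourable cover."""
    return premium + p_loss * deductible < p_loss * loss

def cpt_buys(p_loss, loss, premium, deductible):
    """A prospect-theory insured compares the certain premium (plus the deductible if an
    incident happens) against self-insuring the full loss, both measured from the status quo."""
    v_self = cpt_value([(p_loss, -loss), (1 - p_loss, 0.0)])
    v_buy = cpt_value([(p_loss, -(premium + deductible)), (1 - p_loss, -premium)])
    return v_buy > v_self

if __name__ == "__main__":
    # Constructed case: 2% chance of a 500k incident; cover costs 15k with a 25k deductible.
    print("EV buys: ", ev_buys(0.02, 500_000, 15_000, 25_000))   # False: cover is actuarially unfair
    print("CPT buys:", cpt_buys(0.02, 500_000, 15_000, 25_000))  # True: overweighted small p + loss aversion
```

Raising the incident probability (so that it is no longer overweighted) while keeping the cover expensive flips the prospect-theory insured back to self-insuring, which is the kind of perception effect the behavioural experiments are designed to measure.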

  27. Protection motivation theory. People protect themselves based on four factors:
     a. the perceived severity of a threatening event,
     b. the perceived probability of the occurrence, or vulnerability,
     c. the efficacy of the recommended preventive behavior,
     d. the perceived self-efficacy.
     Wikipedia, "Protection Motivation Theory". Link: https://en.wikipedia.org/wiki/Protection_motivation_theory

  28. RQ2: CI policy complexity. How does the complexity of the policy affect the insured's decision to buy CI? Simple and cheap vs. complex and expensive.
     HDI Cyber insurance: https://www.hdi.global/nl/nl/insurance/cyber
     AIG CyberEdge: https://www.aiginsurance.nl/bedrijf/producten/financieel-lijnen/cyberedge

  29. RQ2: Simple policy. HDI Global offers Internetbankierfraudeverzekering, a cyber insurance which covers losses only from online banking fraud. [Figure: premiums and deductibles table] HDI Cyber insurance: https://www.hdi.global/nl/nl/insurance/cyber

  30. RQ2: Complex policy [1/2]
     • AIG group offers the CyberEdge insurance policy that covers:
       – 3rd party security and privacy claims,
       – network business interruption,
       – security failure at an outsourced service provider,
       – electronic data incidents,
       – cyber extortion,
       – etc.

  31. RQ2: Complex policy [2/2]. [Figure: deductibles and premiums table] AIG CyberEdge: https://www.aiginsurance.nl/bedrijf/producten/financieel-lijnen/cyberedge

  32. More than cyber insurance. "Insurance institutions are doing something more than transferring risk—they are actively managing the underlying risk of data breach." [Talesh, 2017]
     Talesh, "Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses". Law & Social Inquiry, 2017

  33. RQ3: Risk management
     • What can motivate insureds to maintain a certain level of security?
       – Premium discounts as an incentive to implement recommended security controls
     • How to link premium reductions to security controls to achieve better risk reduction?
       – Select controls that differentiate between clients (10-70%)
       – Data-driven selection based on the available information about incidents and implemented (or absent) security controls
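One way to carry out the data-driven selection RQ3 describes, as an added example (not from the CYBECO project): rank controls by the incident-rate difference between clients that have them and clients that do not, keeping only controls whose adoption falls in a band where they still differentiate clients. The 10-70% band is my reading of the slide, and the clients, controls and incident counts are constructed.

```python
# Added example (not from the CYBECO slides): data-driven selection of the
# security controls a premium discount should reward (RQ3). The slide's "10-70%"
# is read here as the adoption band within which a control still differentiates
# clients (my assumption). Clients, controls and incident counts are constructed.

CONTROLS = ["mfa", "backup", "patching", "edr", "firewall", "awareness"]

# (client id, implemented controls, incidents reported in the policy year)
SAMPLE_CLIENTS = [
    ("c01", {"mfa", "backup", "patching", "firewall"}, 0),
    ("c02", {"mfa", "backup", "firewall"}, 0),
    ("c03", {"mfa", "patching", "edr", "firewall"}, 0),
    ("c04", {"mfa", "backup", "firewall"}, 1),
    ("c05", {"mfa", "backup", "edr", "firewall"}, 1),
    ("c06", {"backup", "patching", "firewall"}, 1),
    ("c07", {"backup", "firewall"}, 2),
    ("c08", {"patching", "firewall"}, 2),
    ("c09", {"firewall"}, 3),
    ("c10", {"backup", "firewall"}, 1),
]

def adoption_rate(clients, control):
    """Share of clients that implement the control."""
    return sum(control in c for _, c, _ in clients) / len(clients)

def incident_rate(clients, control, implemented):
    """Mean incidents per client among those with (or without) the control."""
    group = [n for _, c, n in clients if (control in c) == implemented]
    return sum(group) / len(group) if group else float("nan")

def differentiating_controls(clients, controls, low=0.10, high=0.70):
    """Controls everybody or nobody has cannot distinguish clients: keep the 10-70% band."""
    return [c for c in controls if low <= adoption_rate(clients, c) <= high]

def rank_controls(clients, controls):
    """(control, relative incident reduction) for differentiating controls, best first.
    Observational data only: a confounder check and minimum group sizes are
    needed before an insurer acts on such numbers."""
    rows = []
    for c in differentiating_controls(clients, controls):
        with_c, without_c = incident_rate(clients, c, True), incident_rate(clients, c, False)
        if without_c > 0:
            rows.append((c, 1 - with_c / without_c))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def discount_schedule(clients, controls, max_discount=0.20):
    """Premium discount per control, proportional to its observed risk reduction (assumed rule)."""
    return {c: round(max_discount * r, 4) for c, r in rank_controls(clients, controls)}
```

On the sample data "firewall" (100% adoption) and "awareness" (0%) are dropped before ranking, because a discount tied to them would change nobody's premium and therefore nobody's behaviour.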

  34. RQ4: Interdependent security
     • How does the implementation of a particular security control affect the risk level of other insureds?
       – Better security of one insured => higher risk level for others?
       – Is the overall level of a specific risk constant to some extent?
       – Where to use adversarial risk models or probabilistic models
     Agent-based modeling + empirical validation

  35. RQ5: Low-cost security evaluation
     • What is a cheap alternative to a thorough (and expensive) security risk assessment?
       – Questionnaire-based evaluation
     • Is it effective for cyber insurance?
       – Rank insureds based on information about companies that reported security incidents
     • Do insurers have data?
       – Security reputation metrics
     Benchmark the alternatives on the results from real security risk assessments
