Supporting Cyberinsurance from a Behavioural Choice Perspective. Dr. Katsiaryna (Kate) Labunets. PowerPoint presentation.


SLIDE 1

Supporting Cyberinsurance from a Behavioural Choice Perspective

  • Dr. Katsiaryna (Kate) Labunets
SLIDE 2

Outline

  • Who am I?
  • Definitions
  • Project details
  • Research questions
SLIDE 3

Dr. Kate Labunets

  • MSc in Mathematics, Belarusian State University, Minsk, Belarus, 2004 - 2010
  • Business Systems Analyst, outsourcing software development company in Minsk, Belarus, 2008 - 2011
  • PhD Candidate, University of Trento, Italy, Nov 2011 - April 2016
  • Postdoc in Empirical Security, DISI, University of Trento, Italy, June 2016 - May 2017
  • Postdoc in Cyber insurance, TBM, TU Delft, Netherlands, June 2017 - Present

SLIDE 4

Research background

  • PhD Thesis: Security Risk Assessment (SRA) Methods: An Evaluation Framework and Theoretical Model of the Criteria Behind Methods' Success.
  • Research interests: security risk assessment, cyber insurance, empirical methods, comprehensibility of risk models

SLIDE 5

Definitions

SLIDE 6

Definitions [1/2]

  • Risk is the combination of the likelihood of an incident and its impact on an asset (e.g., organizational processes, functions, reputation).
  • Cyberspace is the complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks. [ISO 27032]

Cyberspace + Risk = Cyber Risk

SLIDE 7

Definitions [2/2]

  • Cyber insurance (CI) is "protection against losses related to cyber risks, such as data theft/loss, business interruption caused by a computer malfunction or virus, and fines or lost income because of system downtime, network intrusion and/or information security breaches" [Gartner, 2015].
  • Insured is a "party that asks for insurance and would like to transfer its risk" [Marotta et al., 2017].
  • Insurer (insurance company) is a "party that assumes risks of another party in exchange for payment" [Marotta et al., 2017].

Gartner, "Five Tips for Companies Considering Cyber Insurance," 2015. Available: http://blogs.gartner.com/john-wheeler/five-tips-for-companies-considering-cyber-insurance/
Marotta et al., "Cyber-insurance survey". Computer Science Review, 2017.

SLIDE 8

CYBECO project

SLIDE 9

Motivation [1/3]

World Economic Forum "The Global Risks Interconnections Map 2017". Link: http://reports.weforum.org/global-risks-2017/global-risks-landscape-2017/

SLIDE 12

Motivation [2/3]

Extreme cyber-attack could cost as much as Superstorm Sandy in 2012: $53bn of economic losses

Lloyd's, "Counting the cost: cyber exposure decoded", 2017. https://goo.gl/fSFq9B

SLIDE 13

Motivation [3/3]

Demand is growing

Advisen, "Information Security and Cyber Liability Risk Management", 2015. http://bit.ly/1M9Gyp0

SLIDE 14

Challenges

  • Dealing with intelligent adversaries and intentionality
– Not well covered in standard cyber risk management
  • Lack of data about cyber attacks
– New regulations are coming (in 2018):
  • General Data Protection Regulation (GDPR)
  • Directive on security of network and information systems (NIS)
– Alleviate by using Structured Expert Judgment
  • Poor support of cyber insurance within current cyber risk management frameworks
  • Poor guidance and lack of proper information for companies looking for cyber insurance

SLIDE 15

Project details

  • Title: Supporting Cyberinsurance from a Behavioural Choice Perspective
  • Duration: May 2017 - April 2019 (2 years)
  • Program: H2020
  • 7 partners:
– 1 coordinator company (Greece)
– 2 universities (NL + UK)
– 2 scientific companies (both from Spain)
– 1 software development company (supposed to be from Luxembourg, but in reality... Greece)
– 1 cyber insurance provider (AXA France)

SLIDE 16

The structure of CYBECO goals

Diagram linking Insurance contracts, Risk generation, Risk transfer, Risk assessment and Risk reduction with the choice behaviour of insurance companies, the choice behaviour of cyber threats and the choice behaviour of IT owners.
SLIDE 17

CYBECO objectives [1/2]

  • Understand better how the CI ecosystem works in practice
– key drivers behind the decision-making process when insureds buy CI,
– behavioural aspects in the CI ecosystem (e.g., how a company's behaviour changes once it has CI).
  • Identify possible gaps in the key directives, standards and services in order to improve CI practice.

SLIDE 18

CYBECO objectives [2/2]

  • Provide tool support for security risk management with
– new models that incorporate CI,
– behavioural nudges in cyber security and insurance.

SLIDE 19

Cyber insurance ecosystem

SLIDE 20

RQ1: How CI ecosystem works [1/3]

  • [RQ1.1] What are the key (behavioural) drivers for buying CI?
○ Initial interview + a large-scale survey with two groups of companies:
■ already bought CI
■ considered CI but did not buy it

SLIDE 21

Diagram: an IT company facing cyber risk decides whether to buy a cyber insurance policy, with prompts such as "Everybody has a cyber insurance", "Company may lose money or reputation", "Somebody might go to jail" and "Do you want to buy a cyber insurance?".

SLIDE 22

RQ1: How CI ecosystem works [2/3]

  • [RQ1.2] What are the relations between risk level, client's behaviour, CI policy and premiums?
○ Agent-based modelling (ABM)

SLIDE 23

ABM for Cyber Security [1/2]

MSc thesis: "The Vulnerability Ecosystem: Exploring vulnerability discovery and the resulting cyberattacks through agent-based modelling" by Y. Breukers

SLIDE 24

ABM for Cyber Security [2/2]

SLIDE 25

RQ1: How CI ecosystem works [3/3]

  • [RQ1.3] How does risk perception affect the insured's decision on buying CI?
○ Behavioural experiments based on
■ prospect theory
■ protection motivation theory

SLIDE 26

Prospect theory

People make decisions based on the potential value of losses and gains relative to a reference point, rather than on final outcomes.

Wikipedia "Prospect theory". Link: https://en.wikipedia.org/wiki/Prospect_theory
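The following is an added illustration of the prospect-theory point above, not code from the slides or the CYBECO project. It uses the cumulative prospect theory (CPT) value function and probability weighting of Tversky and Kahneman (1992) with their published parameter estimates, and applies them to the decision the deck is about: whether an insured buys a policy. The breach probability, loss, premium and deductible are constructed numbers chosen to show the effect, not market data.

```python
"""Prospect-theory view of a cyber-insurance purchase decision.

Added illustration; not code from the slides or the CYBECO project.
Value function and probability weighting follow Tversky & Kahneman
(1992) cumulative prospect theory with their published parameters.
The scenario numbers at the bottom are constructed, not market data.
"""

# Tversky & Kahneman (1992) median parameter estimates
ALPHA = 0.88   # diminishing sensitivity for gains
BETA = 0.88    # diminishing sensitivity for losses
LAMBDA = 2.25  # loss aversion: a loss hurts ~2.25x as much as an equal gain pleases
GAMMA = 0.61   # probability weighting exponent for gains
DELTA = 0.69   # probability weighting exponent for losses


def value(x: float) -> float:
    """Reference-dependent value: concave for gains, convex and steeper for losses."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def weight(p: float, exponent: float) -> float:
    """Inverse-S weighting: small probabilities overweighted, large ones underweighted."""
    p = min(max(p, 0.0), 1.0)  # guard against float drift when cumulating probabilities
    return p ** exponent / (p ** exponent + (1.0 - p) ** exponent) ** (1.0 / exponent)


def cpt_value(prospect):
    """CPT value of a prospect given as [(outcome, probability), ...].

    Decision weights are cumulative: gains are weighted from the best
    outcome downwards, losses from the worst outcome upwards. Outcomes of
    exactly zero contribute nothing.
    """
    gains = sorted((x, p) for x, p in prospect if x > 0)    # ascending
    losses = sorted((x, p) for x, p in prospect if x < 0)   # worst first
    total = 0.0
    cum = 0.0
    for x, p in reversed(gains):                # best gain first
        total += (weight(cum + p, GAMMA) - weight(cum, GAMMA)) * value(x)
        cum += p
    cum = 0.0
    for x, p in losses:                         # worst loss first
        total += (weight(cum + p, DELTA) - weight(cum, DELTA)) * value(x)
        cum += p
    return total


def compare(loss: float, p_breach: float, premium: float, deductible: float) -> dict:
    """Evaluate 'stay uninsured' vs 'buy the policy' under expected value and CPT.

    Uninsured: lose `loss` with probability p_breach, otherwise nothing.
    Insured: pay `premium` for sure; on a breach also pay `deductible`.
    Both are framed as changes from current wealth (the reference point).
    """
    uninsured = [(-loss, p_breach), (0.0, 1.0 - p_breach)]
    insured = [(-(premium + deductible), p_breach), (-premium, 1.0 - p_breach)]
    result = {
        "ev_uninsured": -p_breach * loss,
        "ev_insured": -(premium + p_breach * deductible),
        "cpt_uninsured": cpt_value(uninsured),
        "cpt_insured": cpt_value(insured),
    }
    result["buy_by_ev"] = result["ev_insured"] > result["ev_uninsured"]
    result["buy_by_cpt"] = result["cpt_insured"] > result["cpt_uninsured"]
    return result


if __name__ == "__main__":
    # Constructed scenario: 2% annual breach chance, 500k loss, 15k premium, 25k deductible.
    # The premium exceeds the expected loss (10k), so a risk-neutral buyer declines, but
    # overweighting of the 2% and loss aversion make the insured prospect less painful.
    for key, val in compare(500_000, 0.02, 15_000, 25_000).items():
        print(f"{key:14} {val}")
```

In the constructed scenario the expected-value comparison says "do not buy" (the premium is loaded 55% above the expected loss), while the CPT comparison says "buy": the 2% breach probability is weighted as roughly 6%, and the certain premium hurts less than the small chance of a large loss. This is the mechanism an RQ1.3 experiment would try to measure; the parameters here are population medians, and a real study would elicit them per participant.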

SLIDE 27

Protection motivation theory

People protect themselves based on four factors:

  • a. the perceived severity of a threatening event,
  • b. the perceived probability of the occurrence, or vulnerability,
  • c. the efficacy of the recommended preventive behaviour,
  • d. the perceived self-efficacy.

Wikipedia "Protection Motivation Theory". Link: https://en.wikipedia.org/wiki/Protection_motivation_theory

SLIDE 28

RQ2: CI policy complexity

How does the complexity of the policy affect the insured's decision to buy CI?

Simple and cheap vs. complex and expensive

AIG CyberEdge: https://www.aiginsurance.nl/bedrijf/producten/financieel-lijnen/cyberedge
HDI Cyber insurance: https://www.hdi.global/nl/nl/insurance/cyber

SLIDE 29

RQ2: Simple policy

HDI Global offers Internetbankierfraudeverzekering (internet banking fraud insurance), a cyber insurance which covers only the losses from online banking fraud.

(Table: premiums and deductibles)

HDI Cyber insurance: https://www.hdi.global/nl/nl/insurance/cyber

SLIDE 30

RQ2: Complex policy [1/2]

  • AIG group offers the CyberEdge insurance policy that covers:
– 3rd party security and privacy claims,
– network business interruption,
– security failure at an outsourced service provider,
– electronic data incidents,
– cyber extortion,
– etc.

SLIDE 31

RQ2: Complex policy [2/2]

(Table: premiums and deductibles)

AIG CyberEdge: https://www.aiginsurance.nl/bedrijf/producten/financieel-lijnen/cyberedge

SLIDE 32

More than cyber insurance

"Insurance institutions are doing something more than transferring risk—they are actively managing the underlying risk of data breach." [Talesh, 2017]

Talesh, "Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses". Law & Social Inquiry, 2017

SLIDE 33

RQ3: Risk management

  • What can motivate insureds to maintain a certain level of security?
– Premium discounts as an incentive to implement recommended security controls
  • How to link premium reductions to security controls to obtain a better risk reduction?
– Select controls that differentiate between clients (10-70%)
– Data-driven selection based on the available information about incidents and implemented (or absent) security controls
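As an added illustration of the data-driven selection described in RQ3 (not code from the CYBECO project), the block below takes a constructed portfolio of insureds, each with its implemented controls and reported incidents, keeps only controls whose adoption rate lies in a band, ranks them by the incident-rate gap between adopters and non-adopters, and maps that gap to a premium discount. Reading the slide's "10-70%" as an adoption-rate band, and the linear discount mapping, are this example's assumptions.

```python
"""Data-driven choice of which security controls to reward with premium discounts.

Added illustration; not code from the CYBECO project. The client records
are constructed toy data. The "10-70%" band on the slide is read here as
an adoption-rate band (a control almost everyone or almost no one has
cannot differentiate between clients); that reading is an assumption.
"""

# Constructed portfolio: which controls each insured runs and how many
# incidents it reported in the policy year. Not real data.
CLIENTS = [
    {"id": "c01", "controls": {"mfa", "backups", "patching"}, "incidents": 0},
    {"id": "c02", "controls": {"mfa", "backups"}, "incidents": 0},
    {"id": "c03", "controls": {"mfa", "backups", "patching", "awareness"}, "incidents": 1},
    {"id": "c04", "controls": {"backups", "patching"}, "incidents": 2},
    {"id": "c05", "controls": {"backups", "awareness"}, "incidents": 3},
    {"id": "c06", "controls": {"backups", "patching"}, "incidents": 1},
    {"id": "c07", "controls": {"mfa", "backups", "awareness", "honeypot"}, "incidents": 0},
    {"id": "c08", "controls": {"backups"}, "incidents": 2},
    {"id": "c09", "controls": {"awareness"}, "incidents": 3},
    {"id": "c10", "controls": {"mfa", "patching"}, "incidents": 1},
    {"id": "c11", "controls": {"backups", "patching"}, "incidents": 1},
]


def rank_controls(clients, min_adopt=0.10, max_adopt=0.70):
    """Rank controls by the incident-rate gap between clients with and without them.

    Controls outside the adoption band are dropped: a control that (almost)
    every client has, or (almost) none has, gives no basis for pricing
    differences between clients.
    """
    n = len(clients)
    all_controls = set().union(*(c["controls"] for c in clients))
    stats = []
    for ctl in sorted(all_controls):
        with_ctl = [c for c in clients if ctl in c["controls"]]
        without = [c for c in clients if ctl not in c["controls"]]
        adoption = len(with_ctl) / n
        if not (min_adopt <= adoption <= max_adopt):
            continue  # both lists are non-empty from here on
        rate_with = sum(c["incidents"] for c in with_ctl) / len(with_ctl)
        rate_without = sum(c["incidents"] for c in without) / len(without)
        stats.append({
            "control": ctl,
            "adoption": adoption,
            "rate_with": rate_with,
            "rate_without": rate_without,
            "reduction": rate_without - rate_with,  # incidents per client avoided
        })
    stats.sort(key=lambda s: s["reduction"], reverse=True)
    return stats


def suggest_discounts(stats, max_discount=0.20):
    """Map each control's measured reduction to a premium discount.

    Scaled linearly so the best control gets `max_discount`; controls with
    no measured reduction get 0. Illustrative policy, not an actuarial model.
    """
    best = max((s["reduction"] for s in stats), default=0.0)
    if best <= 0:
        return {s["control"]: 0.0 for s in stats}
    return {s["control"]: round(max_discount * max(s["reduction"], 0.0) / best, 4)
            for s in stats}


if __name__ == "__main__":
    ranked = rank_controls(CLIENTS)
    discounts = suggest_discounts(ranked)
    for s in ranked:
        print(f"{s['control']:10} adoption={s['adoption']:.2f} "
              f"incidents/client with={s['rate_with']:.2f} without={s['rate_without']:.2f} "
              f"discount={discounts[s['control']]:.1%}")
```

On the toy data, "backups" (9 of 11 clients) and "honeypot" (1 of 11) fall outside the band and are never considered for a discount; "mfa" ranks first and "awareness" ends up with a negative gap, so no discount. That last result is the caveat a practitioner needs: the gap is a raw association on a handful of records, and on real portfolios it must be adjusted for confounders such as company size and sector before it is turned into pricing.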

SLIDE 34

RQ4: Interdependent security

  • How does the implementation of a particular security control affect the risk level of other insureds?
– Better security of one insured => higher risk level for others?
– Is the overall level of a specific risk constant to some extent?
– Where to use adversarial risk models or probabilistic models?

Agent-based modelling + empirical validation

SLIDE 35

RQ5: Low-cost security evaluation

  • What is a cheap alternative to a thorough (and expensive) security risk assessment?
– Questionnaire-based evaluation
  • Is it effective for cyber insurance?
– Rank insureds based on information about companies that reported security incidents
  • Do insurers have data?
– Security reputation metrics

Benchmark the alternatives on the results from real security risk assessments

SLIDE 36

Open questions

  • What is the toolbox for?
  • Who are the users of the toolbox?
– IT companies?
– Insurance companies?
– Both?
  • What models are needed for the CYBECO toolbox?
SLIDE 37

Questions?

SLIDE 38

(Picture)

SLIDE 39

CYBECO structure

Diagram: work packages WP1 to WP8, plus ethics requirements.

SLIDE 40

Cognitive heuristics and biases

SLIDE 41

Motivation [1/3]

  • Cyber risk is very different from other operational risks [Biener et al., 2015]

Losses per risk type (in million US$):

Category         N        Mean     SD
Cyber risk       994      40.53    443.88
Non-cyber risk   21,081   99.65    1,160.17

Biener et al., "Insurability of cyber risk: an empirical analysis". Geneva Papers on Risk and Insurance: Issues and Practice, 2015.

SLIDE 42

Motivation [2/3]: Market is growing

Bloomberg, "Cyber Crime Fears Drive Up Demand for Anti-Hacker Insurance", 2017. https://www.bloomberg.com/news/articles/2017-05-09/cyber-crime-fears-drive-growing-demand-for-anti-hacker-insurance

SLIDE 43

Experimental background