Periodic Reporting for period 2 - CYBECO (Supporting Cyberinsurance from a Behavioural Choice Perspective)
Okres sprawozdawczy: 2018-05-01 do 2019-04-30
Cyber insurance can fulfill a key role in the economics of cybersecurity by keeping the risk manageable for the insured companies by transferring it to the insurance provider, while providing incentives for improving security.
Cyber insurance has not taken off yet, since it is difficult for insurance companies to create an overall risk picture for the domain and design their offerings accordingly while it is also difficult for companies to decide on whether to buy insurance or not. CYBECO focused on two aspects of choice behavior to fill these gaps by including behavior of cyber threats in risk assessment through adversarial risk analysis, in order to support insurance companies in estimating risks and setting premiums, and using behavioral experiments to improve insurance decisions of IT owners, thereby enhancing decision support on risk transfer. By properly modeling and combining the choice behavior of cyber threats (risk generation), the choice behavior of insurance companies (risk assessment) and the choice behavior of IT owners (risk transfer options as cyber insurance), CYBECO aimed at globally mitigating cyber risks, as indicated in Figure 1. The objective of CYBECO was achieved through the following:
• CYBECO covered not only technical cyber security aspects but also behavioral, economic and policy issues, providing a renewed and more global view on the topic.
• CYBECO facilitated identification of optimal cyber security investments. Through experiments, it identified effective designs of cyber insurance and behavioral nudges for incorporating better cybersecurity practices.
• CYBECO incorporated SEJ and MAUT methods to address the lack of cyber-attacks data and evaluate relevant aspects in relation with an organization. CYBECO models incorporated ARA (Adversarial Risk Analysis) aspects and, therefore, took into account attacker behavior and possible deterrence measures to be included in the security portfolio.
• CYBECO incorporated behavioral findings into the models. Through the experiments, expert reviews and focus groups evaluations, models were validated and tested with potential customers. The final aim of the model was to suggest the optimal IT security investment portfolio to an organization with cyber insurance as a major ingredient.
• The CYBECO Toolbox wasa developed to be the sustainable infrastructure to maintain the indicators and parameters required by the models. It has been the sustainable source of recommendations and point of engagement for policy makers, companies interested in alternative models of securing against cybersecurity threats and insurance companies interested in the development of alternative product portfolios for cybersecurity. It has also been a common information space for stakeholder engagement, model demonstration and collection of feedback.
• CYBECO performed a back to back comparison of the proposed approach with current institutional and governance frameworks to identify potential gaps in the frame of providing policy recommendations focusing on cyber insurance aspects.
Cyber insurance has not taken off yet, since it is difficult for insurance companies to create an overall risk picture for the domain and design their offerings accordingly while it is also difficult for companies to decide on whether to buy insurance or not. CYBECO focused on two aspects of choice behavior to fill these gaps by including behavior of cyber threats in risk assessment through adversarial risk analysis, in order to support insurance companies in estimating risks and setting premiums, and using behavioral experiments to improve insurance decisions of IT owners, thereby enhancing decision support on risk transfer. By properly modeling and combining the choice behavior of cyber threats (risk generation), the choice behavior of insurance companies (risk assessment) and the choice behavior of IT owners (risk transfer options as cyber insurance), CYBECO aimed at globally mitigating cyber risks, as indicated in Figure 1. The objective of CYBECO was achieved through the following:
• CYBECO covered not only technical cyber security aspects but also behavioral, economic and policy issues, providing a renewed and more global view on the topic.
• CYBECO facilitated identification of optimal cyber security investments. Through experiments, it identified effective designs of cyber insurance and behavioral nudges for incorporating better cybersecurity practices.
• CYBECO incorporated SEJ and MAUT methods to address the lack of cyber-attacks data and evaluate relevant aspects in relation with an organization. CYBECO models incorporated ARA (Adversarial Risk Analysis) aspects and, therefore, took into account attacker behavior and possible deterrence measures to be included in the security portfolio.
• CYBECO incorporated behavioral findings into the models. Through the experiments, expert reviews and focus groups evaluations, models were validated and tested with potential customers. The final aim of the model was to suggest the optimal IT security investment portfolio to an organization with cyber insurance as a major ingredient.
• The CYBECO Toolbox wasa developed to be the sustainable infrastructure to maintain the indicators and parameters required by the models. It has been the sustainable source of recommendations and point of engagement for policy makers, companies interested in alternative models of securing against cybersecurity threats and insurance companies interested in the development of alternative product portfolios for cybersecurity. It has also been a common information space for stakeholder engagement, model demonstration and collection of feedback.
• CYBECO performed a back to back comparison of the proposed approach with current institutional and governance frameworks to identify potential gaps in the frame of providing policy recommendations focusing on cyber insurance aspects.
WP1: All Ethics Requirements have been met.
WP2: Project and quality management activities took place. 5 plenary meetings took place, 2 during the 2nd year. The 1st review meeting took place on M14. Several bilateral meetings among project partners concerning technical discussions on specific tasks also took place. The DMP was developed in the 1st year and no updates were required until M24. The External Advisory Board provided 2 sets of recommendations on M12 and M18.
WP3: The modeling framework was developed providing a comprehensive modeling of the cyber risk analysis problem, including the presence of adversarial threats and standard cyber and physical threats, and the use of insurance (cyber-traditional) as part of the security portfolio. Basic catalogues for assets and threats were identified. A draft algorithm in R was developed, simulating a problem modeled under the framework to obtain the optimal security portfolio. General preference models for cyber defenders were elaborated and several computational and algorithmic refinements were produced.
WP4: The set of use cases and the set of risk scenarios developed during the 1st year were refined and improved with inputs from internal actors and cybersecurity experts.
WP5: The methodology for the development of the Toolbox was finalized, while the development of the CYBECO Toolbox 1.0 was completed. The CYBECO Toolbox v2.0 was also developed on the basis of expert reviews and focus group evaluations and it was released in two versions (expert and non-expert risk analysis).
WP6: The design of the experiments and the SW were completed. The experiments were conducted and an additional 3rd experiment was conducted.
WP7: The cybersecurity ecosystem was finalized. Qualitative studies on SMEs' decision-making and on policy usability were conducted.
WP8: The CYBECO website and social media pages were used to communicate project activities. 24 publications were produced (9 published, 7 submitted, 8 to be submitted). 8 seminars were delivered while the project was also presented in 13 conferences in the 2nd year. Exploitation planning was completed and the IPR management scheme was defined.
The Technical Report (Part B) presents analytically the work performed.
WP2: Project and quality management activities took place. 5 plenary meetings took place, 2 during the 2nd year. The 1st review meeting took place on M14. Several bilateral meetings among project partners concerning technical discussions on specific tasks also took place. The DMP was developed in the 1st year and no updates were required until M24. The External Advisory Board provided 2 sets of recommendations on M12 and M18.
WP3: The modeling framework was developed providing a comprehensive modeling of the cyber risk analysis problem, including the presence of adversarial threats and standard cyber and physical threats, and the use of insurance (cyber-traditional) as part of the security portfolio. Basic catalogues for assets and threats were identified. A draft algorithm in R was developed, simulating a problem modeled under the framework to obtain the optimal security portfolio. General preference models for cyber defenders were elaborated and several computational and algorithmic refinements were produced.
WP4: The set of use cases and the set of risk scenarios developed during the 1st year were refined and improved with inputs from internal actors and cybersecurity experts.
WP5: The methodology for the development of the Toolbox was finalized, while the development of the CYBECO Toolbox 1.0 was completed. The CYBECO Toolbox v2.0 was also developed on the basis of expert reviews and focus group evaluations and it was released in two versions (expert and non-expert risk analysis).
WP6: The design of the experiments and the SW were completed. The experiments were conducted and an additional 3rd experiment was conducted.
WP7: The cybersecurity ecosystem was finalized. Qualitative studies on SMEs' decision-making and on policy usability were conducted.
WP8: The CYBECO website and social media pages were used to communicate project activities. 24 publications were produced (9 published, 7 submitted, 8 to be submitted). 8 seminars were delivered while the project was also presented in 13 conferences in the 2nd year. Exploitation planning was completed and the IPR management scheme was defined.
The Technical Report (Part B) presents analytically the work performed.
Progress beyond the state of art during this period is summarized as follows:
• WP3: CYEBCO overcame standard cyber risk analysis approaches (risk matrices), integrated adversarial and non-adversarial threats and cyberinsurance products in the security portfolio, facilitating their design; It facilitated selection of cybersecurity portfolios and insurance products for an IT owner and dealing with complex cases beyond basic templates; Models were developed for re-cyber insurance and the decision of granting a cyber insurance product; ARA-related insider problems were conceptualized and ARA was compared with other SEJ methodologies; Findings were integrated in an improved framework, which was showcased and implemented in R to incorporate it in the prototype.
• WP7: The cyber insurance ecosystem was validated with researchers and stakeholders and finalized; Policy gaps were identified based on literature and cyber security and data privacy regulations; Empirically investigated perceptions around cyber insurance, policy usability and insurance adoptions at company level; Proposed a conceptual model of SME cyber insurance adoption based on the empirical study and Protection Motivation Theory; Developed an agent-based model to study the effect of cyber insurance policy options on the ecosystem; It proposed a set of policy measures supporting cyber insurance ecosystem.
• WP6: The design of the economic experiments expanded knowledge on the decision-making process behind insurance uptake. Experiments provided new insights in the processes of belief creation and decision making in the purchase and use of cyber-insurance.
• WP5: The CYBECO toolbox was implemented translating the advantages of the proposed framework to practitioners, validated by internal consortium stakeholders (AXA) and demonstrated and well-received by external relevant stakeholders during the CYBECO workshop.
• A behavioural SEM model of the adoption of cyberinsurance was developed and tested providing behavioural insights to understand the cyberinsurance adoption processes, including motivations and barriers.
• WP3: CYEBCO overcame standard cyber risk analysis approaches (risk matrices), integrated adversarial and non-adversarial threats and cyberinsurance products in the security portfolio, facilitating their design; It facilitated selection of cybersecurity portfolios and insurance products for an IT owner and dealing with complex cases beyond basic templates; Models were developed for re-cyber insurance and the decision of granting a cyber insurance product; ARA-related insider problems were conceptualized and ARA was compared with other SEJ methodologies; Findings were integrated in an improved framework, which was showcased and implemented in R to incorporate it in the prototype.
• WP7: The cyber insurance ecosystem was validated with researchers and stakeholders and finalized; Policy gaps were identified based on literature and cyber security and data privacy regulations; Empirically investigated perceptions around cyber insurance, policy usability and insurance adoptions at company level; Proposed a conceptual model of SME cyber insurance adoption based on the empirical study and Protection Motivation Theory; Developed an agent-based model to study the effect of cyber insurance policy options on the ecosystem; It proposed a set of policy measures supporting cyber insurance ecosystem.
• WP6: The design of the economic experiments expanded knowledge on the decision-making process behind insurance uptake. Experiments provided new insights in the processes of belief creation and decision making in the purchase and use of cyber-insurance.
• WP5: The CYBECO toolbox was implemented translating the advantages of the proposed framework to practitioners, validated by internal consortium stakeholders (AXA) and demonstrated and well-received by external relevant stakeholders during the CYBECO workshop.
• A behavioural SEM model of the adoption of cyberinsurance was developed and tested providing behavioural insights to understand the cyberinsurance adoption processes, including motivations and barriers.