CYBER Security InSURancE — A Framework for Liability Based Trust

Periodic Reporting for period 1 - CyberSure (CYBER Security InSURancE — A Framework for Liability Based Trust)

Reporting period: 2017-01-01 to 2018-12-31

Issues addressed in the project:
The CyberSure project aims to develop, monitor, and manage cyber-insurance policies so as to help reduce the risk that cyber systems face and, at the same time, help educate both insurance companies and system owners about the existing risks, their magnitude and the ways they can reduce them (leading to lower insurance costs). The CyberSure goal is to offer a platform of integrated tools that solves two main problems. Firstly, how to continuously and dynamically certify that systems possess the required security properties and/or identify when they do not – similar to adding a GPS tracker to a vehicle to constantly verify that its drivers behave responsibly. Secondly, how to use the information obtained by this continuous, dynamic certification to allow both insurance companies and system owners to improve their understanding of how secure a system really is and thus be able to better calculate the risks associated with security failures.

Importance for Society:
Cyber crime is a fast-growing area of crime in modern society and is steadily becoming more aggressive and confrontational. Although the contribution of cyber insurance is considered crucial to addressing cyber crime holistically, the still immature cyber insurance market faces a number of unique challenges as it develops. This low maturity also leads to poor policy differentiation and customization. CyberSure aims to enable cyber insurance market differentiation in the EU by providing a platform to automate, compare and customize cyber insurance contracts and by facilitating the generation and collection of actuarial data relating to them. Data collection and pooling among insurers and cyber system providers, in particular, is regarded as a prerequisite for generating the knowledge required to differentiate the cyber insurance offer for consumers. By coupling risk assessment to automated certification tools in an automated cyber insurance framework, CyberSure will facilitate the definition of policies and pricing schemes that can be verified and updated dynamically, based on the real-time data provided by the risk assessment and hybrid certification mechanisms.

Overall objectives:
The overall aim of CyberSure is to develop an innovative framework supporting the creation and management of cyber insurance policies and offering a sound liability basis for establishing trust in cyber systems and services. To achieve its overall aim, CyberSure undertakes innovation and development activities driven by the following objectives:
Objective 1: To establish a process centric framework for automating the creation and management of cyber insurance policies for cyber systems, based on integrating proven techniques for the certification, audit and risk assessment of security and privacy (S&P) for such systems.
Objective 2: To develop a TRL‐7 platform supporting the creation, monitoring and adaptation of cyber insurance policies for cyber systems and the services available through them.
Objective 3: To demonstrate the use of the CyberSure framework in real world trials in the areas of e‐health and cloud services and, through them, carry a comprehensive evaluation covering technical, business and legal aspects, and demonstrating technology readiness at TRL‐7.
Objective 4: To create conditions for improving cyber insurance practice and the trustworthiness of cyber systems and commercializing the use of the CyberSure platform and framework.
Reporting Period: 01/01/2017 - 31/12/2018
• WP1: Kick-off meeting was held 16-17 February 2017 in Heraklion, Greece.
• WP1: Deliverable D1.1 - Project website and communication infrastructure, has been successfully completed and delivered, as part of work done in Tasks 1.1 and 1.2.
• WP1: Deliverable D1.2 - Project Quality Assurance and Ethics Plan, has been successfully completed and delivered, as part of work done in Tasks 1.3 and 1.4.
• WP2: Deliverable D2.1 - Scenarios and requirements for cyber insurance, has been successfully completed and delivered, as part of work done in Task 2.1.
• WP1: 2nd Consortium meeting was held 28-29 September 2017 in Hersonissos, Greece.
• WP1: Deliverable D1.3 - Progress Report, has been successfully completed and delivered, as part of work done in Tasks 1.1 and 1.2.
• WP5: Deliverable D5.1 - Exploitation, Innovation, Dissemination and Standardization Plan, has been successfully completed and delivered, as part of work done in Tasks 5.1, 5.2 and 5.3.
• WP3: Milestone 1 - Basic Certification/Risk/Insurance models, has been achieved.
• WP1: 3rd Consortium meeting was held 15-16 January 2018 in London, UK.
• WP1: 4th Consortium meeting was held 15 February 2018 in Heraklion, Greece.
• WP1: CyberSure Mid-term meeting was held 16 February 2018 in Heraklion, Greece.
• WP1: Deliverable D1.5 - Mid-term meeting report, has been successfully completed and delivered, as part of work done in Tasks 1.1 and 1.2.
• WP2: Deliverable D2.2 - CyberSure Validation Framework, has been successfully completed and delivered, as part of work done in Task 2.4.
• WP4: Deliverable D4.1 - CyberSure platform requirements, architecture and design, has been successfully completed and delivered, as part of work done in Task 4.1.
• WP2: Deliverable D2.3 - e-health and Cloud pilots, has been successfully completed and delivered, as part of work done in Tasks 2.2 and 2.3.
• WP5: Deliverable D5.2 - Initial Exploitation, Innovation, Dissemination and Standardization Report, has been successfully completed and delivered, as part of work done in Tasks 5.1, 5.2 and 5.3.
• WP4, WP5: Milestone 2 - Initial CyberSure Tools, has been achieved.
• WP2: Milestone 3 - Pilots, has been achieved.
• Total Secondments for this period: 163,6 person months.
For insuring cyber systems, the risk evaluation methodology needs to be quantitative and dynamic because operational conditions change frequently and quickly. The CyberSure framework represents progress beyond the state of the art with regard to risk management tools, methodologies and functions. CyberSure aims to develop, monitor, and manage cyber-insurance policies so as to help reduce the risk that cyber systems face and, at the same time, help educate both insurance companies and system owners about the existing risks, their magnitude and the ways they can reduce them (leading to lower insurance costs). The direct potential users of project outcomes include Cyber Insurers, Cyber System Providers and Certification Authorities, as well as the Scientific and Research community, which represents consumers of outcomes for research purposes. They also include other stakeholders who may be indirectly affected by, or have an indirect interest in, CyberSure outcomes, including Cyber System user groups, policy makers and the general public.
CyberSure poster for dissemination at various events
Presentations during the CyberSure Mid-Term Review Meeting
Consortium Meeting hosted by FORTH
CyberSure @ENISA-FORTH Network information Security Summer School 2018 (NIS2018)
CyberSure @ FORTH Researcher's Night 2019