Cyber insurance can fulfill a key role in the economics of cybersecurity: it keeps risk manageable for insured companies by transferring it to the insurance provider, while providing incentives for improving security.
Cyber insurance has not taken off yet: it is difficult for insurance companies to create an overall risk picture for the domain and design their offerings accordingly, and it is also difficult for companies to decide whether to buy insurance. CYBECO focused on two aspects of choice behavior to fill these gaps: including the behavior of cyber threats in risk assessment through adversarial risk analysis, in order to support insurance companies in estimating risks and setting premiums; and using behavioral experiments to improve the insurance decisions of IT owners, thereby enhancing decision support on risk transfer. By properly modeling and combining the choice behavior of cyber threats (risk generation), of insurance companies (risk assessment) and of IT owners (risk transfer options such as cyber insurance), CYBECO aimed at globally mitigating cyber risks, as indicated in Figure 1. The objective of CYBECO was achieved through the following:
• CYBECO covered not only technical cyber security aspects but also behavioral, economic and policy issues, providing a renewed and more global view on the topic.
• CYBECO facilitated identification of optimal cyber security investments. Through experiments, it identified effective designs of cyber insurance and behavioral nudges for incorporating better cybersecurity practices.
• CYBECO incorporated structured expert judgment (SEJ) and multi-attribute utility theory (MAUT) methods to address the lack of cyber-attack data and to evaluate the aspects relevant to an organization. CYBECO models incorporated ARA (Adversarial Risk Analysis) aspects and, therefore, took into account attacker behavior and possible deterrence measures to be included in the security portfolio.
• CYBECO incorporated behavioral findings into the models. Through the experiments, expert reviews and focus group evaluations, models were validated and tested with potential customers. The final aim of the model was to suggest the optimal IT security investment portfolio to an organization with cyber insurance as a major ingredient.
• The CYBECO Toolbox was developed to be the sustainable infrastructure to maintain the indicators and parameters required by the models. It has been the sustainable source of recommendations and point of engagement for policy makers, companies interested in alternative models of securing against cybersecurity threats and insurance companies interested in the development of alternative product portfolios for cybersecurity. It has also been a common information space for stakeholder engagement, model demonstration and collection of feedback.
• CYBECO performed a back-to-back comparison of the proposed approach with current institutional and governance frameworks to identify potential gaps, with a view to providing policy recommendations focusing on cyber insurance aspects.