Exact Insurance Premiums for Cyber Risk of Small and Medium-Sized Enterprises
Mathematical modelling of natural phenomena, Volume 17 (2022), article no. 40.

See the article record from the source EDP Sciences

As cyber attacks have become more frequent, cyber insurance premiums have increased, resulting in the need for better modeling of cyber risk. Toward this direction, Jevtić and Lanchier [Insur. Math. Econ. 91 (2020) 209–223] proposed a dynamic structural model of aggregate loss distribution for cyber risk of small and medium-sized enterprises under the assumption of a tree-based local-area-network topology that consists of the combination of a Poisson process, homogeneous random trees, bond percolation processes, and cost topology. Their model assumes that the contagion spreads through the edges of the network with the same fixed probability in both directions, thus overlooking a dynamic cyber security environment implemented in most networks, and their results give an exact expression for the mean of the aggregate loss but only a rough upper bound for the variance. In this paper, we consider a bidirectional version of their percolation model in which the contagion spreads through the edges of the network with a certain probability of moving toward the lower level assets of the network but with another probability of moving toward the higher level assets of the network, which results in a more realistic cyber security environment. In addition, our mathematical approach is quite different and leads to exact expressions for both the mean and the variance of the aggregate loss, and therefore an exact expression for the insurance premiums.
DOI: 10.1051/mmnp/2022041

Stefano Chiaradonna 1 ; Nicolas Lanchier 1

1 School of Mathematical and Statistical Sciences, Arizona State University, Tempe, AZ 85287, USA
@article{MMNP_2022_17_a40,
     author = {Stefano Chiaradonna and Nicolas Lanchier},
     title = {Exact {Insurance} {Premiums} for {Cyber} {Risk} of {Small} and {Medium-Sized} {Enterprises}},
     journal = {Mathematical modelling of natural phenomena},
     eid = {40},
     publisher = {mathdoc},
     volume = {17},
     year = {2022},
     doi = {10.1051/mmnp/2022041},
     language = {en},
     url = {http://geodesic.mathdoc.fr/articles/10.1051/mmnp/2022041/}
}
Stefano Chiaradonna; Nicolas Lanchier. Exact Insurance Premiums for Cyber Risk of Small and Medium-Sized Enterprises. Mathematical modelling of natural phenomena, Volume 17 (2022), article no. 40. doi: 10.1051/mmnp/2022041. http://geodesic.mathdoc.fr/articles/10.1051/mmnp/2022041/

[1] I. Aldasoro, L. Gambacorta, P. Giudici and T. Leach, The drivers of cyber risk (2020). Available at https://www.bbc.com/news/technology-59612917 (accessed 06 December 2021).

[2] Z. Amin, A practical road map for assessing cyber risk (2019) 32–43.

[3] Y. Antonio and S. Indratno, Cyber insurance rate making based on Markov model for regular networks topology (2021) 012002.

[4] Australian Cyber Security Centre, Restricting Administrative Privileges (2021). Available at https://www.cyber.gov.au/acsc/view-all-content/publications/restricting-administrative-privileges (accessed 16 December 2021).

[5] R. Betterley, Cyber privacy insurance market survey: a tough market for larger insureds, but smaller insureds finding eager insurers (2016). Available at http://betterley.com/samples/cpims16_nt.pdf (accessed 12 December 2021).

[6] Cybersecurity and Infrastructure Security Agency, Securing network infrastructure devices (2018). Available at https://www.cisa.gov/uscert/ncas/tips/ST18-001 (accessed 12 December 2021).

[7] Cynet, 2022 Survey of CISOs with small cyber security teams (2022). Available at https://go.cynet.com/hubfs/2022%20CISO%20Survey%20of%20Small%20Cyber%20Security%20Teams.pdf (accessed 08 August 2022).

[8] Department of Homeland Security, The increasing threat to network infrastructure devices and recommended mitigations (2016). Available at https://cyber.dhs.gov/assets/report/ar-16-20173.pdf (accessed 16 November 2021).

[9] Department of Justice: Southern District of New York, California man pleads guilty to hacking websites for the Combating Terrorism Center at West Point and the New York City Comptroller (2018). Available at https://www.justice.gov/usao-sdny/pr/california-man-pleads-guilty-hacking-websites-combating-terrorism-center-west-point-and (accessed 21 November 2021).

[10] M. Eling and K. Jung, Copula approaches for modeling cross-sectional dependence of data breach losses (2018) 167–180.

[11] M. Eling, K. Jung and J. Shim, Unraveling heterogeneity in cyber risks using quantile regressions (2022) 222–242.

[12] M. Eling and J. Wirfs, Modelling and management of cyber risk. Int. Actuar. Assoc. Life Section (2015).

[13] M. Eling and J. Wirfs, What are the actual costs of cyber risk events? (2019) 1109–1119.

[14] S. Farkas, O. Lopez and M. Thomas, Cyber claim analysis using generalized Pareto regression trees with applications to insurance (2021) 92–105.

[15] Federal Bureau of Investigation, Indicators of compromised associated with Diavol (2022). Available at https://www.ic3.gov/Media/News/2022/220120.pdf (accessed 03 December 2021).

[16] H. Ferraiolo, D.A. Cooper, A.R. Regenscheid, K. Scarfone and M.P. Souppaya, Best practices for privileged user PIV authentication (2016). Available at https://www.nist.gov/publications/best-practices-privileged-user-piv-authentication?pub_id=920826 (accessed 25 August 2021).

[17] P. Georgi, L. Morrow and T. Highfill, Updated and expanded small business statistics: Wages, employment, and gross output by industry and enterprise size, 2012–2017 (2021). Available at https://apps.bea.gov/scb/2021/11-november/pdf/1121-small-business.pdf (accessed 16 December 2021).

[18] H. Herath and T. Herath, Copula-based actuarial model for pricing cyber-insurance policies (2011) 7–20.

[19] P. Jevtić and N. Lanchier, Dynamic structural percolation model of loss distribution for cyber risk of small and medium-sized enterprises for tree-based LAN topology. Insur. Math. Econ. 91 (2020) 209–223.

[20] P. Jevtić and N. Lanchier, Systems and methods for a simulation program of a percolation model for the loss distribution caused by a cyber attack. US Patent No. 11,354,752 (2022).

[21] K. Jung, Extreme data breach losses: an alternative approach to estimating probable maximum loss for data breach risk (2021) 580–603.

[22] I. Kovačević, S. Groš and A. Derek, Automatically generating models of IT systems (2022) 13536–13554.

[23] Marsh, U.K. cyber insurance trends 2020 (2021). Available at https://www.marsh.com/uk/services/cyber-risk/insights/uk-cyber-insurance-trends-2020.html (accessed 16 December 2021).

[24] N. Mhaskar, M. Alabbad and R. Khedri, A formal approach to network segmentation (2021) 102162.

[25] T.J. Moore and J.-H. Cho, Applying percolation theory, in Cyber Resilience of Systems and Networks. Springer (2019) 107–133.

[26] National Institute of Standards and Technology, Intrusion (2021). Available at https://csrc.nist.gov/glossary/term/intrusion (accessed 16 December 2021).

[27] National Institute of Standards and Technology, Least privilege (2021). Available at https://csrc.nist.gov/glossary/term/least_privilege (accessed 04 December 2021).

[28] National Security Agency, Defend Privileges and Accounts (2019). Available at https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf (accessed 26 August 2021).

[29] National Security Agency, Segment networks and deploy application-aware defenses (2019). Available at https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf (accessed 09 December 2021).

[30] NetDiligence, Cyber Claims Study (2019). Available at https://dev.networkstandard.com/wp-content/uploads/2020/05/2019_NetD_Claims_Study_Report_L2.pdf (accessed 10 December 2021).

[31] S. Romanosky, L. Ablon, A. Kuehn and T. Jones, Content analysis of cyber insurance policies: how do carriers price cyber risk? (2019) 1–19.

[32] SonicWall, Mid-Year Update: SonicWall Cyber Threat Report (2021). Available at https://www.sonicwall.com/2021-cyber-threat-report/ (accessed 18 December 2021).

[33] The Institute of Risk Management, Cyber risk and risk management (2018). Available at https://www.theirm.org/what-we-say/thought-leadership/cyber-risk/ (accessed 11 December 2021).

[34] U.S. Government Accountability Office, Cyber Insurance: insurers and policyholders face challenges in an evolving market (2021). Available at https://www.gao.gov/products/gao-21-477 (accessed 14 December 2021).

[35] U.S. Securities and Exchange Commission, IT specialist settles charges of insider trading on hacked nonpublic information (2016). Available at https://www.sec.gov/news/pressrelease/2016-256.html (accessed 04 December 2021).

[36] U.S. Small Business Administration, Table of small business size standards matched to North American industry classification system codes (2019). Available at https://www.sba.gov/sites/default/files/2019-08/SBA%20Table%20of%20Size%20Standards_Effective%20Aug%2019%2C%202019_Rev.pdf (accessed 03 December 2021).

[37] Verizon, 2018 Verizon Data Breach Investigations Report (2018). Available at https://www.verizon.com/business/resources/reports/dbir/ (accessed 16 December 2021).

[38] Verizon, 2021 Verizon Data Breach Investigations Report (2021). Available at https://www.verizon.com/business/resources/reports/dbir/ (accessed 15 December 2021).

[39] N. Wagner, C.Ş. Şahin, M. Winterrose, J. Riordan, J. Pena, D. Hanson and W.W. Streilein, Towards automated cyber decision support: a case study on network segmentation for security, in 2016 IEEE Symposium Series on Computational Intelligence. IEEE (2016) 1–10.

[40] H. Wang, Z. Chen, J. Zhao, X. Di and D. Liu, A vulnerability assessment method in industrial internet of things based on attack graph and maximum flow (2018) 8599–8609.

[41] S. Wang, Z. Zhang and Y. Kadobayashi, Exploring attack graph for cost-benefit security hardening: a probabilistic approach (2013) 158–169.

[42] World Economic Forum, Global cybersecurity outlook 2022 (2022). Available at https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf (accessed 16 August 2022).

[43] X. Xie, C. Lee and M. Eling, Cyber insurance offering and performance: an analysis of the U.S. cyber insurance market (2020) 690–736.

[44] M. Xu and L. Hua, Cybersecurity insurance: modeling and pricing (2019) 220–249.

[45] P. Żebrowski, A. Couce-Vieira and A. Mancuso, A Bayesian framework for the analysis and optimal mitigation of cyber threats to cyber-physical systems. Risk Anal. (2022). https://doi.org/10.1111/risa.13900

[46] G. Zeller and M. Scherer, A comprehensive model for cyber risk based on marked point processes and its application to insurance (2022) 33–85.

[47] X. Zhang, M. Xu, J. Su and P. Zhao, Structural models for fog computing based internet of things architectures with insurance and risk management applications. Eur. J. Oper. Res. (2022). https://doi.org/10.1016/j.ejor.2022.07.033
