Cybersecurity insurance: modeling and pricing. (English) Zbl 1410.91291

Summary: Cybersecurity risk has attracted considerable attention in recent decades. However, the modeling of cybersecurity risk is still in its infancy, mainly because of its unique characteristics. In this study, we develop a framework for modeling and pricing cybersecurity risk. The proposed model consists of three components: the epidemic model, loss function, and premium strategy. We study the dynamic upper bounds for the infection probabilities based on both Markov and non-Markov models. A simulation approach is proposed to compute the premium for cybersecurity risk for practical use. The effects of different infection distributions and dependence among infection processes on the losses are also studied.


91B30 Risk theory, insurance (MSC2010)
94A62 Authentication, digital signatures and secret sharing
62P05 Applications of statistics to actuarial sciences and financial mathematics



