Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis
Abstract
1. Introduction
- Risk avoidance.
- Risk transfer.
- Risk mitigation.
- We study the problem of optimizing the total expense on security investment and insurance premium using the most recent breach probability function introduced in the literature;
- We analyze mathematically for which parameter values an optimal solution exists and when it actually makes sense to invest in security;
- We examine how the optimal security investment and the total expenditure change as the fundamental parameters vary.
2. Investment Optimization
2.1. The Wang Transform Class Function
- ;
- ;
- ;
- ;
- .
2.2. Mixed Insurance and Investment in Security Strategy
- Investment z: This term represents the amount of money invested in security measures by the company to mitigate cyber risks. These investments aim to reduce the probability of successful attacks and limit potential losses.
- Insurance premium P: The insurance premium is the amount paid by the company to the insurer to obtain insurance coverage. The premium is typically related to the overall policy liability, which in this case corresponds to the potential amount of money that could be lost in the event of a cyber attack.
3. Optimization Problem
3.1. Existence of the Optimal Investment Solution
3.2. Validity of the Optimal Investment Solution
- Low insurance premium P;
- Low discount rate r associated with security investments;
- Low effectiveness of security investments ;
- Low probability of an attack t or low loss in the case of a successful attack.
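The expense model of Section 2.2 and the existence and validity questions of Section 3, worked numerically, together with the parameter sweeps that Section 4 reports (optimal investment and total expense as the expected loss and the vulnerability vary). This is an added example written for this page, not the paper's code and not its exact formulas: the Wang-transform-shaped breach function `S(z)`, the premium formula and the way the discount `r` enters it, the parameter names `loss`, `alpha` and `prem_coef`, and the values loss = 1000, alpha = 1 and prem_coef = 1.2 are assumptions of this example. The values t = 0.8, v = 0.65, r = 0.5 and B = 100 are taken from the page's parameter table. The one structural fact the example relies on is exact: no rational investment exceeds the insurance-only expense E(0), so the search interval [0, E(0)] loses nothing.

```python
import math
from dataclasses import dataclass, replace
from statistics import NormalDist

_N = NormalDist()  # standard normal: cdf, inv_cdf and pdf without SciPy


@dataclass(frozen=True)
class Scenario:
    """Parameters of the mixed insurance/investment model.

    Names follow the page's parameter table. The symbols the page lost
    (expected loss, investment effectiveness, premium rate coefficient)
    get plain names here; that naming is an assumption of this example.
    """
    loss: float       # expected loss when an attack succeeds
    t: float          # attack probability
    alpha: float      # investment effectiveness (assumed name)
    prem_coef: float  # premium rate coefficient: loading on the expected loss (assumed role)
    r: float          # discount the insurer grants for security investment (assumed role)
    v: float          # vulnerability: breach probability with zero investment
    B: float          # benchmark scaling the investment

    def __post_init__(self) -> None:
        if not 0.0 < self.v < 1.0:
            raise ValueError("vulnerability v must lie strictly between 0 and 1")

    def breach_probability(self, z: float) -> float:
        """S(z): Wang-transform-shaped breach function (ASSUMED form, not the
        paper's Section 2.1 function): the normal quantile of v is shifted by
        alpha * ln(1 + z/B). S(0) = v, S decreases in z and never reaches 0."""
        return _N.cdf(_N.inv_cdf(self.v) - self.alpha * math.log1p(z / self.B))

    def premium(self, z: float) -> float:
        """P(z): loading times the expected loss t * S(z) * loss, reduced by a
        discount proportional to the relative drop in breach probability (assumed)."""
        s = self.breach_probability(z)
        discount = 1.0 - self.r * (1.0 - s / self.v)
        return self.prem_coef * self.t * self.loss * s * discount

    def total_expense(self, z: float) -> float:
        """E(z) = z + P(z): the quantity the firm minimises."""
        return z + self.premium(z)


def marginal_saving_at_zero(s: Scenario) -> float:
    """-dP/dz at z = 0. The first unit of investment lowers the total expense only
    if this exceeds 1, the unit cost of investing (existence condition, Section 3.1).
    With the assumed premium, dP/dz(0) = prem_coef*t*loss * S'(0) * (1 + r)."""
    k = s.prem_coef * s.t * s.loss
    slope = _N.pdf(_N.inv_cdf(s.v)) * s.alpha / s.B  # equals -S'(0)
    return k * (1.0 + s.r) * slope


def optimal_investment(s: Scenario, coarse: int = 2000, fine: int = 400):
    """Minimise E(z) on [0, E(0)] by a coarse grid, then a local fine grid.
    Spending more than E(0) can never pay back, so the bound is exact."""
    z_max = s.total_expense(0.0)
    if z_max <= 0.0:
        return 0.0, 0.0
    step = z_max / coarse
    z_best = min((i * step for i in range(coarse + 1)), key=s.total_expense)
    lo, hi = max(0.0, z_best - step), min(z_max, z_best + step)
    fine_step = (hi - lo) / fine
    z_best = min((lo + i * fine_step for i in range(fine + 1)), key=s.total_expense)
    return z_best, s.total_expense(z_best)


def worth_investing(s: Scenario) -> bool:
    """Validity check (Section 3.2): the optimum must be interior and beat the
    insurance-only expense E(0); otherwise insure and do not invest."""
    z_opt, e_opt = optimal_investment(s)
    return z_opt > 0.0 and e_opt < s.total_expense(0.0)


def sweep(s: Scenario, field: str, values):
    """(value, z*, E*) as one parameter varies, as in the Section 4 plots."""
    return [(x,) + optimal_investment(replace(s, **{field: x})) for x in values]


if __name__ == "__main__":
    base = Scenario(loss=1000.0, t=0.8, alpha=1.0, prem_coef=1.2, r=0.5, v=0.65, B=100.0)
    print(f"insurance only: E(0) = {base.total_expense(0.0):.1f}")
    print(f"marginal saving at z=0: {marginal_saving_at_zero(base):.2f} (invest if > 1)")
    z_opt, e_opt = optimal_investment(base)
    print(f"optimum: z* = {z_opt:.1f}, E(z*) = {e_opt:.1f}, worth investing: {worth_investing(base)}")
    for loss, z, e in sweep(base, "loss", [50.0, 250.0, 500.0, 1000.0, 2000.0]):
        print(f"loss={loss:7.0f}  z*={z:7.1f}  E*={e:7.1f}")
    for v, z, e in sweep(base, "v", [0.3, 0.5, 0.65, 0.8]):
        print(f"v={v:.2f}  z*={z:7.1f}  E*={e:7.1f}")
```

The two checks are deliberately separate. `marginal_saving_at_zero` answers whether investing at all reduces the expense at the margin; `worth_investing` answers whether the minimiser found actually beats doing nothing, which a non-convex breach function does not guarantee. With loss = 50 the marginal saving is about 0.27 and the optimum sits at z = 0, so the firm should only insure; with loss = 1000 the marginal saving is about 5.3 and the optimum is roughly z = 180 against an insurance-only expense of 624.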
4. Results
4.1. Optimal Investment as a Function of the Expected Loss
4.2. Optimal Investment as a Function of the Vulnerability
4.3. Total Expense as a Function of the Expected Loss and Vulnerability
5. Conclusions
Funding
Data Availability Statement
Conflicts of Interest
| Parameter | Value |
|---|---|
| Expected Loss | |
| Attack probability t | 0.8 |
| Investment effectiveness | |
| Premium rate coefficient | |
| Discount rate r | 0.5 |
| Vulnerability v | 0.65 |
| Benchmark B | 100 |
© 2023 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Mazzoccoli, A. Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis. Risks 2023, 11, 154. https://doi.org/10.3390/risks11090154