Optimisation of cyber insurance coverage with selection of cost effective security controls.

Ganbayar Uuganbayar; Artsiom Yautsiukhin; Fabio Martinelli; Fabio Massacci

doi:10.1016/j.cose.2020.102121

Optimisation of cyber insurance coverage with selection of cost effective security controls.

Ganbayar Uuganbayar^*, Artsiom Yautsiukhin, Fabio Martinelli, Fabio Massacci

^*Corresponding author for this work

Computer Systems

Research output: Contribution to Journal › Article › Academic › peer-review

Abstract

Nowadays, cyber threats are considered among the most dangerous risks by top management of enterprises. One way to deal with these risks is to insure them, but cyber insurance is still quite expensive. The insurance fee can be reduced if organisations improve their cyber security protection, i.e., reducing the insured risk. In other words, organisations need an investment strategy to decide the optimal amount of investments into cyber insurance and self-protection. In this work, we propose an approach to help a risk-averse organisation to distribute its cyber security investments in a cost-efficient way. What makes our approach unique is that next to defining the amount of investments in cyber insurance and self-protection, our proposal also explicitly defines how these investments should be spent by selecting the most cost-efficient security controls. Moreover, we provide an exact algorithm for the control selection problem considering several threats at the same time and compare this algorithm with other approximate algorithmic solutions.

Original language	English
Article number	102121
Pages (from-to)	1-21
Number of pages	21
Journal	Computers and Security
Volume	101
Early online date	27 Nov 2020
DOIs	https://doi.org/10.1016/j.cose.2020.102121
Publication status	E-pub ahead of print - 27 Nov 2020

Keywords

Cyber insurance
Dynamic programming
Genetic algorithm
Risk management
Risk treatment
Security investment

Access to Document

10.1016/j.cose.2020.102121

Fingerprint Dive into the research topics of 'Optimisation of cyber insurance coverage with selection of cost effective security controls.'. Together they form a unique fingerprint.

Cite this

@article{a88a01ac2f0747a8982212789c843542,

title = "Optimisation of cyber insurance coverage with selection of cost effective security controls.",

abstract = "Nowadays, cyber threats are considered among the most dangerous risks by top management of enterprises. One way to deal with these risks is to insure them, but cyber insurance is still quite expensive. The insurance fee can be reduced if organisations improve their cyber security protection, i.e., reducing the insured risk. In other words, organisations need an investment strategy to decide the optimal amount of investments into cyber insurance and self-protection. In this work, we propose an approach to help a risk-averse organisation to distribute its cyber security investments in a cost-efficient way. What makes our approach unique is that next to defining the amount of investments in cyber insurance and self-protection, our proposal also explicitly defines how these investments should be spent by selecting the most cost-efficient security controls. Moreover, we provide an exact algorithm for the control selection problem considering several threats at the same time and compare this algorithm with other approximate algorithmic solutions.",

keywords = "Cyber insurance, Dynamic programming, Genetic algorithm, Risk management, Risk treatment, Security investment",

author = "Ganbayar Uuganbayar and Artsiom Yautsiukhin and Fabio Martinelli and Fabio Massacci",

year = "2020",

month = nov,

day = "27",

doi = "10.1016/j.cose.2020.102121",

language = "English",

volume = "101",

pages = "1--21",

journal = "Computers & Security",

issn = "0167-4048",

publisher = "Elsevier Ltd",

}

TY - JOUR

T1 - Optimisation of cyber insurance coverage with selection of cost effective security controls.

AU - Uuganbayar, Ganbayar

AU - Yautsiukhin, Artsiom

AU - Martinelli, Fabio

AU - Massacci, Fabio

PY - 2020/11/27

Y1 - 2020/11/27

N2 - Nowadays, cyber threats are considered among the most dangerous risks by top management of enterprises. One way to deal with these risks is to insure them, but cyber insurance is still quite expensive. The insurance fee can be reduced if organisations improve their cyber security protection, i.e., reducing the insured risk. In other words, organisations need an investment strategy to decide the optimal amount of investments into cyber insurance and self-protection. In this work, we propose an approach to help a risk-averse organisation to distribute its cyber security investments in a cost-efficient way. What makes our approach unique is that next to defining the amount of investments in cyber insurance and self-protection, our proposal also explicitly defines how these investments should be spent by selecting the most cost-efficient security controls. Moreover, we provide an exact algorithm for the control selection problem considering several threats at the same time and compare this algorithm with other approximate algorithmic solutions.

AB - Nowadays, cyber threats are considered among the most dangerous risks by top management of enterprises. One way to deal with these risks is to insure them, but cyber insurance is still quite expensive. The insurance fee can be reduced if organisations improve their cyber security protection, i.e., reducing the insured risk. In other words, organisations need an investment strategy to decide the optimal amount of investments into cyber insurance and self-protection. In this work, we propose an approach to help a risk-averse organisation to distribute its cyber security investments in a cost-efficient way. What makes our approach unique is that next to defining the amount of investments in cyber insurance and self-protection, our proposal also explicitly defines how these investments should be spent by selecting the most cost-efficient security controls. Moreover, we provide an exact algorithm for the control selection problem considering several threats at the same time and compare this algorithm with other approximate algorithmic solutions.

KW - Cyber insurance

KW - Dynamic programming

KW - Genetic algorithm

KW - Risk management

KW - Risk treatment

KW - Security investment

UR - http://www.scopus.com/inward/record.url?scp=85097353427&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85097353427&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2020.102121

DO - 10.1016/j.cose.2020.102121

M3 - Article

AN - SCOPUS:85097353427

VL - 101

SP - 1

EP - 21

JO - Computers & Security

JF - Computers & Security

SN - 0167-4048

M1 - 102121

ER -