With the cyber security landscape changing drastically, security executives and actuaries have for the last few years been trying to work out whether there is a viable business model in which, given the right conditions, insurers and the organizations they cover can both find a mutually beneficial value proposition.
This paper is an interesting study of a contract design problem in which both insurers and organizations benefit in an interdependent security ecosystem, with risk-averse organizations opting to buy cyber insurance. The insurers benefit from the variance in security hygiene across enterprises, and also from the risk assessments performed as part of prescreening, which identify the areas an organization must improve before it can buy coverage. As a result, the organization also ends up improving its security program and gains better assurance about its overall cyber security risk profile.
While the simulations and proofs are present in an online appendix, the paper shares key theorems for various combinations considered during the development of the model.
The explanation of the earlier efforts this work builds upon, although brief, is helpful for a new researcher or an industry practitioner exploring the subject for real-life applications. However, it should be noted that the work described in the paper is far from ready for experimentation or adoption by insurers. The generalizations, especially those that assume comprehensive and accurate measurement of security posture, are theoretical. Even with artificial intelligence/machine learning (AI/ML), there is wide agreement that security is not an exact science and that measuring it is far more nuanced than it appears.
The model’s strengths lie in its consideration of risk-neutral as well as risk-averse organizations and in formulating the interdependence aspects of the industry.
While more needs to be done, this work is clearly a step forward in addressing a key requirement of the industry's main stakeholders.