
Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance

Journal: Information Systems Frontiers

Abstract

Malicious external attackers commonly use cyber threats (such as virus attacks, denial-of-service (DoS) attacks, financial fraud, system penetration, and theft of proprietary information), while internal attackers resort to unauthorized access, to compromise the confidentiality, integrity, and availability (CIA) of the data of individuals, organizations, and nations. This results in an opportunity cost, a loss of market capitalization, and a loss of brand equity for organizations. Organizations and nations spend a substantial portion of their information technology (IT) budgets on IT security (such as perimeter and core security technologies). Yet, security breaches are common. In this paper, we propose a cyber-risk assessment and mitigation (CRAM) framework to (i) estimate the probability of an attack using generalized linear models (GLM), namely logit and probit, and validate the estimates using Computer Security Institute–Federal Bureau of Investigation (CSI–FBI) time series data, (ii) predict the security technology required to reduce the probability of attack to a given level in the next year, (iii) use the gamma and exponential distributions to best approximate the average loss data for each malicious attack, (iv) calculate the expected loss due to cyber-attacks using collective risk modeling, (v) compute the net premium to be charged by cyber insurers to indemnify losses from a cyber-attack, and (vi) propose cyber insurance, self-insurance, or self-protection as strategies for organizations to minimize losses.
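The abstract's steps (i) to (v) as an added worked example; this is not code from the paper. It fits logit and probit models by Fisher scoring on a constructed sample (not the CSI–FBI series), inverts the fitted model to find the security level that brings the attack probability down to a target, and computes the expected aggregate loss and its variance under a collective risk model with gamma (or exponential) per-attack losses, the expected loss being the net premium. The 0-10 security index, the binomial attack count and the sample itself are assumptions of this example.

```python
import math

# Constructed illustrative data (NOT the paper's CSI-FBI series): pairs of
# (security_index 0-10 for deployed security technology, attacked 1/0).
SAMPLE = [
    (1, 1), (2, 1), (2, 1), (3, 1), (3, 0), (4, 1), (4, 0), (5, 1),
    (5, 0), (6, 0), (6, 1), (7, 0), (7, 0), (8, 0), (9, 0), (10, 0),
]

def norm_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def norm_pdf(z):
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)

def logit_prob(beta, x):
    """P(attack | x) under the logit link: 1 / (1 + exp(-(b0 + b1 x)))."""
    return 1.0 / (1.0 + math.exp(-(beta[0] + beta[1] * x)))

def probit_prob(beta, x):
    """P(attack | x) under the probit link: Phi(b0 + b1 x)."""
    return norm_cdf(beta[0] + beta[1] * x)

def fit_glm(data, link="logit", iters=50):
    """Fisher scoring (IRLS) for a binary GLM with one regressor. Per point:
    score (y - p) d/v * x and weight d^2/v, with d = dp/dz and v = p(1-p)."""
    b0, b1 = 0.0, 0.0
    for _ in range(iters):
        s0 = s1 = h00 = h01 = h11 = 0.0
        for x, y in data:
            z = max(-30.0, min(30.0, b0 + b1 * x))
            if link == "logit":
                p = 1.0 / (1.0 + math.exp(-z))
                d = p * (1.0 - p)
            else:
                p, d = norm_cdf(z), norm_pdf(z)
            p = min(max(p, 1e-12), 1.0 - 1e-12)
            v = p * (1.0 - p)
            u, w = (y - p) * d / v, d * d / v
            s0, s1 = s0 + u, s1 + u * x
            h00, h01, h11 = h00 + w, h01 + w * x, h11 + w * x * x
        det = h00 * h11 - h01 * h01          # 2x2 information matrix
        step0 = (h11 * s0 - h01 * s1) / det
        step1 = (h00 * s1 - h01 * s0) / det
        b0, b1 = b0 + step0, b1 + step1
        if abs(step0) + abs(step1) < 1e-10:
            break
    return (b0, b1)

def security_level_for(prob_fn, beta, target, lo=0.0, hi=20.0):
    """Invert the fitted model by bisection: the security index at which the
    attack probability equals `target` (probability must fall with x)."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if prob_fn(beta, mid) > target else (lo, mid)
    return 0.5 * (lo + hi)

def aggregate_loss_moments(p_attack, exposures, shape, scale):
    """Collective risk model S = X_1 + ... + X_N with N ~ Binomial(exposures,
    p_attack) and X ~ Gamma(shape, scale) (shape=1 is exponential). Returns
    (E[S], Var[S]); the net premium is E[S], i.e. no loading applied."""
    n_mean = exposures * p_attack
    n_var = n_mean * (1.0 - p_attack)
    x_mean, x_var = shape * scale, shape * scale * scale
    return n_mean * x_mean, n_mean * x_var + n_var * x_mean * x_mean
```

The variance returned alongside the expected loss is what an insurer would use to add a risk loading on top of the net premium.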





Corresponding author

Correspondence to Arunabha Mukhopadhyay.


Cite this article

Mukhopadhyay, A., Chatterjee, S., Bagchi, K.K. et al. Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance. Inf Syst Front 21, 997–1018 (2019). https://doi.org/10.1007/s10796-017-9808-5
