Information Systems Security and Privacy


Organizations live with residual IT security risk since technological controls are imperfect. This underlines the importance of cyber insurance in the management of IT security risk. Despite the obvious advantages, cyber insurance instruments are scarcely utilized in practice. Extant research mostly considers the economic aspects of the rational purchase of cyber insurance. In contrast, we take an organizational perspective and attempt to isolate the paradigms, contexts and constituent forces that shape the organizational decision-making process towards utilization of cyber insurance. Prescriptive and descriptive decisional models are analyzed, organizational decision constituencies are explained, and domain-specific contexts are included before we propose an integrated decision framework for organizational utilization of cyber insurance.