\
 

Start Date

16-8-2018 12:00 AM

Description

Increasing cyber-attacks and breaches lead to financial losses in organizations. Throughout this research-in-progress study, we propose the C-R-P-M-I framework to analyze the following – (i) likelihood of an expert hacker, (ii) likelihood of phishing attack on the firm, given that it has sufficiently invested in the preventive measures, (iii) likelihood of successful detection by the firm, and (iv) procure cyber insurance from 3rd party based on the possible risk-attitude of the organization - risk-averse, risk-neutral, and constant-risk. We assume that a firm with insurance enjoys more utility than the one without it. Additionally, we consider three separate function forms to represent the risk-attitudes –linear, quadratic, and logarithmic. In this manner, we outline a novel study in information security that computes the insurance premium to be paid by the firm depending on the intensity as well as the likelihood of attack, which was ignored by extant literature.

Share

COinS
 
Aug 16th, 12:00 AM

C-R-P-M-I: A framework to model cyber risk from phishing and mitigation through insurance

Increasing cyber-attacks and breaches lead to financial losses in organizations. Throughout this research-in-progress study, we propose the C-R-P-M-I framework to analyze the following – (i) likelihood of an expert hacker, (ii) likelihood of phishing attack on the firm, given that it has sufficiently invested in the preventive measures, (iii) likelihood of successful detection by the firm, and (iv) procure cyber insurance from 3rd party based on the possible risk-attitude of the organization - risk-averse, risk-neutral, and constant-risk. We assume that a firm with insurance enjoys more utility than the one without it. Additionally, we consider three separate function forms to represent the risk-attitudes –linear, quadratic, and logarithmic. In this manner, we outline a novel study in information security that computes the insurance premium to be paid by the firm depending on the intensity as well as the likelihood of attack, which was ignored by extant literature.