Phishing attacks contribute to a variety of cyber incidents, including data breaches and ransomware attacks. Phishers regularly discuss security-sensitive topics and keywords and share exploits and ransomware kits through messages in online forums that act as communities of practice. Research on correlated cyber risk arising from phishing attacks is still in its infancy. In this research-in-progress paper, we propose a framework for assessing phishing risk in an organization and mitigating it through balanced investment in IT security and complementary cyber insurance. First, the framework employs binary classifiers to identify expert phishers capable of launching phishing attacks and to estimate the rate at which phishing URLs go undetected in an organization. Second, the framework determines the optimal cyber insurance premium to indemnify the correlated loss from undetected phishing attacks. In this manner, the results of this study will help CTOs plan balanced cybersecurity investments and guide cyber insurers in designing differentiated insurance products for organizations with different risk attitudes.
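To make the link between URL misdetection and the premium concrete, the following is an added illustration that is not the paper's framework or code: a toy rule-based phishing-URL classifier evaluated on constructed labelled URLs, the misdetection (false-negative) rate it yields, and the standard actuarially fair premium with a loading factor computed from that rate under a simple correlated-loss model. The feature weights, threshold, sample URLs, attempt counts, click probability, loss amounts and loading factor are all assumptions chosen for illustration; the paper's own classifiers and premium optimization are not described on this page.

```python
"""Added example (not from the paper): toy phishing-URL classifier,
its misdetection rate on constructed data, and a loaded premium."""
import re
from urllib.parse import urlparse

# Assumed lexical features; real deployments use learned weights over many more.
SUSPICIOUS_WORDS = ("login", "verify", "secure", "update", "account", "signin")
WEIGHTS = {"ip_host": 3, "at_sign": 3, "many_dots": 1,
           "suspicious_word": 1, "long_url": 1, "no_https": 1}
THRESHOLD = 3  # assumed decision threshold


def url_features(url: str) -> dict:
    """Extract a few classic phishing indicators from a URL."""
    p = urlparse(url)
    host = p.hostname or ""
    return {
        "ip_host": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)),
        "at_sign": "@" in p.netloc,          # user@host trick hides the real host
        "many_dots": host.count(".") >= 3,  # deep subdomain chains
        "suspicious_word": any(w in url.lower() for w in SUSPICIOUS_WORDS),
        "long_url": len(url) > 75,
        "no_https": p.scheme != "https",
    }


def is_phishing(url: str) -> bool:
    """Binary classifier: weighted feature sum against a threshold."""
    score = sum(WEIGHTS[k] for k, v in url_features(url).items() if v)
    return score >= THRESHOLD


# Constructed labelled sample (True = phishing). Two phishing URLs use HTTPS and a
# look-alike domain with no other indicator, so the toy classifier misses them.
LABELLED_URLS = [
    ("https://www.example.com/", False),
    ("https://accounts.example.com/login", False),
    ("https://docs.python.org/3/library/urllib.parse.html", False),
    ("http://intranet.corp.example.com/account/update", False),
    ("https://mail.example.com/", False),
    ("http://192.168.0.10/secure/update", True),
    ("http://paypal.com@evil.example.net/verify", True),
    ("https://login.secure-bank.example.co.uk.attacker.com/account/verify", True),
    ("http://secure-login.example-bank-verify.com/session/"
     "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8/index.php", True),
    ("https://www.attacker.example/files/secure-update-notice.html", True),
]


def error_rates(labelled) -> tuple:
    """Return (misdetection rate = FN/positives, false-positive rate = FP/negatives)."""
    positives = [u for u, y in labelled if y]
    negatives = [u for u, y in labelled if not y]
    fn = sum(1 for u in positives if not is_phishing(u))
    fp = sum(1 for u in negatives if is_phishing(u))
    return fn / len(positives), fp / len(negatives)


def expected_annual_loss(attempts_per_year: float, miss_rate: float,
                         p_user_click: float, loss_per_incident: float,
                         correlated_units: int = 1) -> float:
    """Expected loss when one undetected, clicked lure hits `correlated_units`
    business units at once (simple correlated-loss assumption)."""
    return (attempts_per_year * miss_rate * p_user_click
            * loss_per_incident * correlated_units)


def loaded_premium(expected_loss: float, loading: float = 0.3) -> float:
    """Actuarially fair premium plus an insurer loading (assumed 30%)."""
    return expected_loss * (1 + loading)


if __name__ == "__main__":
    miss, fpr = error_rates(LABELLED_URLS)
    print(f"misdetection rate {miss:.2f}, false-positive rate {fpr:.2f}")
    eal = expected_annual_loss(1000, miss, 0.05, 25_000, correlated_units=3)
    print(f"expected annual loss {eal:,.0f}, premium {loaded_premium(eal):,.0f}")
```

Lowering the threshold reduces the misdetection rate and hence the expected loss and premium, at the cost of more false positives (the intranet URL above is already flagged); that trade-off is the security-investment side of the balance the abstract describes.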