- On one hand, by keeping the risk manageable for the insured companies by transferring it to the insurance provider, while at the same time
- providing incentives for improving security, requiring certain minimum protection, and thereby reducing overall risk.
Unfortunately, cyber insurance does not really take off, because
- From the supply side, it is difficult for insurance companies to create an overall risk picture for the domain and design their offerings accordingly, partly because of lack of data, and
- from the demand side, it is difficult for companies to decide on whether to buy insurance or not.
CYBECO project will focus on two aspects of choice behaviour to fill these identified gaps and help to further develop the supply and demand sides of cyber insurance services by:
- Including behaviour of cyber threats in risk assessment through adversarial risk analysis, in order to support insurance companies in estimating (dependent) risks and setting premiums, and
- Using behavioural experiments to simulate and improve insurance decisions of IT owners, thereby enhancing decision support on risk transfer.
The structure of CYBECO goals
Consequently, CYBECO aims at better facilitating risk-based information security investments and progressing beyond state of the art in information security economics models, supporting insurance companies in their cyber offerings through a risk management modelling framework and tool, thus benefitting society at large.
In a nutshell, by properly modelling and combining the choice behaviour of cyber threats (risk generation), the choice behaviour of insurance companies (risk assessment) and the choice behaviour of IT owners (which includes risk transfer options as cyber insurance), CYBECO aims at globally mitigating cyber risks.