- Including behaviour of cyber threats in risk assessment through adversarial risk analysis, in order to better support insurance companies in estimating (dependent) risks and setting premiums, and
- Using behavioural experiments to simulate and improve insurance decisions of IT owners, thereby enhancing decision support on risk transfer.
CYBECO aims to facilitate the actual take-off of cyber insurance, which can fulfil a key role in the economics of cybersecurity: it keeps risk manageable for insured companies by transferring it, while at the same time providing incentives for improving security and, thereby, reducing overall risk.
Overall, CYBECO aims to provide a model that facilitates optimal cybersecurity investments for your organisation, including cyber insurance. CYBECO builds upon the simple template of the basic modelling approach based on multi-agent influence diagrams. With these diagrams, CYBECO can depict the decision-making problem faced by an IT owner who needs to decide on its IT security portfolio and cyber insurance in the face of several threats, including some due to potential adversaries.
Once the problem is structured, analysts gather data and judgements from the IT owner. Once the model is populated, CYBECO considers the attackers' decision-making problems and simulates them to obtain better forecasts of the attackers' decisions. This is a key insight of Adversarial Risk Analysis. The forecasts are then incorporated into the defender's problem to find the optimal security portfolio, including the appropriate cyber insurance policy. Sensitivity analysis then serves to check the robustness of the investment for the IT owner. Likewise, sensitivity analysis may help the insurer set appropriate prices.
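The following Python sketch is an added illustration of that workflow, not CYBECO's model or Toolbox code. It assumes a single adversarial threat, an exponential (risk-averse) defender utility and a risk-based premium, and every figure and name in it is constructed.

```python
import math
import random

# All figures are constructed for illustration; none come from CYBECO.
# control -> (annual cost, probability that an attempted attack succeeds)
CONTROLS = {"none": (0, 0.60), "basic": (20_000, 0.30), "advanced": (60_000, 0.10)}
COVERAGE = {"none": 0.0, "partial": 0.5, "full": 0.9}  # insured share of the loss
LOSS = 500_000            # defender's loss if an attack succeeds
LOADING = 1.3             # insurer's mark-up over the expected payout
RISK_TOLERANCE = 200_000  # defender's exponential-utility risk tolerance


def attack_probability(p_success, n=20_000, seed=1):
    """Forecast P(attack) by simulating the attacker's own decision problem.

    The defender does not know the attacker's gain or cost, so both are drawn
    from the defender's beliefs; the attacker attacks when it pays off.
    """
    rng = random.Random(seed)
    attacks = 0
    for _ in range(n):
        gain = rng.uniform(50_000, 300_000)  # attacker's payoff on success
        cost = rng.uniform(10_000, 60_000)   # attacker's cost of trying
        if p_success * gain > cost:
            attacks += 1
    return attacks / n


def expected_utility(control, cover):
    """Defender's expected utility for one (control, insurance) portfolio."""
    control_cost, p_success = CONTROLS[control]
    q = attack_probability(p_success) * p_success   # P(successful attack)
    premium = LOADING * COVERAGE[cover] * q * LOSS  # risk-based premium
    fixed = control_cost + premium                  # paid whatever happens
    retained = (1 - COVERAGE[cover]) * LOSS         # uninsured part of the loss
    u_ok, u_hit = (-math.exp(c / RISK_TOLERANCE) for c in (fixed, fixed + retained))
    return (1 - q) * u_ok + q * u_hit


def best_portfolio():
    """Enumerate every portfolio and return the utility-maximising one."""
    options = [(c, i) for c in CONTROLS for i in COVERAGE]
    return max(options, key=lambda o: expected_utility(*o))


if __name__ == "__main__":
    for name, (_, p) in CONTROLS.items():
        print(name, "forecast P(attack) =", round(attack_probability(p), 3))
    print("optimal portfolio:", best_portfolio())
```

Re-running `best_portfolio()` after changing `LOADING`, `RISK_TOLERANCE` or the attacker's belief ranges is a simple form of the sensitivity analysis mentioned above.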
This model will be implemented in a prototype tool, the CYBECO Toolbox, which will demonstrate the CYBECO model building, assessment and solution, providing advice to the IT owner about the appropriate IT security portfolio and cyber insurance.
To cope with the cyber security paradox, the assessment of the tools will be supported by the design and analysis of online behavioural economic experiments and by investigations of the factors affecting cybersecurity and cyber insurance adoption. Experiments will be performed with the model and tool on issues such as willingness to pay and policy compliance by IT owners, and pricing and segmentation for insurance companies, so as to eventually refine the model and tool and identify the most appropriate cyber insurance policies.
The model will be compared with some of the current standards, directives and frameworks to identify gaps, propose additions to such documents and suggest policy recommendations.