Possibilities of modelling the impact of cyber threats in cyber risk insurance

In recent years a large number of organizations worldwide have been attacked in various ways, collectively referred to as cyber threats or cyber risks. Many organizations are well secured, but most of them admit that they are not able to prevent all of these attacks and therefore look for other ways to mitigate the risk. This paper describes a possible approach to modelling the impact of selected cyber threats in the field of cyber-risk insurance. It compares predefined organizational parameters against cyber threat scenarios. The main result is a model of the impact of selected cyber threats on the organization's parameters. Based on these results, it is possible to quantify the possible financial impacts and, on that basis, to propose an optimal amount of insurance cover.


Introduction
In recent years there have been many examples of data breaches at high-profile companies such as RSA, Global Payments, Sony or LinkedIn that resulted in significant financial loss [1,2,3]. Even though these organizations probably had state-of-the-art security controls in place, the intruders were able to breach them and steal data that were mission critical for some of these companies. Because many of today's businesses depend on the confidence and goodwill of their customers, they are aware that a single data breach could put them out of business. In order to protect their investments, they therefore look for a new approach to risk management that brings some kind of payout in case all internal security controls fail [14,16].

Cyber risk insurance is a relatively new topic in the fields of insurance and information security. It is a transdisciplinary area of scientific interest that combines several disciplines, such as economics, informatics, security and law. In recent years the number of cyber attacks on major information systems worldwide has grown considerably. This rise is due to the fact that information is a very valuable asset and attacks on organizations are moving into cyberspace. Moreover, many organizations do not have a security system sufficient to protect them against cyber attacks. Many research papers and monographs have been published on cyber risk insurance and on determining the optimum financial investment in an organization's important assets [4,6,13]. However, only a few publications focus on a methodology for valuing the important assets of an organization that should be covered by cyber risk insurance [4,5]. The aim of the presented paper is to investigate the magnitude of the risk between cyber threat scenarios and selected assets whose importance to the organization's information system is significant [12].

Current approaches to cyber insurance
Current approaches mainly deal with the problem of creating an efficient cyber insurance market based on game theory and maximizing social welfare. In current work, cyber-insurance premiums usually depend only on general client features (e.g. number of employees, sales volume), i.e., premiums do not reflect the client's security practices [7]. This is connected with the fact that cyber insurance is affected by the classic insurance problems of adverse selection (higher-risk users seek more protection) and moral hazard (users lower their investment in self-protection after being insured). The insurance companies therefore need to mitigate the information asymmetry somehow and calculate the premiums with these considerations in mind [8].
The information asymmetry can be mitigated in several ways. For example, a certifying authority can classify clients based on whether or not they have made security investments and ensure that certified users receive adequate compensation in case of a security incident. Another theoretically attractive incentive mechanism that may lead to optimal levels of investment is a liability rule, under which users are required to compensate others for the damage caused by their under-investment in security. However, these mechanisms are costly in practice because it is difficult to accurately determine the cause of a damage [9,10,11].

Methods
To determine the impact of cyber threats on the organization's information system, selected risk analysis methods were used. A scale of 1 to 5 was used to express the significance of each parameter considered here, where 1 represents the least significant parameter and 5 the most significant one.
For the purpose of modelling cyber threats, 10 possible cyber threats that can be covered by cyber-threat insurance were identified. These scenarios were determined on the basis of AIG insurance statistics. The parameters that may be affected by the realization of these cyber risks were determined by the author's research, conducted in thirteen organizations in the Czech Republic. These organizations include insurance companies, manufacturing companies and state institutions.
A risk matrix was developed from the available data to illustrate the degree of cyber risk to the identified assets. The final step was to create the risk analysis table, which shows the probability of a cyber threat to an asset and the impact of that threat on the asset. These results were obtained using the following calculation.

R = PI × T × H    (1)
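The following is an added worked example of the risk-matrix computation described above; it is example code written for this page, not the paper's own model or data. The page does not define the factors of equation (1), so reading PI as the probability of the threat, T as the threat's significance and H as the significance of the affected parameter (asset), each on the paper's 1 to 5 scale, is an assumption made here; the three parameter weights (Hardware 3, Fines 4, Lost yield on unprocessed products 5) are taken from the paper's results table, while the threat scores, the rating-band cut-offs and the financial values are constructed sample input.

```python
"""Risk-matrix computation in the style of equation (1), R = PI x T x H.

Added example for this page, not the paper's own model. Assumptions:
  * PI = probability of the threat, T = threat significance, H = parameter
    (asset) significance, each on the page's 1-5 scale, so 1 <= R <= 125;
  * the Low/Medium/High cut-offs are constructed (the page shows a colour
    coded rating scale but its value ranges are not preserved);
  * the three parameter weights come from the page; all other numbers are
    constructed sample input.
"""
from typing import Dict, List, Tuple

Scale = int  # an integer in 1..5

# Parameter (asset) significance from the page's results table.
PARAMETERS: Dict[str, Scale] = {
    "Hardware": 3,
    "Fines": 4,
    "Lost yield on unprocessed products": 5,
}

# Threats named on the page; the (PI, T) values are constructed, not measured.
THREATS: Dict[str, Tuple[Scale, Scale]] = {
    "Hacking": (5, 5),
    "Data leak due to employee negligence": (5, 4),
    "Ransomware": (2, 3),
    "DDoS attack": (2, 2),
    "Fraud pretensions": (1, 2),
}

# Constructed rating bands over the 1..125 range of R (assumption).
BANDS = ((20, "Low"), (60, "Medium"), (125, "High"))


def _check_scale(value: int, name: str) -> int:
    """Reject scores outside the 1-5 scale so a typo cannot inflate R."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return value


def risk_score(pi: Scale, t: Scale, h: Scale) -> int:
    """Equation (1): R = PI x T x H, with every factor range-checked."""
    return _check_scale(pi, "PI") * _check_scale(t, "T") * _check_scale(h, "H")


def rating(score: int) -> str:
    """Map R onto the colour-coded rating scale (constructed thresholds)."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1..125 range")


def risk_matrix(parameters=PARAMETERS, threats=THREATS) -> Dict[Tuple[str, str], Tuple[int, str]]:
    """R and its rating for every (threat, parameter) pair: the risk analysis table."""
    matrix: Dict[Tuple[str, str], Tuple[int, str]] = {}
    for threat, (pi, t) in threats.items():
        for param, h in parameters.items():
            r = risk_score(pi, t, h)
            matrix[(threat, param)] = (r, rating(r))
    return matrix


def rank_threats(matrix) -> List[Tuple[str, int]]:
    """Threats ordered by total R across all parameters, highest first."""
    totals: Dict[str, int] = {}
    for (threat, _param), (r, _label) in matrix.items():
        totals[threat] = totals.get(threat, 0) + r
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def exposure_basis(matrix, values: Dict[str, float]) -> Dict[str, float]:
    """One naive way to turn the matrix into a financial basis for cover:
    each parameter's financial statement scaled by its worst normalised R
    (R / 125). An illustration only, not the paper's (still open) algorithm."""
    worst: Dict[str, int] = {}
    for (_threat, param), (r, _label) in matrix.items():
        worst[param] = max(worst.get(param, 0), r)
    return {p: round(values[p] * worst[p] / 125, 2) for p in values}


if __name__ == "__main__":
    m = risk_matrix()
    for (threat, param), (r, label) in sorted(m.items(), key=lambda kv: -kv[1][0]):
        print(f"{threat:38s} {param:36s} R={r:3d} {label}")
    print("Ranking:", rank_threats(m))
    # Constructed financial statements per parameter, for illustration only.
    print("Exposure basis:", exposure_basis(m, {
        "Hardware": 200_000,
        "Fines": 500_000,
        "Lost yield on unprocessed products": 1_000_000,
    }))
```

With these constructed inputs hacking and negligent data leaks dominate the ranking and ransomware, DDoS and fraud fall into the low band, which mirrors the ordering the paper reports, but that is a property of the sample scores, not a result of the paper. The range check in `_check_scale` is the one safeguard worth keeping in any real implementation: a single mistyped 50 instead of 5 would otherwise silently multiply through into the coverage figure.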

Results
The aim of the analyses was to determine the vulnerability of the individual factors to selected cyber threats. For this purpose, the seven most common cyber threats faced by organizations were selected.

Table. Parameter values

Parameter                            Parameter value
Hardware                             3
Fines                                4
Lost yield on unprocessed products   5

Within this research, three parameters (areas) of the organization were also identified on which the realization of some of the threats has a significant impact. To illustrate the vulnerability, the risk rating scale described above was used.

[Table: Cyber threat / Probability of the threat; row values not recoverable from this copy]

Table 5. Risk rating scales

Table 5 shows the level of vulnerability of the particular organizational factors to the individual cyber threats. As can be seen, hacking and data leaks due to employee negligence are the threats to which the organizational factors are most vulnerable. It should be noted that these two threats are among the most common problems in organizations associated with data leakage or disruption. By contrast, the selected areas are least vulnerable to ransomware, DDoS attacks and fraud pretensions. This is also because these cyber threats are the least frequent and do not pose a great threat to the organization. The other organizational factors show a moderate level of vulnerability to cyber threats.
On the basis of the analyses performed, it is possible to predict the impacts of the most likely threats on the organization and its information system. Each of these parameters should be given a financial valuation from which the potential financial damage can be derived. This valuation can serve as a basis for determining optimal coverage. According to the available studies, an algorithm for determining the optimal level of insurance against cyber threats is still absent [13,15,16]. The main objective of the author's research is to design and validate such an algorithm on a general model of the organization. This work is the subject of further research in the field.

Discussion
The purpose of this paper was to design an algorithm for determining insurance coverage in the framework of cyber threat insurance. The results obtained follow on from previous research and analysis [6,7,18]. It was found that in order to determine the level of insurance cover more precisely, it is necessary to determine the parameters (assets) of the organization. These parameters can be represented by indicators for modelling the impact of selected cyber threats on an organization's information system, as reported in [8,9,10]. Based on the parameters that are valued at the beginning of the entire algorithm, it is necessary to model the interaction between each parameter and the cyber threats.
Overall, the results of this process are the modelling and depiction of the impact of the individual cyber threats and their consequent influence on the value of the parameters. Depending on the impact of the most likely cyber threat, an optimal level of insurance cover should be set. However, it is important to note that the proposed procedure does not provide the final amount to be covered by the insurance contract. Clearly, more research is needed to clarify the impact and cost of the parameters. A more accurate model of the interaction between a cyber threat and its impact on the selected organization parameters (assets) is one of the challenges for future research.

[Table: risk rating scale with columns Value range, Colour; first row Low risk; remaining rows not recoverable from this copy]
Pricing the information system and the information stored in it is a very complex process. The determination of the key factors and the subsequent assignment of values is subjective to some extent. Nevertheless, it is possible to say that information as such is a measurable quantity and that its value can therefore be determined objectively. This value should serve as a basis not only for the organization itself, but also for the insurance companies that have chosen to provide the company with insurance against cyber risk. In-house methodologies are usually used for pricing the information system. These are methods developed by specific companies whose application is designed exclusively for that organization. These methodologies are usually a combination of existing tools and procedures that can provide relevant data on the information system, for example COBIT metrics combined with the NIST Cybersecurity Framework, which was developed in the USA for assessing critical infrastructure in terms of cyber security.
In conclusion, I can say that the insurance of information systems against cyber risk is a trend that has become an increasingly important field due to increasingly frequent cyber attacks. My previous research shows that most companies and institutions focus more on prevention than on dealing with the consequences and harm arising from realized risks. On the one hand, it is good that prevention is considered one of the main pillars for avoiding undesirable situations associated with the organization's information system. On the other hand, it is also necessary to reckon with the fact that prevention can be inadequate and the information system and the information stored in it can be compromised. This area can be effectively addressed with cyber risk insurance, through which the organization can bridge the gap between the crisis caused by the disruption of information system operations and the restoration of the balance that makes the information system stable and secure again [14,15].
The current methods for determining the optimum level of insurance coverage are based on pure actuarial mathematics [9,10] and do not take information technology or security into account. As a result, the amount of insurance cover determined cannot reflect all the interactions and influences that should enter into the calculation of insurance for the organization. In practice, this shows up as an insufficiently set insurance limit [8,17]. If research in this field is to continue, it should focus precisely on incorporating IT and security into the process of calculating the optimal insurance for each organization.