Abstract

This paper presents analytical models for optimizing a firm’s cybersecurity spending and cyber insurance based on the effectiveness of spending in reducing cyber threats, vulnerability and impact, respectively. At the macro level, the paper shows how private-sector contribution toward countering cybercrimes can reduce the overall cyber loss and create economic value. At the micro level, a firm’s effectiveness of security spending can be high in addressing specific cyber threats, but can be reduced when other co-dependent security measures are not put in place. The paper derives an optimal mix of cybersecurity investments in “knowledge and expertise” versus “deploying mitigation measures”. The paper proposes customizing cyber insurance for firms with itemized threat-specific coverage, with a portion of the premium used to train clients with risk knowledge and nudge clients toward risk mitigation services. Small and Mid-Sized Enterprises stand to benefit the most from such innovative cyber insurance.
