Risks associated with information technology systems present a complex modelling challenge, combining the disciplines of operations management, security, and economics. The challenge is to establish a representation of an organization's operational and systems architecture that allows an assessment of the security postures of its various components, which in turn can support an assessment of its insurance risk. This work proposes a socioeconomic model for cyber-insurance decisions composed of entity relationship diagrams, security maturity models, and economic models, thereby linking systems-type and economic approaches to cyber-security assessments. The concept of a cyber-loss-adjuster is introduced, who reconciles cyber-incidents with economic losses. The work aims to bridge a number of disciplines to partly address a longstanding research challenge of accounting for organizational structure in the design and pricing of cyber-insurance. It is important to note the following: insurance companies have long experience of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. The contribution of the methodology proposed here is to provide a framework for calculating the effects of cyber-based risk on the frequency and magnitude of losses. This is achieved through a security analysis of the relationship between the operational structure of an organization and its information systems. It also provides a consistent means for those seeking insurance to describe and understand their security posture, and for an insurance company to price its offer of coverage.