EAGER: Theory and Practice of Risk-Informed Cyber Insurance Policies: Risk Dependency, Risk Aggregation, and Active Threat Landscape

Project Details

Lead PI

Performance Period

Oct 01, 2019 - Sep 30, 2021

Institution(s)

University of Michigan Ann Arbor

Sponsor(s)

National Science Foundation

Award Number


This project aims to tackle some of the most significant challenges facing the design and adoption of risk-informed cyber insurance policies; these challenges include cyber risk interdependence, correlated risk and value-at-risk, and a fast-changing threat landscape. The research has the potential to bring about a paradigm shift in the design of cyber insurance policies so that they are used as effective economic and incentive mechanisms consistent with cyber risk realities; in doing so it also introduces new ways of thinking about cybersecurity in a holistic, risk management context. Consequently, the research has a direct impact on the current practice by cyber insurance carriers and thus the potential to dramatically change the status quo. It has broader impacts on public policy and incentive mechanism design aimed at encouraging the adoption of better cybersecurity frameworks.

The research agenda focuses on challenges including risk interdependence, correlated risk and value-at-risk, and a fast-changing threat landscape, and is organized into four thrust areas. The first is on risk-informed insurance policies, and is focused on establishing a solid theoretical foundation for a new family of cyber insurance policies by using contract theory and the modeling of dependent risks. The second is on the modeling of correlated risk and risk aggregation, aimed at quantifying the aggregated risk of a portfolio of insurance policies by using the notion of conditional value-at-risk (CVaR) developed in the financial engineering field. The third is on the development of a set of stress test benchmarks, with the goal of standardizing how insurance policies should be evaluated in terms of their risk exposure. The fourth is on technology transition and adoption efforts, which include the education of insurance practitioners, building partnerships, and identifying early adopters of our methods as pilots. The research has the potential to bring about a paradigm shift in the design of cyber insurance policies so that they are used as effective economic and incentive mechanisms matched with cyber risk realities, and to introduce new ways of thinking about cybersecurity in a holistic, risk management context.