Effects of policy interventions

The previous section presented various factors impacting the cyber insurance adoption process. In this section, we discuss an Agent-Based Model (ABM) (van Dam et al., 2013) to simulate the effects of different types of policy interventions on overall risk. In agent-based modelling, system-level effects are studied based on simulating the behaviour of individual agents and their interactions.

Figure 2.5: Simplified ecosystem for the Agent-Based Model (Sewnandan, 2018)

Study design

In order to keep the complexity of the model manageable, we used a simplified version of the cyber insurance ecosystem depicted in Figure 2.1 and its actors (i.e. the agents) as the basis for the model. This simplified ecosystem is shown in Figure 2.5 (Sewnandan, 2018).

For the agents in the simplified ecosystem, behavioural rules and parameters were defined as detailed in Sewnandan (2018) and the associated flow diagram is shown in Figure 2.6. At each “tick” of the model, representing a month in real time, agents observe their environment and execute actions. Security strength influences the risk of being attacked. Organisations conduct cyber risk management (right box), including making decisions about purchasing insurance and/or investing in improved security. Organisations also update their status (left box), including recovery from attacks and paying insurance premiums. Attackers can attack organisations (middle box), after which organisations can make insurance claims. Individual security strengths are updated through (a) effectiveness reduction over time, and (b) new security investments.

The ABM was implemented in NetLogo (Tisue and Wilensky, 2004), with an interface as shown in Figure 2.7. Sewnandan (2018) provides details on the parameters and the results of a sensitivity analysis, which examines how the uncertainty in the output of a model or system can be attributed to different sources of uncertainty in the inputs.

The system-level variables we use to study the effects of policy interventions are:

  1. The average security level (on a scale from 0 to 1) in the ecosystem; and
  2. The global value loss in the ecosystem (total asset value lost in euros, representing the inverse of resilience).

Using the model above, we investigated the effects of the following cyber insurance policy options on the ecosystem as a whole:

  • Package options: the combination of the maximum amount in damages covered by the insurance and the insurance premium;
  • Contract length: the duration of the insurance contract (6, 12, or 24 months);
  • Risk selection: demanding improved cybersecurity levels, or increasing the premium for clients when an insurer believes their cybersecurity levels need improvement;
  • Incentivisation: lowering the premium for clients with high cybersecurity levels;
  • Upfront risk assessment: requiring a potential client to perform a certain type of risk assessment first[1] [2];
  • Sharing cybersecurity information: providing clients with information on security controls, threats, etc. to help enhance their cybersecurity;
  • Requiring organisations to maintain their cybersecurity levels: demanding that their initial cybersecurity levels are maintained to retain coverage.

We ran simulations for an ecosystem consisting of 125 organisations.
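The tick loop described in the study design can be sketched as follows. This is an added Python example, not Sewnandan's NetLogo model: every rate, probability and the `min_security` threshold used for risk selection are constructed assumptions, chosen only to show how the two system-level variables and the number of insured organisations fall out of the per-agent rules.

```python
import random
from dataclasses import dataclass

@dataclass
class Org:
    security: float          # security strength on a 0..1 scale
    assets: float            # asset value in euros
    insured_until: int = -1  # last tick covered by the current contract

def simulate(n_orgs=125, ticks=120, contract_len=12, min_security=0.0,
             coverage=0.5, seed=1):
    """Return (average security, global value loss in euros, insured orgs)."""
    rng = random.Random(seed)  # local RNG so runs are reproducible
    orgs = [Org(rng.uniform(0.2, 0.9), rng.uniform(1e5, 1e6))
            for _ in range(n_orgs)]
    global_loss = 0.0
    for tick in range(ticks):  # one tick represents one month
        for o in orgs:
            insured = tick <= o.insured_until
            # Status update: pay the monthly premium while covered.
            if insured:
                o.assets -= 0.002 * o.assets
            # (a) control effectiveness decays over time.
            o.security = max(0.0, o.security - 0.01)
            # (b) new security investment; insured orgs invest less often
            # (constructed moral-hazard assumption).
            if rng.random() < (0.05 if insured else 0.10):
                o.security = min(1.0, o.security + 0.15)
            # Risk selection: the insurer only sells above min_security.
            if not insured and o.security >= min_security and rng.random() < 0.3:
                o.insured_until = tick + contract_len - 1
            # Attack: success probability falls as security strength rises.
            if rng.random() < 0.05 * (1.0 - o.security):
                damage = 0.1 * o.assets
                if tick <= o.insured_until:
                    damage *= 1.0 - coverage  # claim pays out the covered share
                o.assets -= damage
                global_loss += damage
    avg_security = sum(o.security for o in orgs) / n_orgs
    insured_count = sum(o.insured_until >= ticks - 1 for o in orgs)
    return avg_security, global_loss, insured_count

if __name__ == "__main__":
    for label, threshold in (("baseline", 0.0), ("risk selection", 0.6)):
        sec, loss, n = simulate(min_security=threshold)
        print(f"{label:15s} avg security={sec:.2f} loss={loss:,.0f} EUR insured={n}")
```

Changing `contract_len` to 6, 12 or 24 and varying `min_security` gives a rough feel for how the contract length and risk selection options interact with adoption in this toy setting.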

We also conducted a synergy experiment, which involves determining whether two or more discrete policy options can have a combined effect that is greater than the sum of the effects of each on their own. In essence, the question is whether the whole is greater than the sum of its parts. In the experiment, we investigated the effects of combining the options risk selection, incentivisation, and sharing cybersecurity control information.

Findings

We measured the effect of the different policy options on (a) the average security level in the ecosystem, (b) the global value loss in the ecosystem (i.e. the total asset value lost, or the inverse of resilience), and (c) the percentage of insured organisations, under the model assumptions and parameter settings.

We observed that the effects of the different policy options on the average security level in the ecosystem are relatively small, with the synergy experiment providing the best results. For all policy options, the average security level was in the range of 0.54 to 0.58.

In terms of the impact on global value loss, the effects are small as well. In this case, the effect of the synergy experiment is somewhere in the middle compared to individual policy options. This suggests that although the combination of policy options improves overall security, it does not necessarily improve resilience, in the sense of reducing the global value loss. This could be because high-risk organisations might not purchase cyber insurance when the risk selection and incentivisation policy options are implemented, due to not being able to purchase it at an acceptable price.

Also, the synergy experiment results in a relatively low percentage of insured organisations (less than 40 out of 125 organisations, or 32%). This is because the combined policy options make cyber insurance less attractive for some (high risk) organisations, thereby reducing adoption but improving ecosystem-level security. The detailed overview of the results is available in Sewnandan (2018).

Figure 2.6: Flow diagram of the Agent-Based Model (Sewnandan, 2018)

Figure 2.7: Interface of the Agent-Based Model in NetLogo (Sewnandan, 2018)

Discussion

Overall, we found that various individual insurance policy options had positive but rather small effects. The combination of several policy options into a synergetic design provided results with more observable effects at the ecosystem level.

More specifically, the following conclusions can be drawn from the Agent-Based Model and its results described above:

  1. Under the assumptions in this experiment, the overall effect of individual policy options on the average security level and on resilience (as measured by global value loss) at the ecosystem level is small.
  2. Combining different policy options results in a modest increase in the average security level but does not necessarily improve resilience, because high-risk organisations may be discouraged from purchasing insurance.
  3. Cyber insurance policy interventions can only have a large effect on the ecosystem in case of widespread adoption under the baseline condition. Some policy measures will actually be effective precisely because they reduce the number of insured organisations. For example, this might be by employing risk selection to avoid moral hazard (i.e. the risk that an insured company will engage in riskier behaviour because they have insurance).

As in any agent-based modelling exercise, assumptions had to be made regarding behavioural structures of the agents as well as model parameters. The model has been run with different variations of the parameters, and the insights above seem relatively robust. Nevertheless, further studies can investigate the effects of different assumptions on the ecosystem.

In terms of policy recommendations, we can derive that (a) policymakers should be aware that, depending on the circumstances, their key role may be in preventing negative impacts of cyber insurance rather than stimulating positive ones; and (b) policy measures that improve resilience may weaken overall security, because increasing the number of insured organisations may worsen the moral hazard problem. This trade-off is a key factor in decision-making.

Conclusions

In this chapter, we have presented the cyber insurance ecosystem. In Section 2.1, we discussed the different types of actors involved in the ecosystem and the relationships between them. In Section 2.2, we reviewed the cyber insurance adoption process in different types of companies. We also discussed the decision-making problems that companies, insurers, and insurance brokers may encounter in regard to cybersecurity risk management, as well as the factors influencing companies’ decisions to purchase cyber insurance. Section 2.3 used agent-based modelling to simulate the effects of various policy intervention options on the overall risk in the ecosystem. These results shed light on the complexity of the system, the factors influencing the behaviour of some of the actors, and the effect of policy interventions on actor behaviour under certain assumptions. Further studies can enrich the findings by investigating the effects of different assumptions on the ecosystem and/or examining the behaviour of other actors to capture more of the complexity in simulations.

  • [1] In practice this would be among companies that already have reasonable cybersecurity levels, as insurers will not insure companies that have poor or low security levels. Insurers decline many risks based on a company having poor or low cybersecurity levels. The threshold will depend on each insurer's individual risk tolerance.
  • [2] At present, many insurers only assess a potential client’s risk based on the client’s application form.
 