Research

Cyber insurance


I have worked on diverse problems concerning cyber insurance, in particular, mechanisms to address some of the barriers that prevent the adoption of cyber insurance. Cyber insurance is a mechanism with two critical roles in cybersecurity. The first is to manage the risk of cyber incidents, e.g., to absorb losses and to provide expertise to recover from incidents. The second consists of creating incentives to invest in cyber protections (firms that make an effort to reduce their cyber risk may pay lower premiums). These are crucial elements to deal with the increased frequency and sophistication of cyber attacks; however, cyber insurance markets have not developed as expected. Insurers face challenges in achieving these goals, in part because it is difficult to assess cyber risks (data about cyber incidents is scarce and cyber threats evolve over time). The following is a summary of my projects in this field.


Cyber risks originate from both accidents and intentional actions

Analyse regulations on data sharing for insurers

A proposal to address data scarcity consists of enforcing data sharing among insurers. This is a desirable outcome, because each insurer may make better risk estimations (and with a well-developed cyber insurance market, society may be better protected). However, we find that such policies can lead to undesirable outcomes. Concretely, insurers may become free riders, that is, they may make less effort gathering data (e.g., conducting security assessments).

Investigate strategies for learning risks

Insurers often have insufficient data to assess cyber risks, but the cyber insurance market is still very attractive. Successful insurers must balance the exposure to cyber threats against the potential gains (profit, and data to estimate risks) that result from offering coverage. We study strategies that insurers can use to learn risks when data can be acquired either by offering policies or by conducting security assessments.

Study the impact of software diversity in cyber insurance

One of the main barriers to covering cyber risks is the possibility of aggregate risk, which occurs when a single incident raises multiple claims simultaneously. This is concerning because an insurer may lack the capacity to pay the losses arising from a widespread cyber attack. Unlike other risks, this correlation of claims can be reduced for some cyber risks. Concretely, we study how some security practices, like software diversity, can facilitate the coverage of cyber risks by reducing the correlation between successful cyber attacks.
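The aggregate-risk argument above can be made concrete with a small portfolio model. The following is an added illustration written for this page, not code from the projects described; it assumes a simplified threat model in which an exploitable incident hits each software platform independently with probability p and, when it does, every insured firm on that platform files one claim of equal size. Under that assumption, spreading the same firms over several platforms leaves the expected number of claims unchanged but sharply lowers the probability that claims exceed the insurer's capacity.

```python
def claim_distribution(platform_sizes, p):
    """Exact distribution of the number of simultaneous claims.

    platform_sizes: number of insured firms running each platform.
    p: probability (per period) that a platform suffers an incident that
       compromises every firm on it (assumption of this toy model).
    Platforms are independent, so the distribution is a convolution of
    one two-point variable (0 or size_j claims) per platform.
    """
    dist = {0: 1.0}
    for size in platform_sizes:
        nxt = {}
        for claims, prob in dist.items():
            nxt[claims] = nxt.get(claims, 0.0) + prob * (1.0 - p)
            nxt[claims + size] = nxt.get(claims + size, 0.0) + prob * p
        dist = nxt
    return dist


def expected_claims(dist):
    return sum(k * pr for k, pr in dist.items())


def insolvency_probability(dist, capacity_claims):
    """Probability that more claims arrive at once than the insurer can pay."""
    return sum(pr for k, pr in dist.items() if k > capacity_claims)


def split_firms(n_firms, n_platforms):
    """Assign firms as evenly as possible across n_platforms."""
    base, extra = divmod(n_firms, n_platforms)
    return [base + (1 if i < extra else 0) for i in range(n_platforms)]


def compare_portfolios(n_firms, n_platforms, p, capacity_claims):
    """Monoculture (all firms on one platform) vs. diversified portfolio."""
    mono = claim_distribution([n_firms], p)
    diverse = claim_distribution(split_firms(n_firms, n_platforms), p)
    return {
        "expected_mono": expected_claims(mono),
        "expected_diverse": expected_claims(diverse),
        "insolvency_mono": insolvency_probability(mono, capacity_claims),
        "insolvency_diverse": insolvency_probability(diverse, capacity_claims),
    }


if __name__ == "__main__":
    # Constructed parameters: 10 insured firms, 5 platforms, p = 0.1,
    # and capacity to pay at most 4 claims in one period.
    print(compare_portfolios(10, 5, 0.1, 4))
```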

Selected publications

  1. C. Barreto, A. A. Cardenas, and G. Schwartz, “Cyber-insurance for cyber-physical systems”, in 2018 IEEE Conference on Control Technology and Applications (CCTA) (Aug. 2018), pp. 1704–1711.

  2. C. Barreto, G. Schwartz, and A. A. Cardenas, “Cyber-risk: cyber-physical systems versus information technology systems”, in Safety, security and privacy for cyber-physical systems (Springer International Publishing, Cham, 2021), pp. 319–345.

  3. C. Barreto, G. Schwartz, and A. A. Cardenas, “Cyber-insurance”, in Safety, security and privacy for cyber-physical systems (Springer International Publishing, Cham, 2021), pp. 347–375.

  4. C. Barreto, O. Reinert, T. Wiesinger, and U. Franke, “Duopoly insurers’ incentives for data quality under a mandatory cyber data sharing regime”, Computers & Security 131, 103292 (2023).