Nowadays, organisations consider cyber security risk to be one of their critical risks. Due to the increase in cyber-related attacks and more advanced technologies, organisations are forced to implement proper cyber risk management and find the optimal distribution of security expenditure for treating those risks. About twenty years ago, cyber insurance was introduced as one of the risk treatment methods backing up security controls. The concept is further benefiting both organisations and the market, where insurers globally expect $20 billion in 2025 [1]. On the other hand, cyber insurance has been dealing with several hurdles on the way to maturity. One of the problematic challenges is the relation between cyber insurance and security investments (or controls). Several papers have analysed this issue theoretically: some highlighted that cyber insurance could be an incentive for security investments, while others claim that it may lead to a fall in investments for self-protection. Since everything lies in a densely interconnected and risk-prone cyber environment, various factors influence the relation, and their effects should be thoroughly investigated. The overall goal of the thesis is to analyse the problems lying in the risk treatment phase and propose an applicable solution to deal with them. In particular, we would like to take into account the following factors to address the relation between cyber insurance and security investments. We first analyse different market models to study possible ways to keep both cyber insurance and security investments in both competitive and non-competitive insurance markets. Some studies showed that security investments fall in the non-competitive insurance market. In this regard, we would like to investigate the possibility of raising security investments by optimising the loading factor, an additional fee added to the premium.
In practice, organisations do not face a single threat but multiple threats during a certain period. To the best of our knowledge, there is no study considering multiple threats in the cyber insurance field to analyse how security investments can be varied. Thus, we investigate the multiple-threats case in a competitive cyber insurance market and find how security expenditure can be efficiently distributed between the insurance premium and security investments/controls. The analysis allows us to map security controls and cyber insurance cost-effectively. We provide both theoretical and algorithmic solutions to deal with the problem and validate the solutions in both artificial and practical cases. For a practical scenario, we develop a questionnaire-based risk assessment tool to feed our risk treatment solution with the necessary empirical data. In both insurance markets, the degree of security interdependence is a unique peculiarity that affects the behaviour of organisations in investing in their self-protection and having cyber insurance. We theoretically analyse the effect of security interdependence in both market models and show whether its effect is positive or negative.

Relation between cyber insurance and security investments/controls / Uuganbayar, Ganbayar. - (2021 Apr 26), pp. 1-132. [10.15168/11572_301551]

Relation between cyber insurance and security investments/controls.

Uuganbayar, Ganbayar
2021-04-26

26-apr-2021
XXXIII
2019-2020
Informatica e Telecomunicazioni (cess.31/12/07)
Information and Communication Technology
Massacci, Fabio
Fabio Martinelli, Artsiom Yautsiukhin
no
English
Files in this item:
File Size Format
PhD-Thesis_Ganbayar_Uuganbayar.pdf

open access

Description: PhD Thesis
Type: Doctoral Thesis
License: All rights reserved
Size 1.48 MB
Format Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/301551