DECSUP-12332; No of Pages 16 Decision Support Systems xxx (2013) xxx–xxx Contents lists available at SciVerse ScienceDirect Decision Support Systems journal homepage: www.elsevier.com/locate/dss Cyber-risk decision models: To insure IT or not?☆ Arunabha Mukhopadhyay a,⁎, Samir Chatterjee b, Debashis Saha c, Ambuj Mahanti c, Samir K. Sadhukhan c a b c Indian Institute of Management Lucknow, India Claremont Graduate University, United States Indian Institute of Management Calcutta, India a r t i c l e i n f o Article history: Received 17 April 2011 Received in revised form 20 November 2012 Accepted 23 April 2013 Available online xxxx Keywords: Security breach Cyber-risk Cyber-insurance Copula Bayesian Belief Network Premium Utility models a b s t r a c t Security breaches adversely impact profit margins, market capitalization and brand image of an organization. Global organizations resort to the use of technological devices to reduce the frequency of a security breach. To minimize the impact of financial losses from security breaches, we advocate the use of cyber-insurance products. This paper proposes models to help firms decide on the utility of cyber-insurance products and to what extent they can use them. In this paper, we propose a Copula-aided Bayesian Belief Network (CBBN) for cybervulnerability assessment (C-VA), and expected loss computation. Taking these as an input and using the concepts of collective risk modeling theory, we also compute the premium that a cyber risk insurer can charge to indemnify cyber losses. Further, to assist cyber risk insurers and to effectively design products, we propose a utility based preferential pricing (UBPP) model. UBPP takes into account risk profiles and wealth of the prospective insured firm before proposing the premium. © 2013 Elsevier B.V. All rights reserved. 1. Introduction Organizations invest millions of dollars on perimeter security applications such as firewalls, anti-virus and intrusion detection systems to minimize security breaches from attack such as hacking, phishing, and spamming [41,58]. Nonetheless, a new virus or a clever hacker can easily compromise these detection systems, resulting in millions of dollar losses annually. Organizations also use digital signature and encryption to ensure confidentiality (C) and integrity (I) of their transferred data. Yet, eavesdropping and man-in-the middle (M-n-M) attacks are common. Use of stringent technology policies is enforced [5,30–33,41] by organizations to authenticate and authorize individuals to access data. Organizations also plan to ensure availability (A) of online resources for customers and employees 24 × 7/365 days. This helps promote ecommerce activities and in turn leads to growth of the top lines for the organizations. C–I–A triad forms the backbone of an organization's security framework. ☆ Our previous version accepted in conferences: ⁎ Corresponding author at: Indian Institute of Management Lucknow, Prabandh Nagar, Off Sitapur Road, Lucknow-226013, Uttar Pradesh, India. Tel.: +91 522 2736 646. E-mail addresses: arunabha@iiml.ac.in, mukhopadhyay.arunabha@gmail.com (A. Mukhopadhyay). Cyber-risk is defined as the risk involved with a malicious electronic event that causes disruption of business and monetary loss [17,80,83]. For example, hackers and disgruntled employees exploit both the security and application level vulnerabilities and can break into organizational databases and gather confidential customer information (such as credit card pin numbers). In 2012, a hacker group, Anonymous, had also tried a cyber extortion attack of $50,000 on Symantec software and also declared its malicious plans to disrupt the power supply system in the USA through a cyber attack on the power grid in the near future [42]. Cyber-risk disasters have a direct impact on the bottom line of an organization, in terms of loss of opportunity cost. The organization's brand equity and market capitalization too are adversely impacted by these risks [70,73,79]. Cyber-insurance products are a viable complementary method for a firm, after investing in perimeter and core security appliances, to cope with security breaches in e-commerce [12–14,67,68,71,79,82,107]. Cyber-insurance is outsourcing of low frequency, high impact risk. It helps to reduce the financial losses of e-business organizations, by payment of the premium to a cyber risk insurer. An insurance company would cover cyber-risk because (i) the probability of the event(s), i.e., breakdown of network, Distributed Denial of Service (DDoS) or a virus attack is relatively small; (ii) a large number of similar risks are available for pooling and for reduction in the variance of experience; (iii) any loss involved is financially large and organizations have substantial “insurable interests” to reduce, (iv) the risks/losses of network 0167-9236/$ – see front matter © 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.dss.2013.04.004 Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 2 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx failure or DDoS are different from that of any other type of general insurance product (i.e., Property, Liability, Financial loss, Fixed Benefit) [85]; (v) the insurer can accept such a risk as it is quantifiable and also an upper limit of possible liability can be fixed; (vi) the insurer can assume that moral hazard would mostly be absent. A cyber security breach insured firm is differentiated from its competitors in terms of its information security management system (ISMS). This works to the company's advantage as it is more secure with respect to its competitors. This in turn helps in creating a sense of trust in the minds of its customers and suppliers. This helps to increase top lines of the firm. Thus ISMS helps and serves as strategic positioning for the firm. Subsequently, the growth of ecommerce helps to reduce operational expenses too and this provides a greater economic value for the organization [33,40,41,47,57,58]. This makes a strong case for a firm to insure its cyber risk to minimize its uncertain losses. The novel contribution of this paper is twofold, first we develop a Copula based Bayesian Belief Network (CBBN) model for assessing and quantifying the cyber-risk of an online business organization. The CBBN model outputs the (i) cyber-risk vulnerability assessment (C-VA) report indicating the probable source of vulnerability/security breach, (ii) the loss expectancy report arising for the security breach, and (iii) premium value to be charged by the insurer based on collective risk model. This study is of prime importance to the CTO as they can spot the vulnerabilities in the corporate network, for the business manager to understand the financial implication arising due to the security breach, and for the CFO to decide on insuring IT assets against cyber risk. The inputs to CBBN are a directed acyclic graph (DAG) illustrating the factors (i.e., technological and business) that lead to a security breach, the log data of IT security appliances, type of organization, IT security budgets, financials and a correlation matrix for the DAG [70,73]. Second, we develop a utility based preferential pricing (UBPP) model for cyber-insurance products. The UBPP is integral to the e-risk insurer as it computes the premium to be paid by each insured firm based on the loss expectancy computed by CBBN, risk profile (i.e., averse, neutral and seeker) and financials. The UBPP model will help cyber-insurers design differentiated cyber-insurance products for a competitive advantage. Our paper is the first attempt to provide a decision model that aids both the insurer and insured in effectively deciding on cyber insurance products as a mitigation tool against cyber disasters. Mukhopadhyay et al. [70] explored the viability of cyber insurance as a complementary tool to minimize the loss arising from a security breach. They computed gross premium for some scenarios. Mukhopadhyay et al. [68,70] demonstrated the use of cyber insurance as a tool to mitigate cyber risk. They also demonstrated how e-risk could be divided in a beneficial manner to assist multiple insurers. In doing so, Mukhopadhyay et al. proposed a Copula based model for computing e-risk [70]. This paper is different from other papers as it takes into account correlated cyber risk [12–15,20,79,80], and we have (i) restricted our study to the firm level cyber risk and (ii) used the concepts of copula to model correlated risks associated with for cyber security breach. Copula is suited for this study as we wish to capture the interdependent risks for modeling the expected loss associated with an online attack. We have used the process approach [61,93] to generate a directed acyclic graph (DAG) that illustrates the probable reasons (i.e., technological and business) for IT security breach in an organization. This forms the basis of our proposed CBBN model. Our paper is different from Herath and Herath [46], as we have used Gaussian Copula to model correlated risk as opposed to Archimedean Copulas (i.e., Clayton and Gumbel Copulas) used by them. Based on data collection and expert opinion, we have modeled each node of the causal diagram as normal distribution and aggregated the data using the Gaussian Copula. We also use, for the first time, the UBPP model to customize the premium structure, which helps in customization of the product. It would make good business sense for an insurer to provide customized products to attract the cyber insurance customers. This paper has eight sections. Section 2 outlines the related literature. Section 3 discusses our cyber-risk vulnerability assessment (C-VA) model development, the reasons for choice of the constructs and the mathematical formulation of the problem. In Section 4, we introduce the basics of Bayesian Belief Networks (BBN) and Copula and explain how they have been used in our C-VA model. This section also has the C-VA and cyber-risk quantification algorithm. Section 5, has the methodology for the premium computation using collective risk modeling concepts. Real-life scenarios of vulnerability assessment, premium computation, and cyber-insurance product design are also evaluated in this section. Sensitivity analysis of our C-VA model is also carried out here. Section 6 discusses our proposed utility based preferential pricing (UBPP) utility model for premium computation for risk neutral, risk averse and constant risk averse firms seeking cyber insurance. Section 7 lists our contributions in this paper, vis-à-vis the related work in IT risk and cyber-insurance domain. Section 8 concludes the paper. 2. Literature review In this section we review related work on (i) process approaches used to model and quantify IT/operational risk [3,6,10,19,25,35,50,54,60,70,73,77,81,89,93] and (ii) models to mitigate correlated risk using cyber insurance [11,13,14,79,80,89,107]. 2.1. Process approach for quantifying operational risk The process approach focuses on the chain of activities that comprise an operation or transaction to find out the exact risk for each process [18,26,28,53,86,88,95]. 2.1.1. Process approach for quantifying operational risk Basel II defines operational risk (OR) as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. OR "includes legal risk, but excludes strategic and reputational risk” [102,103]. Systems failure is a source of OR and can lead to information security risks [10]. Basel II accord and Sarbanes–Oxley (SOX) mandate quantification of operational risk (OR) [27] and propose the use of process approach for the same [93]. Broadly, there are two process methods for quantifying operational risk (OR), such as (i) top–down and (ii) bottom–up [62]. Bottom–up method measures operational risk for each business line/unit and aggregates it for in an organization [24]. Weiß and Winkelmann have proposed a bottom–up approach the using semantic business process modeling language (SBPML) for conceptualizing operational risk for a bank [102,103]. Standardized Approach (SA) and Advanced Management Approach (AMA) are mostly used by bottom–up methods [24]. AMA proposes the use of (i) process approach, (ii) factor approach [45,101], and (iii) actuarial approach to quantify operational risk. 2.1.2. Process approach for quantifying IT risk The commonly used Process Approach techniques for IT risk assessment are: (i) causal networks, (ii) Bayesian Belief Networks (BBN) and (iii) fuzzy logic [93]. As early as 1988, the Inversion Model Expert System study noted that as systems shifted from manual to automation, the associated risks changed from external (i.e., sabotage and espionage) to internal (i.e., integrity and fraud) threats. In automated systems, the external attacks are more on the processes and the internal threats are directed to data. The output of this expert system was a set of recommendations of security safeguards against threats [6]. Lederman investigated the adverse impact to patient's health if an information systems failure occurred in a healthcare unit [63,64] using process modeling technique. Becker et al. and Strecker et al. used concepts of design science research Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 3 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Table 1 Summary of the key concepts used for modeling operational risk using BPM. Concepts Strecker et al. (2011) Weiß et al. (2011) Becker et al. (2009) and Frank et al. (2011) Salmela (2007) Lederman (2004, 2005) Kokolakis et al. (2000) Inversion Model (1988) Method Unit of research Organizational parameters Technological parameters Compliance MEMO – Y Y Y SBPML Bank Y Y Y Design science Bank Y Y Y Action Research Bank Y Y – BPM technique Health care Y Y – BPM approach – Y Y – Process model – – Y – methodology (DSRM) to propose a conceptual process modeling method for risk assessment [9,96]. Kokolakis et al. made a strong case for modeling IT risk by using the concepts of business process modeling (BPM). They opined that any of the commonly used business process modeling (BPM) techniques (such as IDEF, System dynamics, Process maps, Action Workflow, ARMA, Responsibilities analysis, Business transactions, HC Petri nets etc.) can be effectively used to propose security policies for an organization in terms of roles, activities, agents and their responsibilities [61]. Salmela uses the concepts of BPM and Action Research (AR) to modeled business loss for a Nordic bank due to non-availability of information required for making decisions by its credit card department [88]. Strecker et al. proposed a RiskM model using Multiple-Perspective Enterprise Modeling (MEMO) techniques for IT risk identification and analysis by taking into account risks encountered by the organizational hierarchy (i.e., IT operations, Business Process and Strategic Management units [36,96]). They assumed that interdependence exists between risk factors, IT assets and the environment [106]. They captured the concepts of correlated risk using the semantics, AND/OR. The inputs to the process model also included (i) organizational context, (ii) organizational levels, (iii) qualitative description for risk quantification [22], (iv) compliance to standards and regulations like COBIT, HIPAA and GLB [104] and (v) multiple phases from IT risk identification to risk analysis. Table 1 summarizes the key concepts used in literature to model operational risk using BPM. Causal networks is graphical relationship between the output and input variables for a given scenario/system. Bayesian Belief Network (BBN) [49,54] enables reasoning under uncertainty and combines the advantages of an intuitive visual representation with a sound mathematical basis of Bayesian probability. In 1988 Bayesian Decision Support System (BDSS) was developed by using statistical techniques to quantify IT risk [81]. The inputs to BDSS included (i) identification of the asset and impact in case of damage, (ii) mapping of threat to vulnerability, (iii) exposure distribution and the frequency of occurrence of the event. BDSS outputs (i) the risk distribution for each of the threats, (ii) the viability of the safeguards to be included for reducing vulnerability of the system and (iii) a technical analysis report providing detailed information of the security elements to be adopted [6,81]. Livermore Risk Analysis Methodology (LRAM) was developed in 1987 [43]. It featured the following (i) used Bayesian theory for analysis of security controls, (ii) computed the loss potential indicator (LPI), as the product of maximum potential loss (MPL) times the control failure probability. LPI was used to identify the threats that exceeded the organization's risk threshold, and (iii) cost–benefit ratio (CBR) was used to decide on the nature of controls to be implemented [43]. The main criticism of this model was that it lacked a holistic organizational view of controls [6]. Fuzzy logic is used when some of the inputs are vague, or have subjective judgments associated with them [60,77]. Smith and Eloff propose Risk Management in Health Care—using cognitive fuzzy techniques (RiMaHCoF) based on the business process model operational in a hospital. RiMaHCoF focuses on confidentiality of data. The study identified the critical patient route in a hospital and assigned risk values for each phase along a specific patient route [88,92]. In 1978, a fuzzy logic based model called Securtae [50] was developed. The inputs to this model included subjective/linguistic values for the triplet bvulnerable IT resources, threats, security features installed>. The output from Securtae was ratings for security elements [6,47,50]. Table 2 summarizes the key concepts used in literature to model IT risk using business process approach. 2.2. Cyber risk insurance and actuarial approach Cyber risk can be broadly classified into (i) concepts of risk transfer & market dynamics, (ii) pricing of products and (iii) legal implications of cyber-risk insurance. 2.2.1. Cyber risk transfer Majuca et al. [67] traced the evolution of cyber insurance market. Böhme [16], computed premium, using the utility theory, for both independent and correlated risk scenarios respectively, assuming dominant and alternative platforms [15]. Bohme and Schwartz [14] proposed a framework for risk reallocation. Cyber-risk was dependent on network environment (nodes), which are controlled by agents, who extract utility from the network. Using this framework, Bohme and Schwartz [14] studied the existing models that have been proposed for modeling cyber-insurance [13]. Yurcik [107] observed that organizations may either (i) transfer their risk to an insurance company or (ii) assume the risk internally via self-insurance. They noted that the insurers face the following problems: (1) not enough data and audit procedures to quantify risk and loss potential; (2) a small market base to pool risk; (3) cyber attacks by terrorist; and (4) acceptability of insurance by technology companies. Cyber insurance, then, is a viable option if: (1) insurance companies take a proactive interest; (2) reduce insurance premiums; and (3) pressurize software companies to deliver “safe” products to the market demand or assume liabilities with valid warranties [107]. Shetty et al. [90] demonstrated that competitive cyber insurers in a market do not improve cyber security. 2.2.2. Pricing of cyber-insurance products Böhme and Kataria [13] proposed a two-tier approach for cyber-risk modeling. Technical, managerial and policy choices form a part of the two-tier model. Tier I addressed the correlation of cyber-risks within a firm (i.e. correlated failure of multiple systems on its internal network) Table 2 Summary of the key concepts used for modeling IT risk using process model. Key concept BDSS LRAM Securtae Classification of IS asset Mapping of threat to vulnerability Security controls & appliances Quantification of impact analysis Technique Level of risk acceptance capability Recommendations 1. Safeguards for reducing vulnerability 2. Ratings for security elements Y Y – Y Bayesian Y – Y Y Y Bayesian – Y – Y – Y – Y Y Fuzzy logic Fuzzy logic – – RiMaHCoF Y – – – – – – Y Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 4 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Table 3 Summary of the key concepts used in cyber risk insurance literature. Concepts Bohme et al. (2005, 2006, 2010) Ogut et al. (2005, 2010) Yurcik et al. (2005) Shetty et al. (2009) Kesan et al. (2005) Bolot and LeLarge (2008) Herath et al. (2011) Mukhopadhyay et al. (2006) Correlated risk Premium Legislation Organizational parameters Market Technique Recommends a. IT security b. Transfer risk Y Y – Y Y Utility theory Y Y Y – – Utility theory – – – – – – – – – – Y – Y – Y – Y – Y – – – – Y Y – – – Copula Y Y – Y – Copula Y Y Y Y Y Y – Y Y Y – Y – Y Y Y [12,15]. This influences the firm's decision to seek insurance. Tier II included the correlation in risk at a global level (i.e. correlation across independent firms in an insurer's portfolio) and this influenced the insurers' decisions about premium computation [11]. Ogut and Menon [79] concluded that the interdependency of cyber-risk leads firms to invest less than the socially optimal levels in IT security technologies and instead buy insurance coverage. Insurers are also not keen in absorbing large risks since the insured is investing less on security. As a consequence, the insurance premium is high [79]. Bolot and LeLarge [11] concluded that firms do not invest in self protection due to the presence of network effects and discriminatory insurance pricing by insurers. Herath and Herath [46] investigated cyber-insurance pricing from an actuarial approach using the Clayton and Gumbel Copulas. They adopted an empirical approach using Archimedean Copulas that is different from the process/utility based approaches used by Bohme [15], Böhme and Kataria [13], Mukhopadhyay et al. [70], Bolot and LeLarge [11], and Öğüt et al. [80]. 2.2.3. Cyber risk insurance and legislation Öğüt et al. [80] studied the impact of government intervention and public policy on correlated cyber security risk [80]. Kesan and Majuca [58] studied the cyber insurance industry, in terms of cyber liability legislation. They observed that a proper cyber insurance market will need (i) higher security investment, by firms and (ii) best practices to be followed by firms in terms of risk management and IT security. This will result in higher overall societal welfare [58]. Table 3 summarizes the key concepts used in cyber risk insurance literature. Review of related work on (i) IT risk and (ii) operational risk management shows that Strecker et al., Salmela, Becker et al., and Weiß and Winkelmann [9,88,96,102,103] have proposed various process models to identify, assess and quantify cyber-risk. The process approach is effective, as it can clearly model the processes that are operative in an organization. It is easy to find the points of failure from a causal model [93]. Review of cyber insurance literature shows that (i) transfer of cyber risk has been accepted as a complementary tool to minimize losses arising from IT security breaches, (ii) differential premium for organizations. In this context our paper too proposes to (i) quantify cyber risk associated with ecommerce transactions for a firm using our C-VA model and (ii) also to provide help to insurers in developing cyber insurance products using our UBPP model. 3. Our cyber-vulnerability assessment (C-VA) model for an organization Based on the literature survey our C-VA model assumes that a security failure in an organization may occur either due to (i) technological and/or (ii) business/organizational reasons. This is in contrast to most of the studies in IT risk assessment which have been focused primarily on IT assets, threats and vulnerability [84] alone. Few studies have also taken into account strategy and business parameters along with technical security appliances [65] to model security failure. 3.1. Technological approach We also take into account principles of (a) ISMS as documented by BS7799 1 [16], (b) COBIT 2 [23], and (c) Telecommunications Network Management (TNM) principles, i.e., FCAPS, 3 [66], to formulate our C-VA model as illustrated in Fig. 1. Our C-VA model also takes into account that cyber-risks are correlated [20,30,31,96]. The technological approach is aimed at ensuring that the C–I–A triad is implemented effectively in an organization. 3.1.1. Access control using perimeter security elements To ensure that users, services and applications have the required rights to access online data and to deter malicious intruders and to ensure C–I–A, keeping in line with FCAPS, BS7799 and COBIT framework [4], organizations deploy (i) application level, (ii) host level and (iii) network level. Yet a smart hacker may simultaneously expose multiple vulnerabilities in the perimeter security elements to compromise [38] a system, through probe packet or DDoS attack. The commonly used security technologies by organizations are: (i) packet filtering or proxy firewalls placed at the perimeter to prevent unauthorized packets leaving or entering the militarized zone (MZ). Host level firewalls are also deployed to prevent data flow from specific hosts; (ii) network based IDS placed after the firewall and before the internal network of an organization, either use signature based or statistical anomaly based techniques to detect and prevent malicious intruders from compromising data; (iii) anti-virus software scans the virus signature database to check if any malicious virus is attempting to break in and; (iv) Remote Authentication Dial in User Service (RADIUS) server is deployed to ensure that unauthorized users do not anonymously access remote information assets [100]. 3.1.2. Security policy Security policy consists of multiple policy statements which maps onto controls from BS7799/ISO 27000/COBIT. These controls are implemented by procedures [4]. The security policy of an organization, lays down the technology policy implementation rules for the perimeter security elements such as: (i) keeping ports open in the 1 (i) Security Policy, (ii) Organizational Security, (iii) Asset Classification, (iv) Personnel Security, (v) Physical Security, (vi) Communications and Operations Management, (vii) access control, (viii) System Development and Maintenance, (ix) Business Continuity Management and (x) Compliance. 2 IT controls to ensure IT Governance in an organization by ensuring proper (i) alignment of business requirements with IT, (ii) IT process, effectiveness and (iii) IT resource utilization. IT processes are broadly divided into 4 broad domains, 34 subprocesses and 236 control activities. 3 Focuses on five functional management issues in a network, namely Fault (F), Configuration (C), Accounting (A), Performance (P) and Security (S). Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 5 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Total Employee & Information Security Culture Partial Hourly Nature of monitoring Daily Weekly Frequency of update Security Policy Failure (SPF) Organization structure / type IT Security Budget PS IDS FW AV RS Security Elements Failure (SEF) Organizational Issues (OI) Security failure reporting Business Loss Fig. 1. Our C-VA model [IDS = Intrusion Detection System; PS = Proxy Server; FW = Firewall; AV = Anti-Virus; RS = RADIUS Server]. firewall, (ii) granting of user privileges and access control rights, and (iii) authenticating users correctly. 3.1.3. Monitoring and review BS7799 and COBIT 4.1 mandate the frequent monitoring and review of the information security controls implemented in an organization [51]. According to the Plan–Do–Control–Act-(PDCA) cycle followed by ISMS [23], it is of utmost importance that the security policies be reviewed and updated regularly. For instance, the type and number of ports left open in a firewall (FW) should be scanned daily. The signatures in the anti-virus engine (AV) and IDS need to be updated regularly. The authentication rules in the RADIUS server (RS) also need to be updated frequently. Monitoring of log files and audit trails of perimeter security elements is also of utmost importance, according to the FCAPS model [66]. The increased frequency of update (i.e., hourly, daily or weekly basis), and nature of monitoring/review (partial or total) increase the efficiency of the security policy [23]. 3.2. Socio-organizational issues Socio-organizations should be taken into account while modeling security, since the security solution is “not with technology, but with the organization itself” [33]. Along with people–process–technology (P–P–T), organization design/strategy plays a crucial role in determining the effectiveness of the information security policy in an organization. The organization structure interacts with the P–P–T triad and determines the (i) culture, (ii) IT Architecture and (iii) the governance structure of an organization [59]. 3.2.1. Organization structure/type The effectiveness of information security is dependent on the organization structure [29,33,48,65,88,96]. Depending on whether the IT security management team reports to the CIO directly or indirectly [55], the effectiveness of IT security may vary. Formalized technological models and approach such as Bell La Padula and Denning model, work well in hierarchical centralized organizations (such as military) as opposed to flat, networked organizations [29]. 3.2.2. IT security budget Investment in IT security is a strategic decision and judicious spending on it should be done based on cost–benefit analysis to ensure that the risks are mitigated adequately [41,55]. Gordon and Loeb [108] proposed a risk adjusted Net Present Value (NPV) method for budgeting of IT security resources. Kolkowska and Dhillon [62] opined that a clear understanding of power relationship in an organization is critical for proper implementation of information security policy and also compliance [62]. Investment in IT security in some organizations is thought as cost center and with no direct return on security investment (ROSI) [8,17,40]. 3.2.3. Employee & information security culture Employees are potential internal threat to information security implementation in organizations [98]. Niekerk and Solms [78] have modeled internal threat, using management and economic theories and concluded that an effective information security culture is required for effective implementation of security in an organization. It follows that protection of data is possible efficiently if employees and organization adhere to a stringent informational security culture [78]. Awareness among employees about security is one of the important parameters of information security culture. This ensures proper monitoring of perimeter security elements in an organization [96,98]. 3.3. Business loss due to security failure It is has been noted that a security failure in organization could lead to IT resources malfunctioning and this is in turn leads to business loss [29,33,38,47,70,88,105]. We summarize in Table 4 the variables used in our C-VA model and their support from literature. Fig. 1 illustrates our causal diagram for the C-VA model. 3.4. C-VA model: the mathematical formulation The directed acyclic graph (DAG), illustrated in Fig. 1, consists of 20 nodes or variables (i.e., X1, X2…, X20) and multiple arcs. The arcs indicate causal relationships between the variables. Each Xi (i.e., technological parameters) is a random variable and represents Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 6 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Table 4 Summary of the variables used and their sources. Variables of C-VA model ISMS frameworks Other security papers COBIT FCAPS BS7799 (A) Business loss Y – Y (B) Security failure reporting (C) Security element failure (SEF) (1). Security elements: (a) IDS (b) PS (c) FW (d) AV (e) RS (2). Security policy failure (SPF) (3). Frequency of update (4). Nature of monitoring (D) Organizational issues (OI) (i). IT security budget Y Y Y Y Y Y Y Y Y Y Y Y – – Y – – Y Y – – Y Y (ii). Employee & information security culture (iii). Organization structure/type an uncertain event and is depicted as a probability table/belief associated with it. The marginal data or prior probability is assimilated from log files present in perimeter security appliances. Each node, Xi (i.e., technological parameters), has 7 states each (very low, low, low-medium, medium, high-medium, high, very high). The organizational variables are discrete ordinal variables. Let the union of all nodes (i.e., U = {X1, X2, …, X20}) be described as the universe (U). If a security breach event (Ei) is observed with certainty, we then designate the parent node (i.e., causes) as SE (or evidence set) and the child nodes (i.e., effects) as SQ (or query set). The correlation (ρ) among the nodes, X1, X2, …, X20 is represented by the variance–covariance matrix, R. Interested readers may refer to [70] for details of the model construction and implementation. Our C-VA tool detects the weakest link based on the posterior probability computation done by Eq. (1). Find RankðEi Þ
 where; Ei ¼ P SQ SE Þ; for a given R matrix SQ ; SE are probablity densities f i ðxi Þ or cumulative distribution F i ðxi ÞÞ: ð1Þ Subject to : SE ; SQ ∈U; U ¼ fX 1 ; X 2 ::; X 20 g   0 ≤ ρ Xi ; Xj ≤1; when an arc exists between SQ and SE nodes   ρ Xi ; Xj ¼ 0; Otherwise For all practical purposes, it is assumed that the set of SQ or SE is disjoint. Example. A CTO observes a security breach in an organization due to a SEF failure and wishes to determine the point of vulnerability that caused it, as shown in Table 5. Gordon et al. (2009), Westerman et. al. (2007), Salmela (2007), Hinz (2005), Dhillon et al. (2001, 2006), Mukhopadhyay et al. (2006) Gordon et al. (2009) Venter et al. (2003), Dhillon et al. (2001) Barnard et al. (2000) – – Segecv et al. (1998), Dhillon (2006), Kiely (2006), Benzel (2006) Gordon and Loeb (2002), Baskerville and Portugal (2003), Cavusoglu et al. (2004), Johnson, Gordon et al. (2006), Goetz (2007), Kolkowska et al. (2012) Thomson et al. (2006), Neikerk et al. (2010), Strecker et al. (2011) Loch et al. (1992), Hitchings (1996), Armstrong (1999), Dhillon (2001, 2003), Dhillon et al. (2001), Dhillon et al. (2006), Salmela (2007), Johnson, Goetz (2007), Strecker et al. (2011) 4.1. Bayesian Belief Network (BBN) We chose to use BBN [54,94] as it enables reasoning under uncertainty and combine the advantages of an intuitive visual representation with a sound mathematical basis of Bayesian probability. We decided to start investigating the IT security breach study, as shown in Fig. 1, by using the belief values provided by experts about the parameter, θ, about any node Xi, and improving it as more information becomes available through experiments. Use of BBN is motivated by the fact that it has the ability to train itself based on observed data. BBN also can take into account dependence/correlation among the variables. The root node(s) of a DAG have marginal probability tables, while the child nodes have conditional probability tables associated with them. For computing the conditional probability for a given (SQ, SE) pair as shown in Eq. (1), we take into account the concept of independence [87] based on the DAG. The full joint probability of these n random variables is joint distribution; this is defined as a product of conditional probabilities for every node-parent combination as shown in Eq. (2).

 P SQ ∪SE P SQ j SE ¼ PðSE Þ n
 P SQ ∪SE ¼ ∏ PðXi jParentsðXi ÞÞ SQ ; SE ∈ U and U ¼ fX1 ; X2 ::; Xn g Note : SQ is equivalent to prior belief about a paramter; θ For example: Event Details 4. Methodology & data E1 In the following sub-sections we first discuss the basics of BBN, the advantages of using BBN for modeling cyber-security risk, and limitations. We then discuss the basics of Copula and use the same in our C-VA model. We also provide the C-VA algorithm here. In Section 4.7, we describe the data points used to validate our C-VA model. E2 Table 5 Vulnerability assessment. ð2Þ i¼1 P (Firewall = moderate|SEF = moderate) P (Antivirus = moderate|SEF = moderate) P(SQ|SE) =P(SEF|FW,AV) SPF) =P(SEF|FW,AV) SPF) * * * * P(FW|SPF) * P(AV| P(SPF) P(AV|SPF) * P(FW| P(SPF) There are two techniques such as (i) top–down (or causal inference) and (ii) bottom–up (or diagnostic) to solve Eq. (1). SQ comprises child nodes (i.e., effects) and SE represents parent nodes (i.e., causes); in turn this is called a causal or top down inference. In a diagnostic or bottom up inference technique, SQ comprises parent nodes (i.e., causes) and SE comprises child nodes (i.e., effects). Event Details SQ SE E1 P (Firewall = moderate| SEF = moderate) P (Antivirus = moderate| SEF = moderate) Firewall Techno failure 4.2. Limitations of BBN based C-VA model Antivirus Techno failure The main drawbacks of the BBN based C-VA are as follows. Firstly, specification of the conditional probability tables is time and space E2 Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 7 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Fig. 2 (continued). consuming. If the number of nodes or variables for a DAG is large, then the number of joint probability values to be enumerated would be exponentially large. For example, in case of the DAG shown in Fig. 1, there are 20 variables, each having 7 states, the size of the joint probability would be 20 7, or 1280 million. This would make probabilistic inference computationally very costly and time consuming. Secondly, the probability distribution associated to each node can only be a normal distribution. To overcome the above limitations we propose to use the concepts of Copula to make our C-VA model more robust. There are no restrictions on the choice of marginal distributions [70,73]. A brief introduction about Copula is discussed in the following section. 4.3. Concepts of Copula Copula is a function, which allows us to combine univariate distributions to obtain a joint distribution with a particular dependence structure. In our C-VA model as shown in Fig. 1, there are 20 random variables (RV) i.e., X1, X2, .…, X20. Each RV has a marginal cumulative distribution function (CDFs) such as F1(x1), F2(x2), …, F20(x20), respectively. We are interested to compute the joint cumulative distribution i.e., F(x1,x2, …, x20). According to Sklar's Theorem it follows a joint cumulative distribution (F), which can be written as a function of marginals, as shown in Eq. (3) [91]. Fðx1 ; x2 ; …………; x20 Þ ¼ C½F1 ðx1 Þ; F2 ðx2 Þ; ………:; F20 ðx20 ފ ð3Þ where C(u1,u2…………u20) is a joint distribution function with uniform marginals [21,75,76]. In our C-VA model each Fi is continuous, so the function C (i.e., Copula) is unique. Given that Fi and C are differentiable, the joint density f(x1, x2, …, x20) can be written as: f ð x1 ; x2 ; …; x20 Þ ¼ f 1 ðx1 Þ……:  f 20 ðx20 Þ Fig. 2. C-VA algorithm.  c½F1 ðx1 Þ; F2 ðx2 Þ; ………:; F20 ðx20 ފ ð4Þ where fi(xi) is the density corresponding to the cumulative distribution function Fi (xi) and c is the Copula density [21,75,76]. Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 8 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx From Eq. (4), it is clear that the Copula density (c) encodes information about dependence among Xis. Hence, c is called the dependence function. Thus, in short, in this case a Copula is a probability distribution on a 20 dimensional unit cube [0, 1] 20 for which every marginal distribution is uniform on the interval [0,1]. 4.3.1. Correlation measurement The correlation among the random variables of our C-VA model, is captured in pairs, using measures of dependence or association. Two common measures are Spearman (ρ) and Kendall (τ) correlation coefficients. The correlation matrix so obtained is termed R*. The final R* matrix is obtained by using the transformations rij = sin (Пτij / 2) and rij = sin (Пρij / 6), respectively, for Kendall and Spearman [21,75,76]. The correlation matrix (R*) is for our C-VA model obtained from the data and domain experts. Incorporating the R matrix and assuming a multivariate normal density ϕ (20)(y1,., y20|R*) Eq. (4) can be rewritten as follows [21]: ð20Þ
y1 ; :::::::::::; y20 jR ϕ  ¼ ϕ1 ðy1 Þ :::::::::::::::  ϕ20 ðy20 Þ    c ½Φðy Þ; :::::::::::Φy ÞR 20 ðn Þ  a 0.121 0.121 0.027 1 T yIy − 2  ¼   1 −1 T y  R −I  y 2 ð6Þ :  1=2 jR j b 0.200 0.121 0.121 0.027 0.027 Very High Very low Low Lowish medium Medium Highish medium High Very High 0.00 High 0.002 Highish medium 0.25 0.20 0.15 0.10 0.05 0.00 Medium 0.00 1 3 5 7 9 11 13 2 4 6 8 10 12 14 0.250 c 0.200 0.15 0.121 0.10 0.05 0.121 0.027 0.002 0.200 0.150 0.121 0.100 0.050 0.027 0.002 High Very High Very low Low Lowish medium Medium Highish medium High Very High 0.00 Highish medium 0.027 Medium 0.000 0.121 Lowish medium 0.00 d Low 0.027 0.200 Very low 0.00 Node 2(x) Node 4(p) Node 3(p) 0.20 − Details can be found in [21]. In summary it can be stated, as shown in Fig. 4, that the inputs needed for our C-VA are: (i) causal diagram; (ii) marginal distributions (such as Beta, Gamma, Poisson, Log-normal) for each node (iii) the correlation matrix (R), which describes the dependence among the marginal's; and (iv) choice of Copula function. The output is the vulnerability assessment table (Table 8). Node 1(x) 0.25  e Lowish medium 0.027 T y Low 0.002 1 e pffiffiffiffiffiffiffiffiffiffiffiffiffi20 2  20 Node 2(p) 0.200 1 yR 2 e pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 2  20  jR j Very low Node 1(p) 0.25 0.20 0.15 0.10 0.05 0.00  ϕ ðy1 ; :::::::::::; y20 jR Þ ϕ1 ðy1 Þ :::::::::::::::  ϕ20 ðy20 Þ c½Φðy1 Þ; :::::::::::Φy20 Þފ ¼ c½Φðy1 Þ; :::::::::::Φy20 Þފ ¼ Broadly speaking, there are two types of Copula, such as Gaussian and Archimedean (such as Clayton, Frank and Gumbel) [21,34,75,76]. In this study we have used Gaussian Copula aided C-VA for risk assessment and quantification since (i) there exists a linear correlation among the nodes of the DAG and (ii) based on expert opinion, we have arrived at the fact that for each individual IT risks follow a normal distribution. The Gaussian Copula aggregates multiple normal distributions for determining the vulnerability. Gumbel Copula is used to combine extreme distributions. Archimedean and t-copulas are used to combine distributions, which have dependence in the tail [21,34,75,76]. 20 here, Φ and ϕ denote univariate standard normal distribution respectively. We derive the Gaussian Copula formula for our C-VA model [21] as follows: − 4.4. Gaussian Copula based C-VA model 1 ð5Þ 3 5 7 9 11 13 15 4 6 8 10 12 14 16 Node 3(x) Node 4(x) Fig. 3. Prior belief. Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 9 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx 4.5. CBBN based C-VA algorithm Table 7 Correlation matrix (Rho). The algorithm is given in Fig. 2. It has 6 functions, as shown below: (i) (ii) (iii) (iv) (v) (vi) Node_cdf ( ), Node_pdf( ), Generate_correlation( ), Generate_ JDF( ), Generate_ Conditional( ), Frequency_of_failure( ). SPF SPF Firewall failure Anti-virus failure SEF Based on the DAG supplied by the user, the functions Node_cdf( ) and Node_pdf( ) populate the nodes. The inputs to the function are the number of nodes, the DAG and the mean and variance for each of the nodes. The output results in marginal probability density and distribution functions (i.e., pdf and cdf) for each of the nodes. Each continuous variable has 7 states (very low, low, low-medium, medium, high-medium, high, very high). The Generate_correlation( ) function takes the above populated nodes as input and generates the correlation matrix (R) from the nodes. The R matrix is modified using the DAG supplied by the user based on domain knowledge provided by experts. If there are no arcs between two nodes of the DAG, then the correlation for that pair is set to zero. The Generate_JDF( ) function takes the R matrix and the node distributions (pdf and cdf) and creates a joint distribution. Then, based on the requirement of the user, the marginal distributions are computed by the function Generate_Marginal( ). The inputs are the joint distribution function and the set of nodes for which the marginal distribution is needed. Frequency_of_failure( ) computes the probability of a security breach for a set of observed and evidence nodes. Frequency_of_failure( ) uses the joint distribution function and the marginal distribution as inputs. 1.0 0.0 0.1 0.0 Firewall failure Anti-virus failure 1.0 0.1 0.0 1.0 0.1 SEF 1.0 of the 4 nodes follows normal distribution. Fig. 3a–d shows the prior belief distributions (i.e., probability density function (pdf)) of the nodes SPF, FW, AV and SEF. The x-axis represents the range of values for each of the nodes (i.e., xi) and the y-axis represents the probability (i.e., pi) of event occurrence. The values of the x-axis stretch to 3 times the standard deviation on either side of the mean. In Fig. 3a, the x-axis indicates the technology policy failure occurring over a month. We note that 7 failures occur on average, with a variance of 2 failures. Each point plotted on the x axis represents the mean of each of these ranges. For example, the range 3 to 5 depicts very low failure. The mean failure for the range is 4. For example, the probability value corresponding to 10 is 0.1995. This indicates that there is 20% chance of 10 failures occurring in a month. Table 6 illustrates the prior belief for each node in terms of: (i) distribution type, (ii) parameters (μ, σ), (iii) ranges and (iv) expectation of the loss amount distribution for each of the nodes as Binomial (1000, 0.2). Table 7 depicts the correlation matrix, R, among the nodes. In this study, we assume the loss distribution with mean (E (Li)) of 200 and a variance (V (Li)) of 160. 5. CBBN based C-VA: results 4.6. Complexity analysis of CBBN based C-VA algorithm The CBBN based C-VA algorithm requires a non-polynomial number of probability computations. There are n BBN nodes, each having m states each. The function Generate_JDF( ) generates an m n celled joint distribution table. Generate_Marginal( ) generates for n nodes, thus 2 n − 2 determines conditional distributions. For example for 18 nodes, 2 18 distributions are generated. Frequency_of_failure( ) takes each cell from the joint distribution table and divides it by the corresponding marginal distribution to compute the conditional probability (i.e., the posterior distribution). The computation is shown in Fig. 2. 4.7. Data for our C-VA model validation However, to show as a proof of concept we have kept ourselves restricted to 4 nodes only (SPF, FW, AV and SEF) in this study. We have collected log data of perimeter security elements [43], from a premier business management school in India, for a period of two years, and computed their averages. On analysis we note that each The output of the C-VA is as follows: (i) vulnerability assessment report and (ii) expected cyber-risk value at each of the nodes of the DAG supplied to the model. 5.1. Vulnerability assessment report We started our study with the belief that the probability of moderate firewall failure and antivirus leading to an IT security breach was 0.20 respectively. We next used our CBBN based C-VA model to compute the vulnerability of the firewall. The posterior probability computation by the Frequency_of_failure( ) module of the C_VA procedure reports the probability of vulnerability for the firewall as 0.50 and that of anti-virus as 0.38. Table 8 ranks the malicious events, based on the C-VA model shown in Eq. (1). It thus follows that the firewall is the weakest link, which malicious attackers will use to break into the organization network. Fig. 4a–b shows the comparison between the posterior and prior distributions for the events. 5.2. Cyber-risk quantification Table 6 Prior marginal beliefs and loss distribution. Causal Variable Failure distribution Loss distribution Distribution Failure parameters Range Normal μ = 7; σ = 2 [1–13] 7 Firewall failure Normal μ = 8; σ = 2 [2–14] 7 Anti-virus failure SEF Normal μ = 9; σ = 2 [3–15] 7 Normal μ = 10; σ = 2 [4–16] 7 SPF Using the Collective Risk Model [52], we construct the combined distribution of the loss, E (Si) by assuming both the frequency of the States Parameters Binomial (1000, 0.2) Binomial (1000, 0.2) Binomial (1000, 0.2) Binomial (1000, 0.2) Table 8 Vulnerability assessment report. Event Details Prior belief Posterior belief E1 P (Firewall = moderate| SEF = moderate) P (Antivirus = moderate| SEF = moderate) 0.20 0.49 0.20 0.38 E2 Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 10 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx 0.20 0.200 0.121 10 0.027 0.027 0.003 0.002 12 14 3 5 9 11 7 13 15 Node 3(x) Node 2(x) Prior_Prob 0.121 0.060 0.003 0.002 Low Highish 8 0.00 0.121 0.060 Very low 6 medium Medium 0.020 0.240 0.200 Very High 4 0.027 0.240 High 2 0.121 0.027 0.020 Lowish Very low 0.001 0.002 medium 0.10 0.00 0.230 Very High 0.230 0.390 High 0.30 b Highish medium Node 3(p) 0.40 Low Node 2(p) 0.490 0.45 0.40 0.35 0.30 0.25 0.20 0.15 0.10 0.05 0.00 Medium a 0.50 Lowish medium 0.60 Posterior_prob Prior_Prob Posterior_prob Fig. 4. Prior and posterior probability distributions of the events. attack, E (Ni) and the associated loss, E (Li) as stochastic variables. The central tendencies of the combined loss distribution, E (Si), are defined in Eq. (7). claim amounts to be indemnified and with limited product traits. Ideally they should launch them in small geographic spread/markets too. EðSi Þ ¼ EðNi Þ  EðLi ÞVarðSi Þ ¼ EðNi Þ  VarðLi Þ þ fEðLi Þg2  VarðNi Þ 5.4. Premium fixation ð7Þ The basic inputs for cyber-risk quantification are the C-VA report and the expected loss distribution at each node. The output is the expected loss due to cyber-risk; this is represented in terms of the mean and variance. We denote the frequency of failure as E (Ni) as per Eq. (7). In this study, we assume the expectation of the loss amount distribution for each of the nodes to be of the form Binomial (1000, 0.2). Table 9 illustrates the expected loss or claim severity (i.e., E (Si)) and its variance (i.e., Var (Si)) as obtained using Eq. (1). 5.3. Cyber-risk insurance product characteristics We propose a cyber risk insurance product that has provisions of indemnifying the first and third party perils related to cyber risks such as (i) business interruption due to failure of software or hardware or virus attack or DDoS or (ii) loss to a third party due to virus-infected mail sent to them or due to downloading of a document or clicking on a hyperlink on a website. We assume that the claim distributions are short-tailed. The first party claims for cyber disasters will be reported immediately and be settled. While the third party claims (e.g. a virus in a mail attachment) would take a slightly longer time to settle. The product will have an exclusion policy that no compensation will be paid to the insured for any and all instances of self-inflicted loss, accessing insecure websites, acts of terrorism and/or improper self-protection. Currently, the maximum coverage provided to e-businesses, by an insurer, is only $200 million [1,2,69,81,82]. Only after more data is collated about cyber disasters by insurance companies, risk analysts and the government on a regular basis can the claim distributions be updated. Similar practice has been followed by other insurance business such as (i) life and marine insurance, (ii) motor car insurance and (iii) home insurance. Cyber insurers should initially go to market with products that have limited chance of exposure, small Table 9 Cyber-risk computation. Event Details Probability E(S) Var(S) E1 P (Firewall = moderate| SEF = moderate) P (Antivirus = moderate| SEF = moderate) 0.49 1600 81,280 0.38 1800 81,440 E2 Based on the expected loss arrived at in Eq. (9), the premium (Pri) at each node is defined as the expected loss E (Si) multiplied by the quantity of the overhead loading (OV) plus the variance (V(Si)i) multiplied by the contingency loading (k) [52]. The premium (Pri) is arrived at by using Eq. (8): Pri ¼ ð1 þ OVÞEðSi Þ þ k√VarðSi Þ ð8Þ where OV is the loading factor and k is the contingency loading. The loading factor is provided to account for the profit and other related administrative charges. The contingency loading (k) accounts for any variation from the mean. Fig. 5 illustrates the risk and premium computation modules. The inputs to this module are risk-frequency and risk-amount generated from the CBBN based C-VA algorithm (Fig. 4). Loss_calculation( ) provides the expected amount of loss due to a security breach, occurring at a node. The inputs are the frequency of failure for the node and the associated loss distribution. Premium_calculate( ) combines the expected amount of loss and the overhead (OV) and contingency (k) loading as inputs and determines the premium as output. We arrive at the premium by using Eq. (10). We will now illustrate the model using the following example. We assume an expense loading of 10% of the risk premium and a contingency loading (k) of 10% of standard deviation, for premium calculation. Table 10 illustrates the results. 5.5. Sensitivity analysis of CBBN based C-VA model The aim of a sensitivity analysis is to estimate the rate of change in the output of a model with respect to changes in model inputs. Such knowledge is important for: (i) evaluating the applicability of the model, (ii) determining parameters for which it is important to have more accurate values, and (iii) understanding the behavior of the system being modeled. For this study we change the following inputs, namely marginal distributions of the nodes, by changing the mean and variances; correlation matrix (R). We follow the subsequent methodology: (i) change the mean of a node by 5% in a gradient of 1%, while the other nodes were kept constant; (ii) change the mean of each of the nodes in graduations of 1%, to a maximum of 5%. We then run the CBBN based C-VA model, which finds that there are no significant changes noted in the posterior distributions. Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 11 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Function Loss_calculation(Risk_frequency, Risk_amount) Expected loss = Risk_frequency * Risk_amount Return Expected loss End Loss_calculation Function Variance_calculation(Risk_frequency, Risk_amount) Compute Variance Return Variance End Variance_calculation Function Premium_calculate(Expected loss, OV ) Premium = Expected loss *( 1+ OV) + k* √Variance Return Premium End Premium_ calculate Fig. 5. Module for risk and premium computation. 6. Utility based preferential pricing (UBPP) model for cyber insurers We propose a process model [26,96,102,103] for facilitating decision making by CTOs whether to transfer the cyber-risk or to manage it in-house. Let us assume that the CTO of an e-commerce organization wishes to decide whether he should opt for cyber-insurance to mitigate the financial losses that could arise due to a malicious DDoS. Using our C-VA model the CTO is aware of the fact that the DDoS attack could arise due to vulnerabilities in the: (i) firewall, or (ii) anti-virus, or (iii) both. She is also aware that the DDoS may never materialize (i.e., the firewall and the anti-virus resist the attack). The probability of each of the malicious events is Pi (i.e., a, b, ¢ and d). He has also computed the cyber-risk for his organization using the C-VA model. If the CTO has insured, there is cash outflow of the premium (Pr) and an inflow of XDoSi (i = type of security element compromised) amount as indemnification. While, if the CTO is uninsured there occurs a direct loss of XDoSi amount. An insured organization would lose Pr amount if no event occurs. The CTO is weighing her options to buy cyber-insurance vis-à-vis handling cyber-risk in-house. In Fig. 6 we illustrate the possible scenarios that could lead to a DDoS and also the resulting financial impact to an organization. 6.1. UBPP model: the mathematical formulation Our UBPP model shown in Eq. (9) computes the premium, Pri for a cyber insurer based on the following assumptions: (i) the probability ! n X βi ¼ 1 ; (ii) the online of each of the malicious events is βi and i¼1 Table 10 The basic premium amount for each event. Event Details Probability E(S) E1 0.49 1600 81,280 $1789 0.38 1800 81,440 $2089 E2 P (Firewall = moderate|SEF = moderate) P (Antivirus = moderate|SEF = moderate) Var(S) Premium ($) revenue earned by the organization is R; (iii) the expected utility for the insured (EUinsured) is greater than the expected utility of the uninsured (EUuninsured) [56,99]. The occurrence of a malicious event due to any of the vulnerabilities getting exposed leads to a loss of XDoSi (where i = 1, …, 4) amount. If insured the loss is indemnified by the insurer, else not. The utility (or reduction in wealth/revenues) for the ith event for the insured and the uninsured organization is denoted by EUi (where i = 1,2). Find Pr i Subject to : EU insured ≥ EU uninsured EUinsured ¼ events n X EUuninsured ¼ i¼1 βi  UIi n X events i¼1 ð9Þ βi  UNIi UIi ¼ ðW−Pr−χ  ðXDoSi þ XDoSi ÞÞ; χ ¼ 1 if event occurs χ ¼ 0 otherwise UNIi ¼ ðW−χ  XDOSi Þ; χ ¼ 1 if event occurs χ ¼ 0 otherwise where UIi and UNi can take any function form, such as linear, quadratic etc. A rational decision maker would only insure the e-business, if the utility arising from insurance is greater or equal to the utility obtained from non-insuring. Using this basic premise of utility theory [56,99], our UBPP models, the expected premium (Pr) to be charged from the insured firm. Eqs. (10) and (11) respectively illustrate the expected utility [35] of insured (EUInsured) and non-insured (EUNot Insured) organizations. EUInsured ¼ aEUðR–Pr–XDoSFW þ XDoSFW Þ þ bEUðR–Pr–XDoSAV þ XDoSAV Þ þ c=EUðR–Pr–XDoSB þ XDoSB Þ þ dEUðR–PrÞ ð10Þ EUNot Insured ¼ a  EUðR–XFW Þ þ bEUðR–XAV Þ þ c=EUðR–XB Þ þ dEUðRÞ ð11Þ Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 12 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx a=P (FWD, AVu ) U (R- Pr –XDOSFW + XDOSFW) b=P (FWU, AVD) U (R- Pr –XDOSAV +XDOSAV) ¢=P (FWD, AVD ) Yes U (R- Pr – XDOSB + XDOSB) d=P (FWU , AVU ) U (R- Pr) Insure? a=P (FWD, AVu ) U (R – XDOSFW) b=P (FWU, AVD) U (R – XDOSAV) No ¢=P (FWD, AVD ) U (R - XDOSB) d=P (FWU , AVU ) U (R) Fig. 6. Decision tree of utility payoffs for insuring vis-à-vis not insuring cyber-risk [XDOSFW = loss due to Firewall failure; XDOSAV = loss due to Anti-virus failure; XDOSB = loss due to both Firewall and Anti-virus failure; a + b + ¢ + d = 1; U = up; D = down]. A risk neutral online business organization insures, if the premium value lies between zero and the organizations' expected loss. 6.2. Risk and premium calculation Each organization has its own risk profile (such as neutral, risk averse and constant risk averse) based on its revenue, growth plans and other financial traits. The risk profile of the firm is denoted by a unique utility function. Our UBPP model aims to compute the risk premium for companies based on its risk profiles. 6.2.1. Risk neutral Let us assume that the organization is risk neutral, with utility function U (R) = R [56,99]. The utility functions of the insured and not insured are illustrated in Eqs. (12) and (13). 6.2.2. Risk averse If the organization is risk averse, we assume the utility functions [56,72,99] as shown in Eq. (16). UðRÞ ¼  R; 2 EðRÞ−0:5  K  XDoSi ; If Insured If not insured ð16Þ EUNot Insured ¼ R  ða þ b þ c= þ dÞ–a  XDoSFW –bXDoSAV –c=XDoSB ð13Þ Here the expected loss (XDoSi) is a stochastic variable. This indicates that the organization is trying to keep the loss as close as possible to the expected loss. The utility of the insured and not insured user is illustrated in Eqs. (17) and (18) respectively. Using Eq. (10) and the utility function in Eq. (16), we get the expected utility of the insured user as: It is a basic assumption that the expected utility of an insured organization is greater than that of a not insured organization (i.e., Eq. (14)) because the former gets indemnified for all losses in case of a contingency. EUInsured ¼ R–Pr: EUInsured ≥ EUNot Insured Using Eq. (10) and the utility function, we get the expected utility of the uninsured organization as: EUInsured ¼ R  ða þ b þ c= þ dÞ–Pr  ða þ b þ c= þ dÞ ð12Þ ð14Þ In this case, a risk neutral organization would insure, if Eq. (14) holds. The premium of a risk neutral organization is given by Eq. (15). Rða þ b þ c= þ dÞ–Prða þ b þ c= þ dÞ≥Rða þ b þ c= þ dÞ–aXDoSFW –bXDoSAV –c=XDoSB 0 ≤ Pr ≤ aXDoSFW þ bXDoSAV þ c=XDoSB ð15Þ ðR−PrÞ≥ R−aXDoSFW −bXDoSAV −c=XDoSB − ð17Þ aK  2 XDoSFW 2 bK  c=K  2 2 XDoSAV − XDoSB Pr≤aXDoSFW þ bXDoSAV 2 2 i Kh 2 2 2 þc= XDoSB þ aXDoS2FW þ bXDoSAV þ c=XDoSB : 2 ð18Þ − Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 13 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx Table 11 Risk premium vis-à-vis risk profile for a DDoS attack. C-VA model UBPP model Failure probability Loss amount ($) a = P (FWD, AVu) b = P (FWU, AVD) ¢ = P (FWD, AVD) d = P (FWU, AVU) a = P (FWD, AVu) b = P (FWU, AVD) ¢ = P (FWD, AVD) d = P (FWU, AVU) a = P (FWD, AVu) b = P (FWU, AVD) ¢ = P (FWD, AVD) d = P (FWU, AVU) a = P (FWD, AVu) b = P (FWU, AVD) ¢ = P (FWD, AVD) d = P (FWU, AVU) 0.6 0.2 0.1 0.1 0.1 0.2 0.3 0.4 0.01 0.10 0.10 0.79 0.1 0.5 0.3 0.1 XDoSFW XDoSAV XDoSB – XDoSFW XDoSAV XDoSB – XDoSFW XDoSAV XDoSB – XDoSFW XDoSAV XDoSB – 6000 8000 3000 0 6000 8000 3000 0 6000 8000 3000 0 6000 8000 3000 0 −ðR−PrÞ 1000 ð19Þ ð20Þ : Using Eq. (11) and the utility function, we get the expected utility of the uninsured organization as EuNot XDoSFW 1000 −R Insured ¼ 1−e1000  ae XDoSAV 1000 þ be  XDoSB þ c=e 1000 þ d : ð21Þ Eq. (14) also holds in this case. The premium of a constant risk averse organization is given by Eq. (22).  1−e −ðR−PrÞ 1000  ≥1−e −R 1000 Pr ≤ 1000 ln ae  ae XDoSFW 1000 XDoSFW 1000 þ be þ be XDoSAV 1000 XDoSAV 1000 þ c=e  XDoSB þ c=e 1000 þ d XDoSB 1000 þd  : 5500 Neutral Constant risk averse Risk averse – Neutral Constant risk averse Risk averse – Neutral Constant risk averse Risk averse – Neutral Constant risk averse Risk averse – 5500 10,275 20,000 – 3100 10,968 33,100 – 1160 7554 18,270 – 5500 10,498 43,600 – 5500 6.2.3. Constant risk averse If the organization is risk averse with a utility function U (R) = 1 − e (− R/1000). According to Pratt–Arrow's measure, a utility function is constant if − U //(R)/U /(R) is constant [56]. The utilities of the insured and not insured organization are illustrated in Eqs. (20) and (21) respectively. Using Eq. (16) and the utility function, we get the expected utility of the insured organization as: 1−e Risk premium ($) 1160 As evident from Eq. (19), if the variance from the expected loss is high then a risk averse organization should expect to pay a higher premium. EuInsured ¼ Risk profile 3100 As Eq. (14) also holds in this case, the premium of a risk averse organization is given by Eq. (19). aK  2 ðR−PrÞ≥ R−aXDoSFW −bXDoSAV −c=XDoSB − XDoS 2 bK =c K  2 2 − XDoSAV − XDoSB ÞPr ≤ aXDoSFW þ bXDoSAV 2 2 i Kh  2 2  2 a XDoSFW þ bXDoSAV þ c= XDoSB : þ =c XDoSB þ 2 Expected loss ($) ð22Þ Example. Assume that the organization that faced a DDoS has online revenues of $5 billion. The CEO has to decide in consultation with the CSO whether or not to opt for the insurance policy. In Table 11, we consider four scenarios with probabilities (a, b, ¢ and d) that can lead to a DDoS and derive the expected loss using the C-VA model and risk premium for three different user risk profiles: (i) neutral, (ii) risk averse and (iii) constant risk averse using the UBPP model. It is evident from Table 6 that the risk neutral organization would invest in the cyber-insurance policy only if the risk premium is equal to the expected loss. The risk averse organizations would be ready to pay a markup to opt for cyber-insurance because they prefer to transfer the risk to the insurer rather than handling it themselves. In all the four cases in Table 6, it is observed that risk averse and constant risk averse organizations should expect to pay higher premiums. In this context it can be concluded that the cyber-risk insurance products once introduced would find maximum popularity among risk averse online business organizations. It also shows that cyber-risk insurers need to skillfully design their products to attract various types of users and varying risk profiles. 7. Discussion Organizations globally invest a lot in IT security budget [40] to minimize the loss arising due to a security breach. This helps to reduce the probability of attack. But, the impact of malicious attack causes serious implications to the top lines and bottom lines of an organization. Minimizing the information security breach loss is as important for the top executives as any other business risk arising due to operational activity [10,23,37,104,105]. Geer et al. in their study highlight that a risk management strategy has to be followed by organizations. Organizations should also comply with regulations such as Basel II Capital Accord, Gramm–Leach–Bliley (GLB) Act, HIPPA and SOX in the terms of risk management and accountability [37]. COBIT and operational risk mitigation principles clearly mandate that a IT security risk management should comprise of risk identification, risk assessment and risk mitigation [23,93]. In this study we propose a process model for vulnerability assessment (i.e., C-VA model). We attribute the reasons for a security failure in an organization to (i) technological and (ii) organizational parameters. Our C-VA model is different from the process models proposed by Strecker et al., Salmela, Weiß and Winkelmann, 2011, as we have used the principles of FCAPS and BS7799 to model our solution [88,96,102,103]. Our C-VA model can be applied to any organization to assess risk, based on the log files retrieved from security appliances. Our C-VA model takes quantitative log data from perimeter and core security appliances as the basic input (i.e., marginal probability distributions). This provides subjective perception about cyber risk [22]. We have also taken into account that threats to organizational information assets are interdependent or correlated as security Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 14 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx appliances have related vulnerabilities [20]. To identify the vulnerabilities in the security appliances and in the organizational network we use the concepts of probabilistic inference [54]. Our study is in contrast to Chen et al., where the author uses the concept of queuing theory to quantify the vulnerability matrix [20]. We use concepts of Copula to effectively compute the posterior probability for the nodes of the C-VA model as shown in Eq. (1). Our paper is different from Herath and Herath [46], as we have used Gaussian Copula to model correlated risk as opposed to Archimedean Copulas (i.e., Clayton and Gumbel Copulas) used by them. We have modeled each node of the causal diagram as normal distribution and aggregated the data using the Gaussian Copula. The CTO or a CSO needs to choose the evidence and query nodes respectively as described in Eq. (1) to identify vulnerabilities in a corporate network. The vulnerability analysis report generated can be used to prioritize the strategies to pro-actively minimize the organizational losses. The CTO or CSO effectively updates the (i) security architecture, (ii) the security policy, (iii) organizational IT infrastructure, (iv) IT Budget, and (v) the security culture of the organization [23] to ensure proper C–I–A of organizational data. We then input loss amount distribution for each node of the C-VA model, based on expert opinion. We use Collective Risk modeling techniques as proposed in General Insurance literature to compute the expected loss, by taking into account the likelihood of breach and impact as stochastic variables respectively [52]. This is an advanced expected loss computation technique as compared to Courtney [25]. From a business manager's perspective this study is of immense importance as it provides them insight about the quantum of loss an organization may face due to a particular threat arising due to a vulnerability being exposed. Based on it they may decide on strategies for the organization to mitigate the IT related contingency. Many organizations today invest in cyber-insurance [1,7,13–15,39,44,70,72,74,79,85,97] to minimize the loss arising due to IT security breach. We then propose our UBPP model that helps insurers to customize premium and cyber-risk insurance schemes for the insured based on its revenues and risk taking ability. Our UBPP model helps insurers to propose attractive preferential premium for the prospective insured firms. A proper premium helps to attract customers and also to ensure that the cyber-risk insurance companies do not default. Using the collective risk modeling [52] along with overhead and contingency loading we arrive at the premium. Our UBPP model for premium is an improvement on Kahane et al.'s work on quantification of risk of backup pools, disaster recovery, and default risk [56]. Our UBPP is also different from Bohme et al. (2005) utility based model for arriving at premium for correlated cyber risk [15]. The premium value arrived using UBPP helps the business manager (especially the top management) to decide on the proportion of cyber risk to be managed in house (using technological solution) vis-à-vis buying cyber risk insurance [73]. We also provide guidelines to insurers to adequately design their cyber insurance products in terms of (i) coverage, (ii) exclusion policy, and (iii) scheme types. From an academic prospective, our research made the following important contributions in terms of proposing: (i) CBBN based C-VA, (ii) CBBN based model for cyber-risk quantification, (iii) premium computation for cyber-risk insurance products using the concepts of Collective Risk Model; and (iv) UBPP model for preferential premium computation for customers (i.e., e-business) with varying risk profiles and wealth, using the concepts of utility modeling. 8. Conclusion Cyber-risk insurance products help organizations in reducing the losses from cyber-risk. The use of cyber risk insurance will better help e-commerce and online organizations to promote e-transactions as the potential loss from security breaches would now be indemnified by cyber risk insurers. As more and more companies begin to adopt cyber-risk insurance products the trust in the minds of customers will increase. This will positively impact the top lines of a company too. This will also help induce cyber insurers to create more attractive products for firms. In the beginning we posed a question: should we insure IT or not. Based on our detailed presentation, we have not only identified the many reasons that organizations should acquire cyber-insurance but we have also shown the financial trade-offs and benefits of getting cyber-insurance. We hope that our work will inspire other researchers to come up with new designs of cyber insurance products. References [1] T. Bandyopadhyay, V.S. Mookerjee, R.C. Rao, Why it managers don't go for cyber-insurance products, Communications of the ACM 52 (11) (2009) 68–73. [2] T. Bandyopadhyay, V.S. Mookerjee, R.C. Rao, A model to analyze the unfulfilled promise of cyber insurance: the impact of secondary loss, Working Paper, 2010, (http://www.utdallas.edu/˜rrao/CyberBMR%5B1%5D.pdf). [3] H. Barki, S. Rivard, J. Talbot, Toward an assessment of software development risk, Journal of Management Information Systems 10 (2) (1993) 203–225. [4] L. Barnard, R.V. Solms, A formalized approach to effective selection and evaluation of information security controls, Computer & Security 19 (2) (2000). [5] R.L. Baskerville, Designing Information Systems Security, Wiley, Chichester, U.K., 1988 [6] R.L. Baskerville, Information systems security design methods: implication for information systems development, ACM Computing Surveys 25 (4) (1993) 375–414. [7] R.L. Baskerville, Strategic information Security Risk Management, Information Security, Policy, Processes and Practices, in: W.D. Straub, S. Goodman, R.L. Baskerville (Eds.) , 2008. [8] R.L. Baskerville, V. Portougal, A possibility theory framework for security evaluation in national infrastructure protection, Journal of Database Management 14 (2) (2003) 1–13. [9] J. Becker, B. Weiß, A. Winkelmann, Developing a business process modeling language for the banking sector—a design science approach, Proceedings of the 15th Americas Conference on Information Systems, San Francisco, 2009. [10] B. Blakley, E. McDermott, D. Geer, B. Blakley, E. McDermott, D. Geer, Information security is information risk management, Proceedings of the workshop on New security paradigms (NSPW '01), ACM, New York, NY, USA, 2001, pp. 97–104. [11] J. Bolot, M. LeLarge, Cyber insurance as an incentive for internet security, Workshop on the Economics of Information Security, Hanover, NH, 2008. [12] H. Cavusoglu, B. Mishra, S. Raghunathan, The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers, International Journal of Electronic Commerce 9 (1) (2004) 69–105. [13] R. Böhme, G. Kataria, Models and measures for correlation in cyber-insurance, Workshop on the Economics of Information Security (WEIS) University of Cambridge, UK, 2006, June. [14] R. Bohme, G. Schwartz, Modeling cyber-insurance: towards a unifying framework, Workshop on the Economics of Information Security (WEIS), Harvard, 2010, June. [15] R. Bohme, Security metrics and security investment models, in: I. Echizen, N. Ku-nihiro, R. Sasaki (Eds.) Advances in Information and Computer Security (IWSEC 2010), LNCS 6434, Springer-Verlag, Berlin Heidelberg, 2010, pp. 10–24. [16] R. Böhme, Cyber-insurance revisited, Workshop on the Economics of Information Security (WEIS), Harvard, 2005. [17] British Standards Institute, BS 7799: Code of Practice for Information Security Management (CoP). PD0003, United Kingdom, , 1993. [18] D. Cernauskas, A. Tarantino, Operational risk management with process control and business process modeling, The Journal of Operational Risk 4 (2) (2009) 1–22. [19] A.S. Chernobai, S.T. Rachev, Frank J. Fabozzi, Operational Risk: A Guide to Basel II Capital Requirements, Models, and Analysis, Wiley Publishing, 2007. [20] P. Chen, G. Kataria, R. Krishnan, Correlated failures, diversification, and information security risk management, MIS Quarterly 35 (2) (2011) 397–422. [21] T.R. Cleman, T. Reilly, Correlations and copulas for decision and risk analysis, Management Science 45 (2) (1999) 28–224. [22] T.R. Cleman, R.L. Winkler, Combining probability distributions from experts in risk analysis, Risk Analysis 19 (2) (1999) 187–203. [23] Control Objectives for Information and Related Technologies (COBIT), 3rd ed. IT Governance Institute, USA, 2000. [24] C. Cornalba, P. Giudici, Statistical models for operational risk management, Physica A 338 (2004) 166–172. [25] R. Courtney, Security Risk Assessment in Electronic Data Processing, AFIPS, Arlington, USA, 1977, pp. 97–104. [26] B. Curtis, M.I. Kellner, J. Over, Process modeling, Communications of the ACM 35 (9) (1992) 75–90. [27] M. Damianides, Sarbanes–Oxley and IT governance: new guidance on IT control and compliance, Information Systems Management 22 (1) (2005) 77–85. [28] D.I. Dickstein, R.H. Flast, No Excuses: A Business Process Approach to Managing Operational Risk, John Willey & Sons Inc., Hoboken, New Jersey, 2009.. Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx [29] G. Dhillon, J. Backhouse, Current directions in IS security research: towards socio-organizational perspectives, Info Systems of Journal 11 (2) (2001) 127–153. [30] G. Dhillon, Managing Information System Security, Macmillan Press Ltd., London, 1997. [31] G. Dhillon, Realizing benefits of an information security program, Business Process Management 10 (3) (2004) 260–261. [32] G. Dhillon, J. Backhouse, Information system security management in the new millennium, Communications of the ACM 43 (7) (2000) 125–127. [33] G. Dhillon, G. Torkzadeh, Value focused assessment of information system security in organizations, Information Systems Journal 16 (3) (2006). [34] M. Dorey, P. Joubert, Modeling Copulas: An Overview, The Staple Inn Actuarial Society, 2005. [35] K. Dutta, J. Perry, A tale of tails: an empirical analysis of loss distribution models for estimating operational risk capital, Working paper No.06-13, Federal Reserve Bank of Boston, 2011. [36] U. Frank, Multi-perspective enterprise modeling (MEMO): conceptual framework and modeling languages, Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS), IEEE Computer Society Washington, DC, USA, Honolulu, HI, 2002, pp. 72–82. [37] D. Geer Jr., K.S. Hoo, A. Jaquith, Information security: why the future belongs to the quants, IEEE Security and Privacy 1 (4) (2003) 24–32. [38] L.A. Gordon, M.P. Loeb, W. Lucyshyn, R. Richardson, CSI/FBI Computer Crime and Security Survey, , 2009. (GoCSI.com). [39] L.A. Gordon, M.P. Loeb, T. Sohail, A framework for using insurance for cyber-risk management, Communications of the ACM 46 (3) (2003) 81. [40] L.A. Gordon, M.P. Loeb, The economics of information security investment, ACM Transactions on Information and System Security 5 (4) (2002, Nov) 438–457. [41] L.A. Gordon, M.P. Loeb, Return on information security investments, myths vs realities, Strategic Finance 84 (5) (2002) 26–31. [42] S. Gorman, Alert on Hacker Power Play: U.S. Official Signals Growing Concern Over Anonymous Group's Capabilities, http://online.wsj.com/article_email/SB1000142405 2970204059804577229390105521090-lMyQjAxMTAyMDIwMDEyNDAyWj. html 2012. [43] S. Guarrao, Principles and procedures of the LRAM approach to information systems risk analysis and management, Computers & Security 6 (6) (1987) 493–504. [44] T. Grzebiela, Insurability of electronic commerce risks, Proceedings of the Hawaii International Conference on System Sciences, USA, 35, 2002. [45] J.F. Hair Jr., William C. Black, Barry J. Babin, Rolph E. Anderson, Multivariate Data, Analysis, 7/E, , 2010. [46] H. Herath, T. Herath, Copula Based Actuarial Model for Pricing Cyber, Insurance Policies Insurance Markets and Companies: Analyses and Actuarial Computations, 2, 2011. [47] J.D. Hinz, High severity information technology risks in finance, Paper Presented at the Hawaii International Conference on System Sciences, Hawaii, USA, 2005. [48] J. Hitchings, The need for a new approach to information security, Proceedings of the 10th International Conference on Information Security (IFIP Sec '94), Curacao, NA, 2002. [49] J. Hiwatashi, H. Ashida, Advancing operational risk management using Japanese banking experiences, Bank of Japan, Audit Office Working Paper No. 00-1, 2002, February. [50] L. Hoffman, E. Michelman, D. Clements, SECURATE—security evaluation and analysis using fuzzy metrics, , 1978. 531–540. [51] K. Hone, J.H.P. Eloff, Information security policy—what do international information standards say? Computer & Security 21 (5) (2002) 402–409. [52] B.I. Hossack, J. Pollard, B. Zehnwirth, Introduction to Statistics with Applications to General Insurance, Cambridge University Press, 1983. [53] A.K. Jallow, B. Majeed, K. Vergidis, A. Tiwari, R. Roy, Operational risk analysis in business processes, BT Technology Journal 1 (2007). [54] F.V. Jensen, Bayesian Networks and Decision Diagrams, Springer, 2001. [55] M.E. Jonson, E. Gortz, Embedding information security into organization, Security & Privacy 5 (3) (2007) 16–24. [56] Y. Kahane, S. Neumann, S.C. Taperio, Computer backup pools, disaster recovery, and default risk, Communications of the ACM 31 (1) (1988) 78–83. [57] J.P. Kesan, P.M. Ruperto, J.Y. Willam, The economic case for cyberinsurance, Working Paper Series No. Paper No. LE04-004, Illinois Law and Economics, 2004. [58] J.P. Kesan, R. Majuca, Cyberinsurance as a market-based solution to the problem of cybersecurity: a case study, Fourth Workshop on the Economics of Information Security (WEIS), Harvard, 2005. [59] L. Kiely, T.V. Benzel, Systemic security management, Security & Privacy (2006). [60] G.J. Klir, Bo Yuan, Fuzzy Sets and Fuzzy Logic: Theory and Applications, Phi Learning Pvt Ltd., 2009 [61] S.A. Kokolakis, A.J. Demopoulos, E.A. Kiountouzis, The use of business process modelling in information systems security analysis and design, Information Management & Computer Security 8 (3) (2000) 107–116. [62] E. Kolkowska, G. Dhillon, Organizational power and information security rule compliance, Computers & Security 33 (2013) 3–11. [63] R. Lederman, Adverse events in hospitals: the contribution of poor information systems, European Conference on Information Systems, (Turku, Finland), 2004. [64] R. Lederman, Managing hospital databases: can large hospitals really protect patient data? Health Informatics 11 (3) (2005) 201–210. [65] K.D. Loch, H. Carr, M.E. Warketin, Threats to information systems: today's reality, yesterday's understanding, MIS Quarterly 16 (2) (1992) 173–186. 15 [66] M.3400 TMN Management Functions, International Telecommunications Union, 1997. [67] R.P. Majuca, W. Yurcik, J.P. Kesan, The Evolution of Cyber Insurance, 2005. (Available at: http://arxiv.org/ftp/cs/papers/0601/0601020.pdf (http://arxiv. org/ftp/cs/papers/0601/0601020.pdf), Accessed on September 19, 2005). [68] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti, B.B. Chakrabarti, A.K. Podder, Security breach losses in e-commerce through insurance, Paper Presented at the Proceedings of 4th Security Conference, Las Vegas, Nevada, 2005. [69] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti, A.K. Podder, e-Risk: a case for insurance, Paper Presented at the Proceedings of the Conference on Information Systems and Technology, New Delhi, India, 2005. [70] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti, S.K. Sadhukhan, e-Risk management with insurance: a framework using copula aided Bayesian belief networks, Paper Presented at the Hawaii International Conference on system sciences, Hawaii, USA, 2006. [71] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti, R. Roy, S.K. Sadhukhan, Insuring big losses due to security breaches through insurance: a business model, Proceedings of the Hawaii International Conference on System Sciences, 40, IEEE Computer Society Washington, DC, USA, 2007. [72] A. Mukhopadhyay, B.B. Chakrabarti, D. Saha, A. Mahanti, e-Risk management through self-insurance: an option model, Proceedings of the Hawaii International Conference on System Sciences, 40, IEEE Computer Society Washington, DC, USA, 2007. [73] A. Mukhopadhyay, A Novel Framework for Mitigating e-Risk Through Insurance. , Phd Thesis IIM, Calcutta, 2007. [74] A. Mukhopadhyay, D. Saha, A. Mahanti, A.K. Podder, Insurance for cyber-risk: a utility model. Decision, Journal of IIM Calcutta 32 (1) (2005) 153–170. [75] R.B. Nelsen, Copulas characterization, correlation and counterexamples, Mathematics Magazine 68 (1995) 193–198. [76] R.B. Nelsen, An Introduction to Copulas, Springer-Verlag, New York, Inc., 1999 [77] E.W.T. Ngai, F.K.T. Wat, Fuzzy decision support system for risk analysis in e-commerce development, Decision Support Systems 40 (2005) 235–255. [78] J.F.V. Niekerk, R.V. Solms, Information security culture: a management perspective, Computers & Security (2010). [79] H. Ogut, N. Menon, Cyber insurance and IT security investment: impact of interdependent risk, Fourth Workshop on the Economics of Information Security (WEIS), Harvard, 2005. [80] H. Öğüt, S. Raghunathan, N. Menon, Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection, Risk Analysis 31 (3) (2011) 497–512 (2010). [81] W. Ozeir, Risk quantification problems and Bayesian Decision Support System solutions, , 1988. 229–234. [82] D. Pauli, M. Crawford, Cyber insurance, what's that 2006. Available at http://www. cso.com.au/article/10744/cyber_insurance_what 2006. [83] L. Ponemon, National survey on the detection and prevention of data security breaches. Available at http://www.csoonline.com/features/ponemon/ ponemon102306.html 2006. [84] R.K. Rainer, C.A. Synder, H.H. Carr, Risk analysis for information technology, Journal of Management Information Systems 8 (1) (1991) 129–147. [85] G.E. Rejda, Principles of Risk Management and Insurance, 10th edition Pearson Publication, 2010. [86] B. Di Renzo, M. Hillairet, M. Picard, A. Rifaut, C. Bernard, D. Hagen, P. Maar, D. Reinard, Operational risk management in financial institutions: process assessment in concordance with Basel II, Software Process: Improvement and Practice 12 (4) (2007) 321–330. [87] S.J. Russell, Artificial Intelligence: A Modern Approach, Pearson, 2010. [88] H. Salmela, Analyzing business losses caused by information systems risk: a business process analysis approach, Journal of Information Technology 23 (3) (2008) 185–202. [89] R. Schmidt, K. Lyytinen, M. Keil, P. Cule, Identifying software project risks: an international Delphi study, Journal of Management Information Systems 17 (4) (2001, March) 5–36. [90] N. Shetty, G. Schwartz, M. Felegyhazi, J. Walrand, Competitive cyber-insurance and internet security, Workshop on the Economics of Information Security, London, 2009. [91] Sklar, Fonctions de Repartition a n Dimensions et Leurs Marges, 8, Publications del'Institut Statistique de l' Universiate de Paris, 1959, pp. 229–231. [92] E. Smith, J.H.P. Eloff, A prototype for assessing information technology risks in health care, Computers & Security 21 (2) (2002) 266–284. [93] C. Smithson, S. Paul, C. Smithson, S. Paul, Quantifying operational risk, Risk (2004) 57–59. [94] J.R. Staker, Use of Bayesian Belief Networks in the Analysis of Information System Network Risk, Commonwealth of Australia, 1999.. [95] J. Sterman, Business Dynamics, Tata McGraw Hill Education Private Limited, 2010. [96] S. Strecker, D. Heise, U. Frank, RiskM: a multi-perspective modeling method for IT risk assessment, Information Systems Frontiers 13 (2011) 595–611. [97] G.S. Smith, Recognizing and preparing loss estimates from cyber-attacks, Information Systems Security 12 (6) (2004) 46–58. [98] K. Thomson, R.v. Solms, L. Louw, Cultivating an organizational information security culture, Computer Fraud & Security 10 (2006) 7–11. [99] H.R. Varian, Intermediate Economics, A Modern Approach, W W Norton Publication, 1999. [100] H.S. Venter, J.H.P. Eloff, A taxonomy for information security technologies, Computers & Security 22 (4) (May 2003) 299–307. [101] J. Wang, A. Chaudhury, H.R. Rao, A value-at-risk approach to information security investment, Information Systems Research 19 (1) (2008) 106–120. Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004 16 A. Mukhopadhyay et al. / Decision Support Systems xxx (2013) xxx–xxx [102] B. Weiß, A. Winkelmann, A metamodel based perspective on the adaptation of a process modeling language to the financial sector, Proceedings of the 44th Hawaii International Conference on System Sciences, Koloa, USA, 2011. [103] B. Weiß, A. Winkelmann, Developing a process oriented notation for modeling operational risks—a conceptual meta model approach to operational risk management in knowledge intensive business process within the financial industry, Proceedings of the 44th Hawaii International Conference on System Sciences, Koloa, USA, 2011. [104] P. Weill, J.W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, 2004. [105] G. Westerman, R. Hunter, IT Risk: Turning Business Threats into Competitive Advantage, Harvard Business School Press, Cambridge, 2007. [106] L. Willcocks, H. Margetts, Risk assessment and information systems, European Journal of Information Systems 3 (2) (1994) 127–138. [107] W. Yurcik, Cyber insurance: a market solution to the internet security market failure, Workshop on the Economics of Information Security (WEIS), Berkeley, 2002. [108] L.A. Gordon, M.P. Loeb, Budgeting Process for Information Security Expenditures, Communications of the ACM, 2006. Arunabha Mukhopadhyay, Ph.D. is an Associate Professor of Information Technology & Systems Area at Indian Institute of Management Lucknow (IIM Lucknow). His research interests include IT Risk Management, Quantifying IT Risk, Cyber-risk insurance, IT Governance, IT Audit, Network Security, Healthcare IT, Network Science, Data mining, e-governance and Telecom Management. He has co-supervised 3 doctoral theses and published around 40 papers in various referred journals and conferences including JIPS, IJISCM, Decision, IIMB Review, CSI-C, HICSS, AMCIS, Pre-ICIS workshops, GITMA, CISTM, ICEG etc. He is the recipient of the Best Teacher in Information Technology Management in 2013 and 2011, by Star-DNA group B-School Award and 19th Dewang Mehta Business School Award, in India respectively. He is a Member of IEEE, AIS, ISACA, DSI, ITS, IFIP WG 11.1 and a Life Member of Computer Society of India (CSI), Telemedicine Society of India (TSI), Indian Insurance Institute (III), Actuarial Society of India (ASI), All India Management Association (AIMA), System Dynamics Society of India (SDSI) and, Operations Research Society of India (ORSI). He has obtained his Ph.D. and Post Graduate Diploma in Business Management (PGDBM) from the Indian Institute of Management Calcutta (IIM Calcutta), in the area of Management Information Systems. He was awarded the Infosys scholarship during his Ph.D. Samir Chatterjee, Ph.D. is a Professor and Fletcher Jones Chair of Technology, Management & Design in the Center for Information Systems & Technology at Claremont Graduate University. He is a technology designer, a healthcare IT strategist, and Founding Director of the Network Convergence Laboratory at Claremont Graduate University, California. His current research includes network security, persuasive technology and software design that support health behavior change. He has published over 100 articles in refereed conferences and journals including IEEE Network, IEEE J. on Selected Areas in Communications, Communications of the ACM, Computer Networks, Journal of MIS, Decision Support Systems, Journal of American Medical Informatics Association (JAMIA), Telemedicine & e-Health Journal, Information Systems Frontiers, Computer Communication, IEEE IT Professional, ACM CCR, Communications of AIS, Journal of Internet Technology etc. He is an AE for MISQ and Health Systems Journal. His recent book titled “Design Research in Information Systems: Theory and Practice” published by Springer in May 2010 has become a seminal resource in Information Systems design field. He has managed as principal investigator over $2.6 million of grants from agencies such as NSF, and numerous private foundations and corporations. Debashis Saha received the B.E. (Hons) degree from Jadavpur University, Kolkata, India, and the M.Tech. and Ph.D. degrees from the Indian Institute of Technology (IIT), Kharagpur, all in electronics and telecommunication engineering. He is currently a Full Professor with the MIS and Computer Science Group, Indian Institute of Management (IIM) Calcutta. Previously, he was with Computer Science & Engg Dept, Jadavpur University. His research interests include pervasive communication and computing, wireless networking and mobile computing, WDM optical networking, e-commerce, ICT for development and network economics. He has co-supervised 14 doctoral theses and published about 270 research papers in various conferences and journals, and directed four funded projects on networking. He has coauthored several book chapters, a monograph and five books including Networking Infrastructure for Pervasive Computing: Enabling Technologies and Systems (Norwell, MA: Kluwer, 2002) and Location Management and Routing in Mobile Wireless Networks (Boston, MA: Artech House, 2003). He is the Co-Editor-in-Chief of the International Journal of Business Data Communications & Networking (IJBDCN), had served on the editorial board of three international journals, member of the organizing/program committee of several international conferences, and is a regular reviewer of several international journals. Dr. Saha was the recipient of the prestigious Career Award for Young Teachers from AICTE, Government of India, and is a SERC Visiting Fellow with the Department of Science and Technology (DST), Government of India. He is a Fellow of West Bengal Academy of Science and Technology (WAST), Senior Life Member of Computer Society of India, Senior Member of IEEE, a member of ACM, a member of AIS, and a member of the International Federation of Information Processing (IFIP) Working Groups 6.8 and 6.10. He was the co-Vice-Chair of IEEE Calcutta Section (2010–2011) and was the founder chair of Calcutta Chapter of IEEE Communications Society (2003–2008) which won the ‘Best Chapter of the World’ award in 2008. Dr. Ambuj Mahanti, D.Sc., is a professor at the MIS Group in IIM Calcutta for about three decades. He has been a UN Fellow on number of occasions and has taught in the University of Maryland at College Park, USA for several years. He has published widely in noted international journals and guided numerous theses on management and technology. He has also widely consulted and conducted many highlevel training programs. He has served as the Dean (planning and administration) at IIM Calcutta. His current interests include heuristics, business intelligence, cloud computing, social networking and ontology based information security and compliance systems. Samir K Sadhukhan received his M.Sc. degree in Applied Mathematics from Calcutta University (India), M.Tech. degree in Computer Science from Indian Statistical Institute (India) and MBA degree from Jadavpur University (India). Presently, he is associated with Indian Institute of Management Calcutta as Senior Systems Analyst. His research interests include algorithms in heuristic search, Network security, Mobile and Wireless network planning. Please cite this article as: A. Mukhopadhyay, et al., Cyber-risk decision models: To insure IT or not?, Decision Support Systems (2013), http:// dx.doi.org/10.1016/j.dss.2013.04.004