Cyber risk management: risk transfer and mitigation strategies to manage cyber risks
MAZZOCCOLI, ALESSANDRO
2021
Abstract
Cybersecurity and cyber risk management are an ever-growing area of concern due to the growth of the ICT infrastructure and its pervasiveness in everyday activities. The growing reliance on ICT and its role in economic activities are unfortunately an attractive incentive for hacking and hacking-related criminal activities. However, cyber risks are quite peculiar compared to other forms of risk for several reasons. We do not have long-term historical data, and their characteristics evolve rapidly, so that reliable forecasts are not possible. In addition, cyber attacks can go undetected for a long period, so that a significant gap may exist between their appearance and their observation. Finally, strong interdependencies exist between infrastructures that may cause the propagation of damages. What is certain is that such risks can cause relevant tangible and intangible losses, which may sometimes be hard to quantify, since they may be due, e.g., to loss of reputation. Since cyber risks represent such a hard challenge, they call for a proper risk management approach. Contrary to the large majority of cybersecurity studies, which deal with the engineering tools to protect information and prevent security breaches, a relevant and growing area of research is represented by cybersecurity economics, which takes an economic approach to cyber risk management, with the aim of quantifying the risk, evaluating the economic effectiveness of security countermeasures, and minimizing the overall losses involved. My thesis aims at analysing the risk management strategies that companies can adopt to deal with cyber risks. In particular, the following three techniques are explored: 1. cyber risk mitigation; 2. cyber risk transfer; 3. cyber risk transfer and mitigation. The first strategy, cyber risk mitigation, tends to reduce cyber risk through economic investments in cybersecurity.
Using established models for the effectiveness of security investments, and adjusting those models through parameter estimates obtained from the recent literature, the optimal investment in security is derived. The economic balance between investment and residual losses is then examined. Finally, the impact of deviations from the optimized investments is also examined through the use of sensitivity analysis. The second strategy is cyber risk transfer. In this case, I focus on a cloud infrastructure. In particular, I compute the insurance premium that a cloud provider has to pay in order to be covered against the losses caused by disruptions in its service (which may be due either to accidental malfunctions or to accidental attacks). Insurance represents here a means for the cloud provider to transfer its risk to the insurer. The issue is addressed by considering a combination of service outage models (Exponential-Pareto and Pareto-Lognormal) and three different Quality of Service (QoS) metrics (number of outages, number of long outages, and unavailability). Since protecting against cyber losses has a price anyway, a final part of the study is devoted to helping the company recalibrate its compensation deals with its customers (whose overall volume impacts the insurance premium), namely by deriving a closed formula to set the unit compensation offered to customers so as to prevent those compensations and the resulting insurance premium from eroding the profit margins. The third strategy is a combination of the first two. There is a synergic advantage in using both strategies, since security investments help reduce the expected loss and therefore the resulting insurance premium. In this thesis, the optimal balance between investments and insurance is then sought.
The optimal investment in security is derived for this mixed strategy under three insurance policies, covering, respectively, all the losses (total coverage), just those below the limit of maximum liability (partial coverage), and those above a threshold but below the maximum liability (partial coverage with deductibles). Under certain conditions (e.g., low potential loss, or either very low or very high vulnerability), the mixed strategy however reverts to insurance alone, because investments do not provide an additional benefit. When the mixed strategy is the best choice, I find that the dominant component in the overall security expenses is the insurance premium.

File: PhD_Thesis.pdf (Adobe PDF, 1.17 MB), access only from BNCF and BNCR.
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/215214
URN:NBN:IT:UNIROMA2-215214