The economics of cyber risk transfer

Risk transfer plays an increasing role in information security risk management as organisations purchase cyber insurance and vendors offer cyber warranties. These cyber risk transfer products affect how risk managers make decisions. An archetypal example is insurers offering discounts on cyber insurance contingent on information security controls being in place. Alternatively, vendors offering cyber warranties incur relatively less cost if they produce more effective products, increasing the information risk managers possess when purchasing security products. This dissertation uses mixed methods to ask how might cyber risk transfer products increase information about security decisions? Focusing on the incentives and strategies of market participants situates this dissertation within the Economics of Information Security. We collect empirical data in order to make realistic modelling decisions. We then introduce two decision-theoretic models to explore how mechanisms like cyber insurance and cyber warranties can increase information about the effectiveness of security controls. One of the resulting insights is operationalised by introducing a novel method to infer loss distributions from insurance prices. Our first contribution collects data about cyber insurance risk assessment and how it feeds into pricing. A qualitative study involving nine insurance firms in the UK provides insights into market processes. We identify disparities between how an area of information security is valued by underwriters and how much information is collected in application forms. Additionally, we extract 26 regulatory filings describing how US insurers price cyber insurance, providing one of the first quantitative empirical studies of the cyber insurance market. Our second contribution extends an existing model to consider multiple policyholders with an insurer coordinating information. Monte Carlo simulations are used to explore different strategies for the insurer. The results describe how the rate of attack, security spending, variance of losses, and gross return relate to the insurer's choice of strategy and number of insureds. Our third contribution considers how consumers can use cyber warranties to increase information about the effectiveness of security products. We analyse 10 warranties attached to information security products to understand what they typically cover. We then introduce a simple model and derive four different inferences to be made, depending on the information held by the consumer. Numerical illustrations suggest vendors voluntarily offering warranties can force a separating equilibria. Finally, we discuss barriers to making these inferences in reality. Our final contribution introduces a novel method to infer cyber loss distributions from insurance prices. We apply this to a set of 6,218 cyber insurance prices extracted in our first contribution. This allows us to derive what we term the County Fair Cyber Loss Distribution, which aggregates the inferred loss models from 26 separate pricing schemes. The results provide real estimates that organisations can use to quantify cyber risk.