Printed from https://ideas.repec.org/a/spr/infosf/v21y2019i5d10.1007_s10796-017-9808-5.html

Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance

Author

Listed:
  • Arunabha Mukhopadhyay

    (Indian Institute of Management Lucknow)

  • Samir Chatterjee

    (Claremont Graduate University)

  • Kallol K. Bagchi

    (University of Texas at El Paso)

  • Peteer J. Kirs

    (University of Texas at El Paso)

  • Girja K. Shukla

Abstract

Malicious external attackers commonly use cyber threats (such as virus attacks, denial-of-service (DoS) attacks, financial fraud, system penetration, and theft of proprietary information), while internal attackers resort to unauthorized access to compromise the confidentiality, integrity, and availability (CIA) of the data of individuals, organizations, and nations. This results in an opportunity cost, a loss of market capitalization, and a loss of brand equity for organizations. Organizations and nations spend a substantial portion of their information technology (IT) budgets on IT security (such as perimeter and core security technologies). Yet, security breaches are common. In this paper, we propose a cyber-risk assessment and mitigation (CRAM) framework to (i) estimate the probability of an attack using generalized linear models (GLM), namely logit and probit, and validate the same using Computer Security Institute–Federal Bureau of Investigation (CSI–FBI) time series data, (ii) predict security technology required to reduce the probability of attack to a given level in the next year, (iii) use gamma and exponential distribution to best approximate the average loss data for each malicious attack, (iv) calculate the expected loss due to cyber-attacks using collective risk modeling, (v) compute the net premium to be charged by cyber insurers to indemnify losses from a cyber-attack, and (vi) propose either cyber insurance or self-insurance, or self-protection, as a strategy for organizations to minimize losses.

Suggested Citation

  • Arunabha Mukhopadhyay & Samir Chatterjee & Kallol K. Bagchi & Peteer J. Kirs & Girja K. Shukla, 2019. "Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance," Information Systems Frontiers, Springer, vol. 21(5), pages 997-1018, October.
  • Handle: RePEc:spr:infosf:v:21:y:2019:i:5:d:10.1007_s10796-017-9808-5
    DOI: 10.1007/s10796-017-9808-5

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-017-9808-5
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.


    References listed on IDEAS

    1. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    2. Saini Das & Arunabha Mukhopadhyay & Manoj Anand, 2012. "Stock Market Response to Information Security Breach: A Study Using Firm and Attack Characteristics," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 8(4), pages 27-55, October.
    3. Daniel Kahneman & Amos Tversky, 2013. "Prospect Theory: An Analysis of Decision Under Risk," World Scientific Book Chapters, in: Leonard C MacLean & William T Ziemba (ed.), HANDBOOK OF THE FUNDAMENTALS OF FINANCIAL DECISION MAKING Part I, chapter 6, pages 99-127, World Scientific Publishing Co. Pte. Ltd..
    4. Robert T. Clemen & Terence Reilly, 1999. "Correlations and Copulas for Decision and Risk Analysis," Management Science, INFORMS, vol. 45(2), pages 208-224, February.
    5. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    6. Fang Fang & Manoj Parameswaran & Xia Zhao & Andrew B. Whinston, 2014. "An economic mechanism to manage operational security risks for inter-organizational information systems," Information Systems Frontiers, Springer, vol. 16(3), pages 399-416, July.
    7. Hulisi Öğüt & Srinivasan Raghunathan & Nirup Menon, 2011. "Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection," Risk Analysis, John Wiley & Sons, vol. 31(3), pages 497-512, March.
    8. Tridib Bandyopadhyay & Vijay Mookerjee, 0. "A model to analyze the challenge of using cyber insurance," Information Systems Frontiers, Springer, vol. 0, pages 1-25.
    9. Howard Kunreuther, 1997. "Managing Catastrophic Risks Through Insurance and Mitigation," Center for Financial Institutions Working Papers 98-13, Wharton School Center for Financial Institutions, University of Pennsylvania.

    Citations



    Cited by:

    1. Taylor Reynolds & Sarah Scheffler & Daniel J. Weitzner & Angelina Wu, 2024. "Mind the Gap: Securely modeling cyber risk based on security deviations from a peer group," Papers 2402.04166, arXiv.org.
    2. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    3. Kalpit Sharma & Arunabha Mukhopadhyay, 2023. "Cyber-risk Management Framework for Online Gaming Firms: an Artificial Neural Network Approach," Information Systems Frontiers, Springer, vol. 25(5), pages 1757-1778, October.
    4. Jae Kyu Lee & Younghoon Chang & Hun Yeong Kwon & Beopyeon Kim, 2020. "Reconciliation of Privacy with Preventive Cybersecurity: The Bright Internet Approach," Information Systems Frontiers, Springer, vol. 22(1), pages 45-57, February.
    5. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    6. Alessandro Mazzoccoli & Maurizio Naldi, 2022. "An Overview of Security Breach Probability Models," Risks, MDPI, vol. 10(11), pages 1-29, November.
    7. Alessandro Mazzoccoli, 2023. "Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis," Risks, MDPI, vol. 11(9), pages 1-14, August.
    8. Rajan, Rishabh & Rana, Nripendra P. & Parameswar, Nakul & Dhir, Sanjay & Sushil, & Dwivedi, Yogesh K., 2021. "Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management," Technological Forecasting and Social Change, Elsevier, vol. 170(C).
    9. Avital Baral & Taylor Reynolds & Lawrence Susskind & Daniel J. Weitzner & Angelina Wu, 2024. "Municipal cyber risk modeling using cryptographic computing to inform cyber policymaking," Papers 2402.01007, arXiv.org, revised Feb 2024.
    10. Supunmali Ahangama, 2023. "Relating Social Media Diffusion, Education Level and Cybersecurity Protection Mechanisms to E-Participation Initiatives: Insights from a Cross-Country Analysis," Information Systems Frontiers, Springer, vol. 25(5), pages 1695-1711, October.
    11. Ben Krishna & Satish Krishnan & M. P. Sebastian, 2023. "Examining the Relationship between National Cybersecurity Commitment, Culture, and Digital Payment Usage: An Institutional Trust Theory Perspective," Information Systems Frontiers, Springer, vol. 25(5), pages 1713-1741, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    2. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    3. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    4. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    5. Martin Peterson, 2002. "The Limits of Catastrophe Aversion," Risk Analysis, John Wiley & Sons, vol. 22(3), pages 527-538, June.
    6. Seow Eng Ong & Davin Wang & Calvin Chua, 2023. "Disruptive Innovation and Real Estate Agency: The Disruptee Strikes Back," The Journal of Real Estate Finance and Economics, Springer, vol. 67(2), pages 287-317, August.
    7. Christiane Goodfellow & Dirk Schiereck & Steffen Wippler, 2013. "Are behavioural finance equity funds a superior investment? A note on fund performance and market efficiency," Journal of Asset Management, Palgrave Macmillan, vol. 14(2), pages 111-119, April.
    8. Philippe Fevrier & Sebastien Gay, 2005. "Informed Consent Versus Presumed Consent The Role of the Family in Organ Donations," HEW 0509007, University Library of Munich, Germany.
    9. Shuang Yao & Donghua Yu & Yan Song & Hao Yao & Yuzhen Hu & Benhai Guo, 2018. "Dry Bulk Carrier Investment Selection through a Dual Group Decision Fusing Mechanism in the Green Supply Chain," Sustainability, MDPI, vol. 10(12), pages 1-19, November.
    10. Senik, Claudia, 2009. "Direct evidence on income comparisons and their welfare effects," Journal of Economic Behavior & Organization, Elsevier, vol. 72(1), pages 408-424, October.
    11. Jose Apesteguia & Miguel Ballester, 2009. "A theory of reference-dependent behavior," Economic Theory, Springer;Society for the Advancement of Economic Theory (SAET), vol. 40(3), pages 427-455, September.
    12. Shoji, Isao & Kanehiro, Sumei, 2016. "Disposition effect as a behavioral trading activity elicited by investors' different risk preferences," International Review of Financial Analysis, Elsevier, vol. 46(C), pages 104-112.
    13. Christoph Engel & Michael Kurschilgen, 2011. "Fairness Ex Ante and Ex Post: Experimentally Testing Ex Post Judicial Intervention into Blockbuster Deals," Journal of Empirical Legal Studies, John Wiley & Sons, vol. 8(4), pages 682-708, December.
    14. Christina Leuker & Thorsten Pachur & Ralph Hertwig & Timothy J. Pleskac, 2019. "Do people exploit risk–reward structures to simplify information processing in risky choice?," Journal of the Economic Science Association, Springer;Economic Science Association, vol. 5(1), pages 76-94, August.
    15. Boone, Jan & Sadrieh, Abdolkarim & van Ours, Jan C., 2009. "Experiments on unemployment benefit sanctions and job search behavior," European Economic Review, Elsevier, vol. 53(8), pages 937-951, November.
    16. Singal, Vijay & Xu, Zhaojin, 2011. "Selling winners, holding losers: Effect on fund flows and survival of disposition-prone mutual funds," Journal of Banking & Finance, Elsevier, vol. 35(10), pages 2704-2718, October.
    17. José Cláudio do Nascimento, 2019. "Behavioral Biases and Nonadditive Dynamics in Risk Taking: An Experimental Investigation," Papers 1908.01709, arXiv.org, revised Apr 2023.
    18. Alex Cukierman & Anton Muscatelli, 2001. "Do Central Banks have Precautionary Demands for Expansions and for Price Stability?," Working Papers 2002_4, Business School - Economics, University of Glasgow, revised Mar 2002.
    19. Dash, Saumya Ranjan & Maitra, Debasish, 2018. "Does sentiment matter for stock returns? Evidence from Indian stock market using wavelet approach," Finance Research Letters, Elsevier, vol. 26(C), pages 32-39.
    20. José F. Tudón M., 2019. "Perception, utility, and evolution," Economic Theory Bulletin, Springer;Society for the Advancement of Economic Theory (SAET), vol. 7(2), pages 191-208, December.
