Optimal Security Configuration for Cyber Insurance

摘要

Losses due to cyber security incidents could be very significant for organisations. This fact forces managers to consider cyber security risks at the highest management level. Cyber risks are usually either mitigated by technical means (countermeasures) or transferred to another party (i.e., insurer). Both options require significant investments and organisations face the problem of optimal distribution of cyber security budget between these risk treatment options. In this paper, we propose an approach for optimal distribution of investments between self-protection and cyber insurance. The key difference of our paper with respect to others in the field is that our model helps to identify the required security controls, rather than implicitly assuming a relation between security investments, security configuration and expected probability of attack. Our approach exploits a discrete model of investment in self-protection, which is more challenging for analysis but is more realistic and convenient for the application. Our model further considers several threats and allows threats to occur more than once.