
Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance

Author

Listed:
  • Arunabha Mukhopadhyay

    (Indian Institute of Management Lucknow)

  • Samir Chatterjee

    (Claremont Graduate University)

  • Kallol K. Bagchi

    (University of Texas at El Paso)

  • Peteer J. Kirs

    (University of Texas at El Paso)

  • Girja K. Shukla

Abstract

Malicious external attackers commonly use cyber threats such as virus attacks, denial-of-service (DoS) attacks, financial fraud, system penetration and theft of proprietary information, while internal attackers resort to unauthorized access, to compromise the confidentiality, integrity and availability (CIA) of the data of individuals, organizations and nations. The result is an opportunity cost, a loss of market capitalization and a loss of brand equity for the affected organizations. Organizations and nations spend a substantial share of their information technology (IT) budgets on IT security (perimeter and core security technologies), yet security breaches remain common. In this paper, we propose a cyber-risk assessment and mitigation (CRAM) framework that (i) estimates the probability of an attack with generalized linear models (GLMs), namely logit and probit, and validates them against Computer Security Institute–Federal Bureau of Investigation (CSI–FBI) time-series data; (ii) predicts the security technology required to reduce the probability of attack to a given level in the next year; (iii) fits gamma and exponential distributions to the average-loss data for each type of malicious attack and keeps the better approximation; (iv) computes the expected loss from cyber-attacks with a collective risk model; (v) derives the net premium a cyber insurer should charge to indemnify losses from a cyber-attack; and (vi) recommends cyber insurance, self-insurance or self-protection as the strategy by which an organization minimizes its losses.
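
As an added worked example (not code from the paper or from IDEAS), the following Python runs the six steps of the abstract end to end on constructed data. Everything in it is an assumption made for illustration: the ten yearly observations and eight loss figures are made up rather than taken from the CSI–FBI series; the logit and probit models are fitted by Fisher scoring in pure Python; the gamma fit uses the method of moments rather than maximum likelihood; the collective risk model takes a Bernoulli frequency (at most one attack per year), so the expected loss is the attack probability times the mean severity; and the strategy choice in step (vi) uses a mean-variance cost as a stand-in for a risk-averse utility. Function names such as fit_glm and choose_strategy are mine, not the paper's.

```python
"""Toy walk-through of the CRAM steps on constructed data (added example, not the
paper's code): logit/probit fit, inversion for the spend that reaches a target
attack probability, severity fit, net premium and strategy choice."""
import math

# Constructed data, NOT the CSI-FBI series: one row per year,
# x = security-technology spend index, y = 1 if the attack type was reported.
YEARS = [(0.5, 1), (0.8, 1), (1.0, 1), (1.2, 0), (1.5, 1),
         (1.8, 0), (2.0, 0), (2.3, 1), (2.6, 0), (3.0, 0)]
# Constructed average-loss observations for that attack type (USD thousands).
LOSSES = [12.0, 35.0, 48.0, 60.0, 75.0, 110.0, 150.0, 260.0]


def _phi(z):
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)   # N(0,1) density

def _Phi(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))          # N(0,1) CDF

def fit_glm(obs, link="logit", iters=100):
    """Fisher scoring for P(y=1) = F(b0 + b1*x), F = logistic or normal CDF.
    Returns (b0, b1); b1 < 0 means more spend lowers the attack probability."""
    b0 = b1 = 0.0
    for _ in range(iters):
        g0 = g1 = h00 = h01 = h11 = 0.0        # score vector, information matrix
        for x, y in obs:
            z = b0 + b1 * x
            if link == "logit":
                p = 1.0 / (1.0 + math.exp(-z))
                w, s = p * (1.0 - p), y - p
            else:                              # probit
                p = min(max(_Phi(z), 1e-12), 1.0 - 1e-12)
                d = _phi(z)
                w, s = d * d / (p * (1.0 - p)), (y - p) * d / (p * (1.0 - p))
            g0, g1 = g0 + s, g1 + s * x
            h00, h01, h11 = h00 + w, h01 + w * x, h11 + w * x * x
        det = h00 * h11 - h01 * h01             # solve the 2x2 system by hand
        db0 = (h11 * g0 - h01 * g1) / det
        db1 = (h00 * g1 - h01 * g0) / det
        b0, b1 = b0 + db0, b1 + db1
        if abs(db0) + abs(db1) < 1e-10:
            break
    return b0, b1

def p_attack(b0, b1, x, link="logit"):
    z = b0 + b1 * x                             # predicted P(attack) at spend x
    return 1.0 / (1.0 + math.exp(-z)) if link == "logit" else _Phi(z)

def spend_for_target(b0, b1, p_target, link="logit"):
    """Item (ii): spend at which the fitted curve equals p_target. Bisection works
    for both links; assumes b1 < 0 and the target is reachable within [-10, 50]."""
    lo, hi = -10.0, 50.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if p_attack(b0, b1, mid, link) > p_target:
            lo = mid                            # still too risky: spend more
        else:
            hi = mid
    return 0.5 * (lo + hi)

def fit_severity(losses):
    """Item (iii): fit exponential (MLE) and gamma (method of moments, a simpler
    stand-in for the paper's fit) and keep the one with the higher log-likelihood."""
    n = len(losses)
    m = sum(losses) / n
    v = sum((loss - m) ** 2 for loss in losses) / (n - 1)
    ll_exp = sum(-math.log(m) - loss / m for loss in losses)
    k, theta = m * m / v, v / m
    ll_gam = sum((k - 1.0) * math.log(loss) - loss / theta - k * math.log(theta)
                 - math.lgamma(k) for loss in losses)
    if ll_gam > ll_exp:
        return {"dist": "gamma", "shape": k, "scale": theta,
                "mean": m, "var": k * theta * theta}
    return {"dist": "exponential", "rate": 1.0 / m, "mean": m, "var": m * m}

def expected_loss(p, sev):
    """Item (iv): collective risk model with Bernoulli frequency (<= 1 attack/year)."""
    return p * sev["mean"]

def net_premium(p, sev):                        # item (v): actuarially fair premium
    return expected_loss(p, sev)

def retained_cost(p, sev, risk_aversion):
    """Mean-variance cost of keeping the risk, E[L] + a/2 * Var[L]; an assumed
    stand-in for a risk-averse utility (a = 0 is risk neutral)."""
    el = expected_loss(p, sev)
    ex2 = sev["var"] + sev["mean"] ** 2           # E[X^2] of the severity
    return el + 0.5 * risk_aversion * (p * ex2 - el * el)

def choose_strategy(b0, b1, sev, x_now, loading, unit_cost, p_target,
                    risk_aversion=0.0, link="logit"):
    """Item (vi): cheapest of self-insurance, loaded cyber insurance, and
    self-protection (buy enough security to reach p_target, retain the rest)."""
    p_now = p_attack(b0, b1, x_now, link)
    extra = max(0.0, spend_for_target(b0, b1, p_target, link) - x_now)
    costs = {
        "self-insurance": retained_cost(p_now, sev, risk_aversion),
        "cyber-insurance": (1.0 + loading) * net_premium(p_now, sev),
        "self-protection": extra * unit_cost + retained_cost(p_target, sev, risk_aversion),
    }
    return min(costs, key=costs.get), costs
```

Two checks worth making on real data: the fitted slope on security spend should be negative (otherwise inverting the curve for a target probability makes no sense), and with only a handful of loss observations the gamma fit beats the exponential by a narrow log-likelihood margin, so the severity choice should be revisited as loss data accrue. With a risk-neutral decision maker (risk_aversion=0) a positively loaded premium never beats self-insurance on expected cost alone; it is the variance term that makes insurance attractive, and a cheap enough unit of self-protection beats both.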

Suggested Citation

  • Arunabha Mukhopadhyay & Samir Chatterjee & Kallol K. Bagchi & Peteer J. Kirs & Girja K. Shukla, 2019. "Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance," Information Systems Frontiers, Springer, vol. 21(5), pages 997-1018, October.
  • Handle: RePEc:spr:infosf:v:21:y:2019:i:5:d:10.1007_s10796-017-9808-5
    DOI: 10.1007/s10796-017-9808-5
    Download full text from publisher: http://link.springer.com/10.1007/s10796-017-9808-5 (access to the full text is restricted to subscribers)

    References listed on IDEAS

    1. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    2. Daniel Kahneman & Amos Tversky, 2013. "Prospect Theory: An Analysis of Decision Under Risk," World Scientific Book Chapters, in: Leonard C MacLean & William T Ziemba (ed.), HANDBOOK OF THE FUNDAMENTALS OF FINANCIAL DECISION MAKING Part I, chapter 6, pages 99-127, World Scientific Publishing Co. Pte. Ltd..
    3. Tridib Bandyopadhyay & Vijay Mookerjee, n.d. "A model to analyze the challenge of using cyber insurance," Information Systems Frontiers, Springer, pages 1-25 (volume and year not recorded in the IDEAS entry).
    4. Howard Kunreuther, 1997. "Managing Catastrophic Risks Through Insurance and Mitigation," Center for Financial Institutions Working Papers 98-13, Wharton School Center for Financial Institutions, University of Pennsylvania.
    5. Fang Fang & Manoj Parameswaran & Xia Zhao & Andrew B. Whinston, 2014. "An economic mechanism to manage operational security risks for inter-organizational information systems," Information Systems Frontiers, Springer, vol. 16(3), pages 399-416, July.
    6. Robert T. Clemen & Terence Reilly, 1999. "Correlations and Copulas for Decision and Risk Analysis," Management Science, INFORMS, vol. 45(2), pages 208-224, February.
    7. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    8. Saini Das & Arunabha Mukhopadhyay & Manoj Anand, 2012. "Stock Market Response to Information Security Breach: A Study Using Firm and Attack Characteristics," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 8(4), pages 27-55, October.
    9. Hulisi Öğüt & Srinivasan Raghunathan & Nirup Menon, 2011. "Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self‐Protection," Risk Analysis, John Wiley & Sons, vol. 31(3), pages 497-512, March.

    Citations

    Cited by:

    1. Alessandro Mazzoccoli, 2023. "Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis," Risks, MDPI, vol. 11(9), pages 1-14, August.
    2. Abraham Onipe Okomanyi & Audra R. Sherwood & Ekundayo Shittu, 2024. "Exploring effective strategies against cyberattacks: the case of the automotive industry," Environment Systems and Decisions, Springer, vol. 44(4), pages 779-809, December.
    3. Ben Krishna & Satish Krishnan & M. P. Sebastian, 2023. "Examining the Relationship between National Cybersecurity Commitment, Culture, and Digital Payment Usage: An Institutional Trust Theory Perspective," Information Systems Frontiers, Springer, vol. 25(5), pages 1713-1741, October.
    4. Kalpit Sharma & Arunabha Mukhopadhyay, 2023. "Cyber-risk Management Framework for Online Gaming Firms: an Artificial Neural Network Approach," Information Systems Frontiers, Springer, vol. 25(5), pages 1757-1778, October.
    5. Jae Kyu Lee & Younghoon Chang & Hun Yeong Kwon & Beopyeon Kim, 2020. "Reconciliation of Privacy with Preventive Cybersecurity: The Bright Internet Approach," Information Systems Frontiers, Springer, vol. 22(1), pages 45-57, February.
    6. Alessandro Mazzoccoli & Maurizio Naldi, 2022. "An Overview of Security Breach Probability Models," Risks, MDPI, vol. 10(11), pages 1-29, November.
    7. Rajan, Rishabh & Rana, Nripendra P. & Parameswar, Nakul & Dhir, Sanjay & Sushil, & Dwivedi, Yogesh K., 2021. "Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management," Technological Forecasting and Social Change, Elsevier, vol. 170(C).
    8. Taylor Reynolds & Sarah Scheffler & Daniel J. Weitzner & Angelina Wu, 2024. "Mind the Gap: Securely modeling cyber risk based on security deviations from a peer group," Papers 2402.04166, arXiv.org.
    9. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    10. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    11. Avital Baral & Taylor Reynolds & Lawrence Susskind & Daniel J. Weitzner & Angelina Wu, 2024. "Municipal cyber risk modeling using cryptographic computing to inform cyber policymaking," Papers 2402.01007, arXiv.org, revised Feb 2024.
    12. Supunmali Ahangama, 2023. "Relating Social Media Diffusion, Education Level and Cybersecurity Protection Mechanisms to E-Participation Initiatives: Insights from a Cross-Country Analysis," Information Systems Frontiers, Springer, vol. 25(5), pages 1695-1711, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    2. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    3. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    4. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    5. Martin Peterson, 2002. "The Limits of Catastrophe Aversion," Risk Analysis, John Wiley & Sons, vol. 22(3), pages 527-538, June.
    6. Seow Eng Ong & Davin Wang & Calvin Chua, 2023. "Disruptive Innovation and Real Estate Agency: The Disruptee Strikes Back," The Journal of Real Estate Finance and Economics, Springer, vol. 67(2), pages 287-317, August.
    7. Herrmann, Tabea & Hübler, Olaf & Menkhoff, Lukas & Schmidt, Ulrich, 2016. "Allais for the poor," Kiel Working Papers 2036, Kiel Institute for the World Economy (IfW Kiel).
    8. Christiane Goodfellow & Dirk Schiereck & Steffen Wippler, 2013. "Are behavioural finance equity funds a superior investment? A note on fund performance and market efficiency," Journal of Asset Management, Palgrave Macmillan, vol. 14(2), pages 111-119, April.
    9. Berg, Joyce E. & Rietz, Thomas A., 2019. "Longshots, overconfidence and efficiency on the Iowa Electronic Market," International Journal of Forecasting, Elsevier, vol. 35(1), pages 271-287.
    10. Reckers, Philip M.J. & Sanders, Debra L. & Roark, Stephen J., 1994. "The Influence of Ethical Attitudes on Taxpayer Compliance," National Tax Journal, National Tax Association;National Tax Journal, vol. 47(4), pages 825-836, December.
    11. Bier, Vicki & Gutfraind, Alexander, 2019. "Risk analysis beyond vulnerability and resilience – characterizing the defensibility of critical systems," European Journal of Operational Research, Elsevier, vol. 276(2), pages 626-636.
    12. Sitinjak Elizabeth Lucky Maretha & Haryanti Kristiana & Kurniasari Widuri & Sasmito Yohanes Wisnu Djati, 2019. "Investor behavior based on personality and company life cycle," HOLISTICA – Journal of Business and Public Administration, Sciendo, vol. 10(2), pages 23-38, August.
    13. Theo Arentze & Tao Feng & Harry Timmermans & Jops Robroeks, 2012. "Context-dependent influence of road attributes and pricing policies on route choice behavior of truck drivers: results of a conjoint choice experiment," Transportation, Springer, vol. 39(6), pages 1173-1188, November.
    14. van den Bergh, J.C.J.M. & Botzen, W.J.W., 2015. "Monetary valuation of the social cost of CO2 emissions: A critical survey," Ecological Economics, Elsevier, vol. 114(C), pages 33-46.
    15. Frank D. Hodge & Roger D. Martin & Jamie H. Pratt, 2006. "Audit Qualifications of Income-Decreasing Accounting Choices," Contemporary Accounting Research, John Wiley & Sons, vol. 23(2), pages 369-394, June.
    16. Philippe Fevrier & Sebastien Gay, 2005. "Informed Consent Versus Presumed Consent The Role of the Family in Organ Donations," HEW 0509007, University Library of Munich, Germany.
    17. Ran Sun Lyng & Jie Zhou, 2019. "Household Portfolio Choice Before and After a House Purchase," Economics Working Papers 2019-01, Department of Economics and Business Economics, Aarhus University.
    18. Homonoff, Tatiana & Spreen, Thomas Luke & St. Clair, Travis, 2020. "Balance sheet insolvency and contribution revenue in public charities," Journal of Public Economics, Elsevier, vol. 186(C).
    19. Shuang Yao & Donghua Yu & Yan Song & Hao Yao & Yuzhen Hu & Benhai Guo, 2018. "Dry Bulk Carrier Investment Selection through a Dual Group Decision Fusing Mechanism in the Green Supply Chain," Sustainability, MDPI, vol. 10(12), pages 1-19, November.
    20. Senik, Claudia, 2009. "Direct evidence on income comparisons and their welfare effects," Journal of Economic Behavior & Organization, Elsevier, vol. 72(1), pages 408-424, October.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.