Title: Does Cyber Insurance promote Cyber Security Best Practice? An Analysis based on Insurance Application Forms
Authors: Rodney Adriko, Jason R.C. Nurse
DOI: https://doi.org/10.1145/3676283
Journal: Digital Threats: Research and Practice, volume 31
Publication date: 2024-07-04
Publication type: Journal Article
Platform: Semanticscholar
Citation count: 0
Abstract
The significant rise in digital threats and attacks has led to an increase in the use of cyber insurance as a risk treatment method intended to support organisations in the event of a breach. Insurance providers are set up to assume such residual risk, but they often require organisations to implement certain security controls a priori to reduce their exposure. We examine the assertion that cyber insurance promotes cyber security best practice by conducting a critical examination of cyber insurance application forms to determine how well they align with ISO 27001, the NIST Cybersecurity Framework and the UK’s Cyber Essentials security standards. We achieve this by mapping questions and requirements expressed in insurance forms to the security controls covered in each of the standards. This allows us to identify security controls and standards that are considered – and likely most valued – by insurers and those that are neglected. We find that while there is some reasonable coverage across forms, there is an underrepresentation of best practice standards and controls generally, and particularly in some control areas (e.g., procedural/governance controls, incident response and recovery).