Abstract
Risk transfer can be an economically favorable way of handling security and privacy issues, but choosing this option indiscriminately and without proper knowledge is a risk in itself. This report provides an overview of knowledge gaps related to cyber-insurance as a risk management strategy. These are grouped into three high-level topics; cyber-insurance products, understanding and measuring risk and estimation of consequences. The topics are further divided into 11 knowledge areas with recommendations for further research. The work is based on a study of academic literature and other written materials, such as various reports and newspaper articles. There is a clear lack of empirical data on cyber-insurance, and in particular qualitative studies aiming to understand and describe needs, obstacles and processes relevant for cyber-insurance. We recommend a stronger emphasis on research related to topics that are specific to cyber-insurance, covering decision models for buyers of insurance, barriers for information sharing, impact of cyber-insurance on security, and business models for insurers.
Oppdragsgiver: SINTEF ICT
Oppdragsgiver: SINTEF ICT