An Expanded Cyber Insurance Framework to Mitigate Cyber Induced Economic Losses of the U.S. Power Industry

John P. Rosson


Cyber incidents are increasing in the United States and critical infrastructure is no exception. Aging operational technology is reliable, but much of it was not conceived in this century and lacks the security measures required to deal with worldwide interconnectivity. In order to bring security to the forefront of the critical infrastructure operator's priorities, there must be incentive. Insurance may provide the answer, as transferring risk is an attractive option which can be used to incentivize risk reduction, making it more attractive to both the insured and insurer. The incentives built into insurance contracts today, whether negative or positive reinforcement, have a profound effect on our behavior. This research explores the foundations of insurance theory and adopts behavioral manipulation methods used by mature insurance industries into cyber insurance. This cyber security framework builds on established research to incentivize security investment via insurance contracts by including coinsurance and deductible options. The model is validated by applying power industry performance data from 2013 through 2015. The results show how the addition of coinsurance and deductibles can serve as risk reduction incentives that create trade space in constrained budgets and ultimately make the power industry more secure from a cyber perspective if adopted.