Integrated framework for information security investment and cyber insurance

This paper presents analytical models for optimizing firm's cybersecurity spending and cyber insurance based on the effectiveness of spending in reducing cyber threats, vulnerability and impact, respectively. At the macro-level, the paper shows how private-sector contribution toward countering cybercrimes can reduce the overall cyber loss and create economic value. At the micro level, a firm's effectiveness of security spending in addressing specific cyber threats can be reduced when other co-dependent security measures are not put in place. The paper derives an optimal mix of cybersecurity investments in "knowledge and expertise" versus "deploying mitigation measures". The paper proposes customizing cyber insurance for firms with itemized threat-specific coverage with a portion of the premium used to help clients with risk knowledge and nudge clients in implementing risk mitigation measures. Small and Mid-sized Enterprises can stand benefit the most from such innovative cyber insurance.