A formal model for pricing information systems insurance contracts

Information systems security has become a top priority issue for most organisations worldwide, mainly because of the rapidly increasing number of threats and the highly sophisticated methods utilised for realising the attacks. The typical reaction of IT officials is to protect their systems through a series of technical security measures. However, in the absence of a scientifically sound methodology for evaluating the cost-effectiveness of the security measures employed, the problem is that they are unable to quantify the security level of their system and thus to determine the appropriate amount that they should invest for its protection. Another option that organisations can explore is to insure their information systems against potential security incidents, aiming to balance the consequences that they will experience, in terms of financial losses, through the compensation that they will get from the insurance company. Even in that case, though, the difficulty for the insurance company is the calculation of the appropriate premium. In this paper we present a probabilistic structure, in the form of a Markov model, used to provide detailed information about all possible transitions of the system state in the course of time. Specifically, we are interested on transitions from the fully operational system state to other non-fully operational states that may result as the effect of a security incident. The aforementioned probabilistic structure enables both the estimation of the insurance premium and the valuation of the security investment. (c) 2005 Elsevier B.V. All rights reserved.