We talked with Dr. Daniel Woods of the University of Innsbruck about our list of topics in February 2021. Besides a short introduction to the topics, in the video we also rate them with regard to their feasibility and relevance for academia and the industry.
Getting into cyber insurance and risk quantification is not a straightforward process yet. Compared to the more or less well-established paths into cyber security, established insurance lines of business, actuarial modeling, or insurance law, many current practitioners of the cyber insurance ecosystem are first exposed to the topic when they start their careers in the respective field, usually right out of university/college, or when they transition into it from their previous professional field.
While there are already a few dedicated university courses on cyber insurance, the majority of students that might have heard of cyber insurance will at most have had a single semester course on the topic and might have difficulties writing their bachelor or master thesis about cyber, be it for lack of awareness, lack of suitable academic chairs, or lack of awareness of possible research topics. These difficulties are further magnified by the vastness and interdisciplinary nature of the topic. For example, a bachelor student of cyber security might be interested in cyber insurance, but unable to cover the financial or legal aspects of the topic within the three months available to complete the thesis.
While bachelor and master theses allow students to take a deep dive into a given topic and push the envelope (within reasonable constraints), cyber-economics.com wants to lower the barrier of entry for the cyber insurance and risk quantification industries and combat the chronic skill shortage of quantitative cyber risk professionals by providing students, and perhaps even academics, with a list of topics that are suitable for a thesis and of ongoing interest for the academic research community and the industry.
As the quantification of cyber risk is an open field that touches many current and future industries and academic disciplines, we categorize the research topics broadly into qualitative and quantitative topics, with an occasional overlap of methods and thesis topics. In addition to the thesis topics, we provide the reader with literature recommendations that serve as a natural first step to dig deeper into a given topic.
Likely the first topic that was discussed in the academic cyber quantification literature, the insurability of cyber risks has been used by bachelor and master students as a thesis topic since the early 2000s. While the general question of whether cyber risks are insurable at all has become somewhat redundant given the current cyber insurance market with an estimated $5 to 8 billion in worldwide written premiums, there are still a lot of derived questions that can provide a great thesis topic.
Possible Thesis Topics
- Which cyber risks will become insurable / cease to be insurable in the future? Possible risks to consider are:
- Coverage for breaches of third party systems contracted by the insured party, like cloud providers (currently partially insurable).
- Ransomware payments (the actual ransom, as well as the cleaning of systems, is currently insurable; this also has a strong legal component).
- Next generation IoT devices and autonomous driving cars.
- Coverage for intellectual property (currently not insurable in cyber directly, but there is intellectual property insurance).
Suggested Academic Reading
In the spirit of , , , and other papers, analyzing the contents of cyber insurance forms and policies provides tremendous insights for academics and the industry alike. The SERFF filing system (), which offers extensive up-to-date and historical documents of the US cyber insurance market, is a great source of primary information for this purpose.
Possible Thesis Topics
- An update to the above-mentioned papers. For example, , while published in 2019 in an academic journal (earlier draft versions are available), analyzed policies from 2009 to 2016. As the cyber insurance market has undergone tremendous growth and associated evolution in the last years, it would be interesting to see how the content of cyber insurance policies changed in the previous years and how carriers reacted, for example, to the increased damages through ransomware during the COVID-19 pandemic.
- In the context of a bachelor or master thesis, the analysis of cyber insurance forms from other countries is likely to focus on the respective local market, e.g., a student at a German university analyzing German cyber insurance policies. Most of the content analysis of cyber insurance policies has been done for the US market, which is not surprising given its size and importance (an estimated 60-70% of global written cyber premiums are underwritten in the US), as well as the availability of policies via the SERFF system. An example of this is (starting from page 193), which analyzed Dutch cyber insurance policies and compared them to the US market. However, we are not aware of any system even remotely as complete as the SERFF system for other countries, which makes gathering a sufficient number of local cyber insurance policies a prerequisite.
Suggested Academic Reading
Of special interest for insurers and brokers is the relationship between the coverage of cyber insurance and other related insurance types. Often the coverage of D&O, E&O, media liability, and general P&C (silent cyber, see below for an explicit discussion) overlaps with the coverage of current cyber insurance policies. The question of how to structure cyber insurance alongside other insurance types is especially interesting, as there are two primary ways in which cyber insurance is currently sold: either as an add-on to an existing P&C policy or as a standalone policy. The primary ways to investigate a question in this nexus are either via qualitative interviews or surveys with brokers, primary insurers, insurance lawyers, and risk owners, or by analyzing the wordings of cyber insurance policies and the (potentially) overlapping policies.
Possible Thesis Topics
- How large is the overlap between cyber insurance and other insurance types, and in which scenarios does it occur? Is this overlap sizeable, i.e. could a combination of policies reduce premiums significantly? Does the overlap depend on the type of cyber insurance policy (add-on or standalone)?
- What insurance policy gets priority in case of a cyber incident?
- If add-on policies can mitigate the risk of double insurance, does this make them inherently better than standalone cyber insurance policies?
Suggested Academic Reading
Standard research topics in microeconomics and contract theory, market failures induced by moral hazard and adverse selection can inhibit the efficient transfer of risks or prevent the formation of a functioning market for cyber insurance entirely. Linked to the insurability of cyber risks, the early academic literature on cyber of the 2000s and 2010s, in the absence of the sizeable cyber insurance market of today to analyze empirically, looked at these and other market failures as a consequence of asymmetric information or the inability of the cyber insurer to continuously monitor the cyber security maturity level of an insured entity. To set up a suitable, often agent-based model, a good way to start is to look at classical game-theoretical games and adapt them to cyber as needed.
Possible Thesis Topics
- Under which circumstances can a pooling/separating equilibrium exist when the insurer has only a little information about the cyber maturity level of a potential insured?
- Can an unusual combination of coverage sum and deductible (e.g. very high coverage for a firm with a relatively small turnover) be utilized to draw conclusions about the cyber security level of a firm seeking cyber insurance, i.e. to combat adverse selection in a signaling game?
Suggested Academic Reading
The underwriting process is the gatekeeper for cyber insurance and shapes the insurance market in many ways. While there is an overlap with analyzing current cyber insurance policies (Topic #2), e.g. by comparing what security controls or other information are required in the underwriting process, a thesis about this topic should likely involve interviews with underwriters or other industry practitioners to get additional insights into the current sentiments of underwriters towards cyber risk. gives a good overview and a methodological template for conducting qualitative research into the underwriting process.
Possible Thesis Topics
- What does the current cyber insurance underwriting process look like? How does it differ for small or medium companies compared to large ones? Is there a significant difference in the underwriting requirements between industries?
- How does the reinsurance underwriting process differ from the primary underwriting process? How does this influence the makeup of current cyber portfolios?
- Which technical expedients (cyber security scores, external scans, audits) are utilized in the underwriting process? How do they change the decision to insure, the coverage level, or the premiums?
Suggested Academic Reading
Cyber insurers have become an important principal for cyber security, law firms, PR firms and all other services or products that are involved in the claims management or underwriting process. Understanding the incentives of the various stakeholders, and perhaps even clearly mapping the current or future value chain in the first place, is important to understand and anticipate the future development of the cyber insurance market.
Possible Thesis Topics
- Where does the market power (primary insurers, reinsurers) in the ecosystem currently lie, and how is it going to change in the future?
- Does the cyber insurance industry have enough contracted capacity in case of a cyber catastrophe (a ransomware attack like NotPetya or a longer cloud outage) to service all claims? Where are likely bottlenecks in the ecosystem?
- How does the cyber insurance ecosystem respond to COVID-19? Will certain services or products be in more demand in the future?
- How do certain parts of the cyber risk ecosystem look under the microscope? For example, what are possible incentive incompatibilities for a breach counsel to handle in case of a cyber incident?
Suggested Academic Reading
Analogous to topic 6, the cybercrime value chain is the dark side of the cyber insurance value chain and the "producer" of the underlying cyber risk. The incentives of cybercriminals are a key consideration when it comes to cyber insurance. Given recent developments such as cybercrime-as-a-service and the wholesaling of databases and sensitive information over the darknet, the cybercrime value chain is perhaps as organized as the cyber insurance one.
Possible Thesis Topics
- Does cyber insurance increase the payout for cyber criminals and if so, is cyber insurance even a net welfare loss (See also the 8th topic on welfare below)?
- Does the shutdown of a darknet market (like Silk Road) correspond with measurable temporary declines in cybercrime activity?
- Does the activity of well-known bot networks, especially pauses in their activities like the one observed with Ryuk in 2019, allow conclusions about the perpetrators?
Suggested Academic Reading
In economic terms, all insurance types provide utility by smoothing the consumption of risk-averse parties, which in turn are willing to pay an economic premium on top of the expected value of damages. In the case of cyber, there are additional factors that impact the overall welfare.
A key feature of cyber incidents is that the overall costs are most often not solely internalized by the directly affected party, but also cause collateral damages to other firms and entities: firms using the affected party as a supplier are not able to receive their raw materials, and ransomware and phishing attacks can spread more quickly to business partners as well. While the damages of the directly affected party are usually only slightly increased by these collateral damages, e.g. through fines for broken service level agreements, the social planner, usually the government, following standard economic welfare theory, should internalize all damages regardless of who suffers them. Cyber incidents are, therefore, a negative externality, and their mitigation via cyber insurance or a better cyber security maturity level is a positive one.
Another factor that impacts the overall welfare effect of cyber are possible substitutions of the cyber security budget of a firm by cyber insurance: If the premiums for a cyber insurance policy are paid from the existing cyber security budget, the overall cyber maturity level of a company is likely to be adversely affected and the underlying risk could even increase.
Positive externalities of cyber insurance include the minimum requirements to get a cyber insurance policy, which prompt poorly secured companies to invest more in cyber security as a prerequisite for cyber insurance; possible cross-financing of cyber security measures through a premium reduction in insurance; the knowledge transfer between the insurer and the insured; and the mitigating effects of a prompt incident response orchestrated by the insurer compared to the damages the insured suffers without pre-arranged external help.
Possible Thesis Topics
- How does cyber insurance impact the cyber maturity level of a company? Does this depend on the size of the company, i.e. is the overall welfare gain of smaller companies with a cyber insurance policy in place stronger than for larger companies?
- What are the economic incentives for companies to invest in cyber security when they have an active cyber policy?
- Is the damage mitigation of incident response organized by the cyber insurer significant and on which factors (company size, policy structure, concrete damage scenario) does it depend?
- Can the exclusion of certain risk transfers, e.g. limiting the insurability of ransomware payments, be used to enhance the overall welfare of an economy?
- What are sensible policies for governments to adopt to cost-efficiently increase the cyber maturity level of their respective economy?
Suggested Academic Reading
Insurers have to adhere to regulatory requirements such as Solvency II in the European Union. Solvency II consists of three pillars that define governance, reporting, and risk capital requirements. The Solvency II standard formula mandates an insurance company to have a maximum annual risk of ruin of 1-in-200 or 0.5%. Especially for cyber risks, the standard formula might underestimate the fat tails of cyber and, therefore, underestimate the risk of ruin of insurers underwriting cyber, as discussed by .
An interesting possible research angle for this topic is the aforementioned SERFF filing system, which besides accepted rate schedules and documents also shows rejected and modified ones, as well as the correspondence between insurer and regulator. The unprecedented insights into how cyber insurance is regulated on an operative level have so far not been analyzed in the academic literature and might be a great thesis topic.
Possible Thesis Topics
- Is the Solvency II standard formula adequately calibrated to determine the necessary risk capital for cyber? If not, what are possible stress tests that can be applied to capture the long tails of cyber?
- What are regulators looking for when approving rate schedules? What are common reasons to decline a cyber insurance rate schedule, i.e. an analysis of the correspondence between cyber insurers and regulators?
Suggested Academic Reading
A great hurdle and growing concern for insurance carriers is silent cyber or non-affirmative cyber. In contrast to affirmative cyber policies, which explicitly provide protection against cyber incidents and their related causes, silent cyber describes the exposure of insurers to cyber damages in traditional property and casualty lines of business. A property example of a silent cyber claim is a fire that was started after a hacker manipulated the temperatures of a blast furnace in a steel mill, or the loss of a week's production of a food manufacturer because a ransomware attack disrupted the cold chain by disabling the refrigerators. While these claims are a direct consequence of a cyber incident and would likely be covered by most affirmative cyber policies, they might also be covered within an existing fire or loss-of-production insurance. This means that every P&C carrier is likely already incurring cyber-related losses, even though it might not even be offering affirmative cyber coverage.
One of the most important measures to combat silent cyber has been the silent cyber mandate by Lloyd's of London, which requires all P&C policies underwritten in London to clearly state whether they cover cyber damages. Mandatory since 2020 for property policies and since 2021 for liability policies, it is perhaps a little bit too early to empirically analyze the effects of the silent cyber mandate. However, it will become one of the most tangible sources for the market reaction and sentiments towards silent cyber.
Possible Thesis Topics
- Did the Lloyd's requirement to declare the coverage of cyber damages increase the transparency of silent cyber in P&C portfolios?
- How large is the impeding effect of silent cyber on the affirmative cyber insurance market? One could approach this topic by interviews with industry practitioners or by modeling the correlation between silent cyber and affirmative cyber damages and joint impact on the mandatory risk capital (see also topic #9).
- How is silent cyber handled in local markets? , for example, analyzes German P&C Insurance policies after exclusions for silent cyber.
Suggested Academic Reading
While cyber insurance has seen a sharp rise in awareness and market penetration, there are still a lot of misconceptions about it in the minds of risk owners. Anecdotally speaking, the willingness of risk owners to pay for cyber insurance is low unless they or someone in their immediate peer group is hit by a cyber attack. As these behavioral inefficiencies of cyber insurance also apply to cyber security as a whole, an important research topic is how to phrase and present the facts regarding cyber to the wider public. This, of course, has a natural intersection with the commercial interests of brokers and primary insurers that are looking to increase their sales.
The European Union started the CYBECO Grant () in 2018 to study the behavioral aspects of cyber. The program's website is a good starting point on the topic.
Possible Thesis Topics
- Does the uptake of cyber insurance and/or security increase after big and media-salient hacks such as NotPetya or SolarWinds?
- What wordings in marketing and policies can help to raise awareness for cyber insurance and cyber security and increase its uptake?
Suggested Academic Reading
Of tremendous importance for cyber risk research is the modeling of cyber damages. While looking monolithic on the surface, cyber risk modeling actually encompasses a plethora of different questions and methods. In the context of cyber insurance, the three most important questions are (1) the pricing of cyber insurance policies based on factors such as industry type, security questions, and requested coverage of a given applicant, (2) the modeling of cyber damages for a given entity (firms or natural persons), with or without cyber insurance, and (3) the modeling of cyber damages for a given industry sector or cyber insurance portfolio, which is highly dependent on the correlation between cyber damages. While these questions are deeply linked to each other, from an operative view they have varying relevance for different stakeholders of the cyber insurance value chain. For example, primary insurance underwriters are often looking at the pricing of a single policy, while reinsurance underwriters are more concerned with the correlation and performance of the entire portfolio.
The approaches to modeling cyber also differ. The straightforward approach of fitting a distribution to a damage dataset can be and is also used to model cyber, for example by . However, because of the evolving and hard-to-predict threat landscape, this method does not yield the same predictive value as for more traditional risks. Additionally, in the context of a bachelor or master thesis, the limited availability of free datasets discussed above might be an additional hindrance.
Besides the tried and tested method in the actuarial sciences of fitting distributions to damage datasets, which are classified under 1.2.1 in our cyber-economics.com library, there are other approaches that might be interesting for a thesis. Under 1.2.2 Scenario/Catastrophe Analysis, we have gathered studies and papers that look at possible economic and insurable losses arising from bad to worst-case scenarios, like a widespread ransomware attack or an outage of a major cloud provider. Under 1.2.3 Network/Node Models, you can find modeling approaches that represent computer systems as atomic nodes connected via edges, which have inherent similarities with the modeling of pandemics.
Quantitative topics often require empirical cyber damage datasets or distributions. These datasets are hard to come by in general, especially if they are free of charge. The following sources of data are freely available and most of them have been used in the academic literature. We add new datasets to the 3.1 Cyber-Damages/-breaches/-Incidents Dataset in our cyber-economics.com library.
A completely different approach to modeling cyber is employed by , which reverse-engineers cyber damage loss distributions based on current rate schedules of insurers. From an epistemological standpoint, rather than modeling cyber damages directly, this method quantifies the sentiments of insurers towards cyber risk. While, of course, the rate schedules should be closely connected to the "real" cyber loss distributions, at the very least this approach captures the attitude of entities that put their money where their mouth is. The mentioned paper of Woods et al. averages out the reverse-engineered cyber distributions of 17 insurers to provide a consensus loss distribution. However, especially within the time constraints of a bachelor or master thesis, it is probably a better idea to apply the method of Woods to a single or a few recent rate schedules of a major insurer, to get an up-to-date cyber loss distribution.
Possible Thesis Topics
- Using a direct loss distribution fit, what are the cyber loss distribution and fair price of a cyber insurance contract for a given dataset?
- Using a direct loss distribution fit, what is the correlation between damages for a given dataset?
- Using a node model, how sensitive are the total damages of a hypothetical ransomware attack based on the “contagiousness” of the attack or the difficulty of removing it?
- Using a reverse-engineered loss distribution based on a current rate schedule of a major insurer, what is the sentiment of the respective insurer towards factors in the pricing of cyber insurance? For example, how are policies for small firms priced compared to large ones? How does the security standard of a company change the price? Does this allow a meaningful cross-financing of security spending with reduced premiums (see also Topic 8)?
Suggested Academic Reading
Pricing higher cyber risk transfers via reinsurance within the insurance sector or with cyber bonds via the capital market is an important topic for the insurance industry, possible capital market investors, and academics. While for the pricing of single risks the correlation between cyber damages can be neglected, it becomes the most important consideration for higher risk transfers. Getting a suitable dataset to empirically model the correlation of cyber damages is even more difficult than getting one for cyber damages themselves. Often the parameters guiding the correlation between damages are, therefore, exogenously imposed or derived from other parameters or assumptions within the model. A robustness analysis, i.e., changing the correlation parameters to simulate a low, medium, or high correlation, is then used to analyze the sensitivity of the results to the model parameters.
Possible Thesis Topics
- What is the payout distribution for the reinsurer or the fair price of a reinsurance contract (be it proportional or excess-of-loss) for a given cyber damage distribution? How sensitive are prices and reinsurers' payout distributions to the underlying model assumptions?
- Are cyber bonds able to pay an on-par premium with natural catastrophe bonds (around 5% p.a. since their inception) for a given damage distribution?
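As an added illustration of the quantitative topics above (not code from cyber-economics.com or any of the cited papers), the following Monte Carlo sketch ties together the Solvency II 1-in-200 risk capital (topic #9), the scenario-type losses from a market-wide event (1.2.2) and the correlation robustness analysis for an aggregate excess-of-loss reinsurance layer. All portfolio, frequency and severity parameters are hypothetical and constructed for the example; correlation between insureds is induced by a single "systemic event" hit share, which is swapped between low, medium and high while the expected loss is held fixed.

```python
import math
import random
from statistics import mean

# Hypothetical portfolio and loss parameters (constructed for illustration, not from any real filing)
N_INSUREDS = 200            # policies in the (re)insured portfolio
BASE_FREQ = 0.10            # expected incidents per insured per year, held fixed across scenarios
P_SYSTEMIC = 0.10           # yearly probability of a market-wide event (mass ransomware, cloud outage)
LOG_MU, LOG_SIGMA = math.log(50_000), 1.5   # lognormal severity with a heavy right tail
N_YEARS = 4_000             # simulated policy years per scenario

# Correlation is expressed as the share of insureds hit when a systemic event occurs.
CORRELATION_SCENARIOS = {"low": 0.05, "medium": 0.25, "high": 0.60}


def simulate_annual_losses(hit_share, n_years=N_YEARS, seed=7):
    """Annual aggregate loss of the whole portfolio for one correlation scenario.

    Each insured suffers independent (idiosyncratic) incidents; in a systemic year
    a fraction `hit_share` of all insureds is additionally hit at once. The
    idiosyncratic frequency is reduced so that the expected number of incidents,
    and hence the expected loss, is identical in every scenario: only the
    dependence between insureds changes, which is what the robustness analysis varies.
    """
    rng = random.Random(seed)
    p_idio = BASE_FREQ - P_SYSTEMIC * hit_share
    assert p_idio >= 0, "hit_share too large for the fixed base frequency"
    losses = []
    for _ in range(n_years):
        systemic_year = rng.random() < P_SYSTEMIC
        total = 0.0
        for _ in range(N_INSUREDS):
            incidents = int(rng.random() < p_idio)
            if systemic_year and rng.random() < hit_share:
                incidents += 1
            for _ in range(incidents):
                total += rng.lognormvariate(LOG_MU, LOG_SIGMA)
        losses.append(total)
    return losses


def value_at_risk(losses, level=0.995):
    """Empirical VaR: the annual loss exceeded in only (1 - level) of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(level * len(ordered)) - 1)
    return ordered[idx]


def solvency_capital(losses, level=0.995):
    """Risk capital in the spirit of the Solvency II 1-in-200-year rule: the buffer
    above the expected loss needed so that ruin occurs in at most 0.5% of years."""
    return value_at_risk(losses, level) - mean(losses)


def xol_pure_premium(losses, attachment, limit):
    """Expected payout of an aggregate excess-of-loss layer `limit xs attachment`.

    The reinsurer pays the part of the annual aggregate loss above `attachment`,
    capped at `limit`; the mean payout is the fair (loading-free) premium.
    """
    return mean(min(max(loss - attachment, 0.0), limit) for loss in losses)


def robustness_analysis(attachment=10_000_000, limit=20_000_000):
    """Re-run the portfolio under low/medium/high correlation and report how the
    expected loss, 99.5% VaR, risk capital and the XoL layer price react."""
    table = {}
    for name, hit_share in CORRELATION_SCENARIOS.items():
        losses = simulate_annual_losses(hit_share)
        table[name] = {
            "expected_loss": mean(losses),
            "var_99_5": value_at_risk(losses),
            "risk_capital": solvency_capital(losses),
            "xol_premium": xol_pure_premium(losses, attachment, limit),
        }
    return table


if __name__ == "__main__":
    for name, row in robustness_analysis().items():
        print(name, {k: f"{v / 1e6:.2f}M" for k, v in row.items()})
```

The expected loss barely moves between scenarios while the 99.5% VaR, the risk capital and the layer premium grow with the correlation, which is exactly why a single-risk price can ignore correlation but a reinsurance or cyber bond price cannot.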