Reducing Informational Disadvantages to Improve Cyber Risk Management

Sachin Shetty, Michael McShane, Linfeng Zhang, Jay P. Kesan, Charles A. Kamhoua, Kevin Kwiat, Laurent L. Njilla

Research output: Contribution to journal, Article, peer-review


Effective cyber risk management should include the use of insurance not only to transfer cyber risk but also to provide incentives for insured enterprises to invest in cyber self-protection. Research indicates that asymmetric information, correlated loss, and interdependent security issues make this difficult if insurers cannot monitor the cybersecurity efforts of the insured enterprises. To address this problem, this paper proposes the Cyber Risk Scoring and Mitigation (CRISM) tool, which estimates cyberattack probabilities by directly monitoring and scoring cyber risk based on assets at risk and continuously updated software vulnerabilities. CRISM also produces risk scores that allow organisations to optimally choose mitigation policies that can potentially reduce insurance premiums.

Original language: English (US)
Pages (from-to): 224-238
Number of pages: 15
Journal: Geneva Papers on Risk and Insurance: Issues and Practice
Issue number: 2
State: Published - Apr 1 2018


  • Bayesian belief networks
  • attack graphs
  • cyber insurance
  • cyber risk management
  • security risk scores
  • vulnerability assessment

ASJC Scopus subject areas

  • Accounting
  • Business, Management and Accounting (all)
  • Finance
  • Economics and Econometrics

