Skeoch, Henry Robert Keith (2024). The Economics of Information Security: Investment, Insurance and Evaluation. Doctoral thesis (Ph.D), UCL (University College London).
Abstract
The complexity and connectivity of modern information technology systems present a significant modelling challenge from a security perspective. The field of security economics aims to use the tools of economics to reason about security problems to understand and evaluate the different possible outcomes of varying security postures. This thesis is primarily focused on the economics of cyber-insurance, which provides indemnity for individuals and organizations against financial losses related to degradation in cyber-security risk parameters such as confidentiality, integrity, or availability. The research presented addresses several pertinent questions related to cyber-insurance. An existing influential model for cyber-security investment decisions, the Gordon-Loeb Model, is expanded to include cyber-insurance and the optimal combination of defensive security investment versus insurance is investigated. A modelling framework is then developed that combines a systems-focused descriptive approach to security modelling using entity relationship diagrams and security maturity models to demonstrate how their outputs might be used to provide or adjust parameters for an expected utility maximization insurance pricing approach. This model helps to provide a consistent methodology for pricing cyber-insurance, which then poses the question of scalability and insurance market capacity. If a market is not efficient, theory suggests financial imbalances will develop. Via simulations, it is demonstrated that better information sharing is a key condition to strengthen the sustainability of the cyber-insurance market. Finally, an economic model of a ransomware attack across a network is developed. Ransomware is a key concern for cyber-insurers as it has the potential to trigger immediate financial losses and accordingly is an important modelling target for the cyber-insurance industry.
Type: | Thesis (Doctoral) |
---|---|
Qualification: | Ph.D |
Title: | The Economics of Information Security: Investment, Insurance and Evaluation |
Open access status: | An open access version is available from UCL Discovery |
Language: | English |
Additional information: | Copyright © The Author 2024. Original content in this thesis is licensed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) Licence (https://creativecommons.org/licenses/by-nc/4.0/). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. Access may initially be restricted at the author’s request. |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10185804 |