Louise Axon

Jason R. C. Nurse, Louise Axon, Arnau Erola et al.

Cyber insurance is a key component in risk management, intended to transfer risks and support business recovery in the event of a cyber incident. As cyber insurance is still a new concept in practice and research, there are many unanswered questions regarding the data and economic models that drive it, the coverage options and pricing of premiums, and its more procedural policy-related aspects. This paper aims to address some of these questions by focusing on the key types of data which are used by cyber-insurance practitioners, particularly for decision-making in the insurance underwriting and claim processes. We further explore practitioners' perceptions of the challenges they face in gathering and using data, and identify gaps where further data is required. We draw our conclusions from a qualitative study by conducting a focus group with a range of cyber-insurance professionals (including underwriters, actuaries, claims specialists, breach responders, and cyber operations specialists) and provide valuable contributions to existing knowledge. These insights include examples of key data types which contribute to the calculation of premiums and decisions on claims, the identification of challenges and gaps at various stages of data gathering, and initial perspectives on the development of a pre-competitive dataset for the cyber insurance industry. We believe an improved understanding of data gathering and usage in cyber insurance, and of the current challenges faced, can be invaluable for informing future research and practice.

Meredydd Williams, Louise Axon, Jason R. C. Nurse et al.

Over the past half-century, technology has evolved beyond our wildest dreams. However, while the benefits of technological growth are undeniable, the nascent Internet did not anticipate the online threats we routinely encounter and the harms which can result. As our world becomes increasingly connected, it is critical we consider what implications current and future technologies have for security and privacy. We approach this challenge by surveying 30 predictions across industry, academia and international organisations to extract a number of common themes. Through this, we distill 10 emerging scenarios and reflect on the impact these might have on a range of stakeholders. Considering gaps in best practice and requirements for further research, we explore how security and privacy might evolve over the next decade. We find that existing guidelines both fail to consider the relationships between stakeholders and do not address the novel risks from wearable devices and insider threats. Our approach rigorously analyses emerging scenarios and suggests future improvements, of crucial importance as we look to pre-empt new technological threats.