Pricing insurance for risks associated with information technology systems presents a complex modelling challenge, combining the disciplines of operations management, security, and economics. This work proposes a socioeconomic modelling framework for cyber-insurance decisions composed of entity relationship diagrams, security maturity models, and economic models, addressing a long-standing research challenge of capturing organizational structure in the design and pricing of cyber-insurance policies. Insurance pricing is usually informed by the long experience insurance companies have of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. A unique challenge of cyber-insurance is that data history is limited and not necessarily informative of future loss risk, meaning that established actuarial methodology for other lines of insurance may not be the optimal pricing strategy. The modelling framework proposed in this paper provides a vehicle for agreement between practitioners in the cyber-insurance ecosystem on cyber-security risks and allows users to choose their desired level of abstraction in the description of a system.