Pricing insurance for risks associated with information technology systems presents a complex modelling challenge, combining the disciplines of operations management, security, and economics. This work proposes a socioeconomic model for cyber-insurance decisions composed of entity relationship diagrams, security maturity models, and economic models, addressing a long-standing research challenge: capturing organizational structure in the design and pricing of cyber-insurance policies. Insurance pricing is usually informed by the long experience insurance companies have of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia start from a baseline determined by these considerations. A unique challenge of cyber-insurance is that the data history is limited and not necessarily informative of future loss risk, which means that the established actuarial methodology used for other lines of insurance may not be the optimal pricing strategy. The model proposed in this paper provides a vehicle for agreement between practitioners in the cyber-insurance ecosystem on cyber-security risks and allows users to choose their desired level of abstraction in the description of a system.