Risks associated with information technology systems present a complex modelling challenge, combining the disciplines of operations management, security, and economics. The challenge is to establish a representation of an organization's operational and systems architecture that allows an assessment of the security postures of its various components able to support an assessment of its insurance risk. This work proposes a socioeconomic model for cyber-insurance decisions compromised of entity relationship diagrams, security maturity models, and economic models, thereby linking systems-type and economic approaches to cyber-security assessments. The concept of a cyber-loss-adjuster is introduced, who reconciles cyber-incidents with economic losses. The work aims to bridge a number of disciplines to partly address a longstanding research challenge of accounting for organizational structure in the design and pricing of cyber-insurance. It is important to note the following: insurance companies have long experience of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. The contribution of the methodology proposed here is to provide a framework for calculating the effects of cyber-based risk on the frequency and magnitude of losses. This is achieved through a security analysis of the relationship between the operational structure of an organization and its information systems. It also provides a consistent means for those seeking insurance to describe and understand their security posture and for an insurance company to price its offer of coverage.

翻译：信息技术系统相关的风险带来了复杂的建模挑战，融合了运营管理、安全性和经济学等学科。这一挑战在于建立组织运营与系统架构的表示方法，使其能够评估各组成部分的安全态势，从而支持保险风险评估。本文提出了一种网络保险决策的社会经济模型，该模型包含实体关系图、安全成熟度模型和经济模型，从而将系统类型方法与经济方法联系起来，用于网络安全评估。引入了“网络损失调整员”的概念，负责协调网络事件与经济损失。本文旨在连接多个学科，以部分解决长期存在的研究难题——在设计和定价网络保险时考虑组织结构。需要特别指出：保险公司长期以来根据组织的规模、行业领域和地理位置，积累了关于损失规模和发生频率的丰富经验。因此，它们的保费计算将从基于这些因素确定的基准出发。本文提出的方法论的贡献在于提供了一个框架，用于计算基于网络的风险对损失频率和规模的影响。这是通过分析组织运营结构与其信息系统之间的安全关系实现的。该方法还为寻求保险的组织提供了一种统一的方式来描述和理解其安全态势，同时为保险公司定价其承保范围提供了连贯的手段。