Incentivizing Cyber Security Investment in the Power Sector Using An Extended Cyber Insurance Framework

Collaboration between the DHS Cybersecurity and Infrastructure Security Agency (CISA) and public-sector partners has revealed that a dearth of cyber-incident data combined with the unpredictability of cyber attacks have contributed to a shortfall in first-party cyber insurance protection in the critical infrastructure community. This research explores the foundations of insurance theory and adopts behavioral manipulation methods to incentivize cyber-security investment. We validate the model by applying power industry performance data from 2013-2015 to assess risk facing the industry. Results show that the model can successfully discriminate between individual power companies as well as geographic regions on the basis of risk and can recommend cyber risk-management strategies tailored to individual risk profiles. The adoption of this framework could invite more market participation, which will create a more robust cyber-incident reporting environment, contributing directly to the DHS goal of creating a national cyber-incident data repository.