Cyber Insurance
Lorentz Workshop Open Day

27 March, 2019, Lorentz center, Leiden, NL

About The Event

This is an open day within the Lorentz workshop on Cyber Insurance and Its Contribution to Cyber Risk Mitigation. There will be two keynote presentations on cyber insurance, a brief introduction to the CYBECO results and toolbox, and several roundtables around the workshop themes. The discussion will focus on the main challenges for cyber insurance and how they can be overcome.

Where

Oort Lorentz center, Leiden, NL

When

09:00-18:00
27 March, 2019

Event Schedule

Here is our event schedule

Registration

Introduction

Location: Lorentz center - Lecture room (3rd floor of the Oort building)
Explanation of objectives and way of working for the open day.

Eireann Leverett, Centre for Risk Studies at the University of Cambridge & Concinnity Risks

Vulnerability does not equal loss by Eireann Leverett

Location: Lorentz center - Lecture room (3rd floor of the Oort building)

Presentation of the roundtable themes

Location: Lorentz center - Lecture room (3rd floor of the Oort building)
See topics description below.

Roundtables session

Location: Lorentz center (3rd floor of the Oort building)
The roundtables, including a coffee break session

Networking break and lunch

Location: Lorentz Center lunch room

Philipp Hurni, Swiss Re

Cyber accumulation risk - Swiss Re's view on Cyber catastrophes by Philipp Hurni

Location: Lorentz center - Lecture room (3rd floor of the Oort building)

CYBECO project

CYBECO session

Location: Lorentz center - Lecture room (3rd floor of the Oort building)
The H2020 CYBECO team will present the developed approach and the results of a controlled experiment on cyber insurance decision making, and will give a demo of the CYBECO toolbox.

Coffee break

Location: Lorentz Center - Common room

Plenary session - Roundtables results

Location: Lorentz center - Lecture room (3rd floor of the Oort building)
Results of the roundtables and discussion

Closing of event

Location: Lorentz center - Lecture room (3rd floor of the Oort building)

Networking and workshop dinner

Location: Belgisch Biercafe Olivier (Leiden)

Event Venue

Event venue location info and gallery

Lorentz Center, Leiden, NL

The Lorentz Center is a national center for international workshops in all scientific disciplines. At the Lorentz Center, groups of researchers are brought together to assess the status of a field and share results, problems, methods, and views on future directions of research.
Lorentz center web page: www.lorentzcenter.nl

Hotels

Here are some nearby hotels

Hotel Van der Valk Leiden

1.7km from the Venue

Holiday Inn Leiden

1.0km from the Venue

Roundtable Topics

  • The cyber insurance market involves different players (insurers, brokers, insured companies, regulators, third-party vendors, security service providers, and others) who together form a complex ecosystem. Each of these parties has its own perspective and goals, which must be taken into account for cyber insurance to operate effectively. Therefore, we need to study a model of the cyber insurance ecosystem that includes the existing relationships between parties and their goals from various perspectives (economic, legal, ethical, risk management).

    Another open problem in the cyber insurance market is the lack of trust between insurers and insured companies. It limits insurers' understanding of companies' level of risk, which leads to an inadequate level of coverage. This issue demands better standards and regulation to help establish transparent and efficient relations within the cyber insurance ecosystem. An alternative approach could be the development of new business models where, for example, a cyber insurer collaborates with a cyber security service provider by selling insurance coverage together with security services. It is also relevant to determine what the 'correct' behaviour for the ecosystem is and how cyber insurance affects the behaviour of insured companies and the ecosystem in general. Then, we could consider relevant behavioural techniques for cyber insurance to nudge or incentivize ecosystem players towards the correct decision-making.

    The cyber insurance market is a complex topic and could benefit from the contribution of different perspectives, such as security certification approaches from cyber security, new business models from business development, financial models from economics, and behavioural theories from psychology. A clear understanding of the cyber insurance ecosystem and of the best behaviour for its participants could reveal the central conditions for the use of cyber insurance. Overcoming barriers such as the lack of trust between cyber insurance players could also give a green light to the adoption of cyber insurance.

  • A well-known problem for cyber insurance is the lack of (historical) data about security incidents. Having those data is one of the critical conditions for the successful operation of cyber insurance. In May 2018, the new General Data Protection Regulation (GDPR) will come into force. GDPR requires all companies that work with personal data of EU citizens to report any data breach affecting these data. Therefore, data protection authorities will be collecting a significant amount of information about security incidents. There is an ongoing discussion within the cybersecurity community about providing access to these data for interested parties. With these data, cyber insurers could build better actuarial models of cyber risks or use different techniques such as predictive models or machine learning classification. However, such an access mechanism is an open problem that requires contributions from different perspectives, as it involves the interests of various parties (such as government, companies, and individuals). The behavioural and economic perspectives feed into the willingness to share the data. To enable meaningful interpretation, contributing to better insurance and a reduction of systemic risk, knowledge from cyber security (what data to look for), risk management (linking data to risk), and modelling (correlating data) needs to be combined.

  • Existing approaches such as STRIDE, CORAS, and attack trees help to identify threats and describe how cyber attacks may develop. The benefit of these methods is that they can be used to model different types of attackers and some behavioural aspects in terms of likelihood. However, they poorly incorporate the dynamic behaviour of parties and the economic perspective, i.e. cyber security and cyber insurance investments and their effect. In this regard, several research works have proposed economic and financial models to determine the optimal amount of investment in information systems security. Moreover, as shown by Böhme and Schwartz (2010), there is a significant inconsistency between existing models concerning how they address the main obstacles: interdependent security, correlated risk, and information asymmetries. The primary challenge in addressing these obstacles is to develop a holistic representation of cyber threat agents and their behaviour, which requires a careful combination of economic and mathematical modelling approaches while accounting for behavioural aspects. Such a threat modelling approach is a key condition for understanding how cyber insurance contributes to cyber security risk management, as attackers play a crucial role in the threat events that we are protecting against.

  • With increasing digital connectivity we become more dependent on one another, which increases the scale and effect of cyber attacks. Therefore, a significant challenge for cyber society is to address the growing systemic risk by improving cyber resilience and defining the responsibilities of the participants in the ecosystem. An open question in this respect is how cyber insurance can contribute to the realization of cyber resilience and the fulfilment of responsibilities, and what kind of implications it creates for the ecosystem. Therefore, we need contributions from 1) cyber security on what cyber resilience means and what kind of responsibilities are vital, 2) the economic and behavioural models of a cyber catastrophe and scenarios for resilience, as well as 3) the risk management vision on the balance between investments in security controls and cyber insurance. This topic adds to the understanding of how cyber insurance supports the cyber ecosystem beyond the limits of cyber security risk management and contributes to cyber resilience, i.e. helps to withstand cyber 'hurricanes'.
