Cyber security is an increasingly important concern for citizens, businesses and policymakers. The concern is becoming more acute in an increasing number of countries, as societies already rely on cyberspace to do business, purchase products and services and exchange information online. This trend is expected to continue towards the continuous digitization, interconnection and integration of systems and platforms. Individuals and corporations are thus acquiring a digital life and activity, composed of bits, alongside their physical life and activity, which makes them more vulnerable to digital threats. While digitization is transforming business models and daily lives, it is also making the global economy more vulnerable to cyber-attacks. One response is to transfer the cyber risk to a third party. This can be applied to a wide range of incidents, from individual breach occurrences to wider losses such as mass data breaches, ransomware (e.g. WannaCry) and distributed denial-of-service (DDoS) attacks.
The consequences of these risks, should they materialize, vary but include direct economic loss (digital assets, income, etc.), loss or theft of personal data, disclosure of sensitive data, possible reputational damage, confidentiality or integrity compromise of the information under attack, regulatory and/or legal exposure, loss of business and industrial secrets, increased costs of doing business, etc. Nowadays, many cyber-attacks have financial motives and focus on stealing personal data, trade secrets or intellectual property, or even on an assault on a person's digital life as a whole. When a cyber-attack occurs or a digital life is lost, a series of costs may be generated and the income-generating capacity of the affected individual may be impaired. This can be short term, in the case of a cyber-attack leading to a minor loss of money and/or data, or medium to long term, in the case of a severe cyber-attack. The latter may lead to a large economic loss and/or an information and data breach; it may delete accounts and digital profiles and damage critical assets and properties (domains, servers and files), thus increasing the associated economic loss and reputational damage.
Such an economic loss has consequences not only for the affected individual but also for the entire economic system in which he or she operates. The challenge, therefore, is to account for the costs incurred by the cyber-attack and for the means to prevent it or compensate for it (in relation to the individual, the household, the business and the state). The methodological approach introduced in this paper evaluates the aforementioned economic loss by considering the equivalent money that the individual would not have lost had he or she not suffered the cyber-attack.
On one hand, prevention and protection can rely on education and awareness, such as the adoption of best practices regarding a person's digital life, and on technological measures, such as the use of secure sites, systems and platforms, and updated and legitimate software, equipment and infrastructure. On the other hand, they can be based on financial-insurance means, such as the accumulation of a fund that can be spent to recover from the loss caused by a cyber-attack. The latter is of great significance since, if all other means fail, there needs to be a last-resort fund or account that covers at least the financial loss the affected individual will have to endure. Such a fund accumulation needs to take into account the probability of occurrence of a cyber-attack as well as the probable loss; as such it can be offered via an insurance coverage. The commercialization of such coverage can be wholesale or retail. The first can be achieved by embedding it as a feature of the ISP contract, of the web banking account or of the digital services offered by any provider. The second can be realized by making it available to persons or enterprises through individual sales.
Our goal is to build on the aforementioned approach. We propose a valuation (pricing) of the loss caused by digital threats (digital crime) to the citizens affected by these incidents through insurance-oriented methods, and we explore the potential insurance coverage that is suitable for the relevant risk. The value (price) is nothing else but the burning cost of such a coverage; in the wholesale option it can be borne either by the provider or by the state. This mimics the calculation of a risk premium: the premium is calculated by taking into account only the probability of occurrence of the cyber-attack and the interest rate, without considering any other factors (expenses or loadings). It also gives an indication of the amount that needs to be set aside to cover the one-off economic loss suffered as a result of the cyber-attack. A similar approach has been followed by Dimitriou and Poufinas, who used actuarial pricing techniques to estimate the cost of road traffic accidents to the economy.
Our contribution to scientific research in the field of cyber insurance is the application of insurance-based actuarial techniques to the quantification of the loss in present-value terms. To the best of the authors' knowledge, this direction has not been pursued in the past.
2. Literature Review
The existing literature regarding cyber-attacks and other forms of digital risk for individuals, households, businesses, insurance companies and policy makers focuses more on the cost-benefit analysis of alternative investments and on optimal investment allocation. Even in the cases in which utility functions have been employed, this has been done in order to compare a limited number of alternatives (such as risk pooling arrangements and managed security services) to cyber insurance. No specific utility functions are constructed and no combinations of alternatives are derived.
Moreover, in practice, although it is generally accepted that insurance policies can claim a serious market share because of entities' high awareness of cyber risk and their increasing exposure to it, the selection of cyber insurance as a risk mitigation tool is made on qualitative rather than quantitative criteria. In addition, a commonly accepted risk framework does not seem to be in place. As mentioned earlier, the market uses no specific or uniform criteria in deciding whether to purchase cyber insurance, and in most cases the decision seems to be lost between the different executives of the company or organization, without a specific methodological approach. Furthermore, the market lacks specific indicators and metrics, as well as the organizational maturity, to make such decisions.
In the past, proposals have been examined for the use of insurance as a risk management tool, taking into account the characteristics of digital hazards and how these affect the design of appropriate insurance policies and contracts, as well as the viability of an insurance market for complete coverage. The increasing frequency of cyber-attack incidents, in combination with the need to comply with new legislation, contributes significantly to the demand for digital security and insurance solutions. Ways of benefiting from insurance policies for both business and society, as well as approaches, standards, incentives and rewards to increase individual protection and security, have been investigated. Furthermore, models supporting decisions on appropriate levels of investment in security and digital insurance for organizations that operate or exploit critical digital resources have been examined.
There are objective difficulties: the absence of optimal pricing of the risk premium, the lack of a uniform way of costing and investing in insurance products against digital risks, the calculation of exposure to digital hazards, the classification of emerging digital hazards, the lack of reliable data, asymmetric information (Shetty et al., 2010) and the threat of moral hazard, none of which facilitates the development of solid insurance policies and solutions. Despite these, various surveys point out that digital insurance can address the management of digital risk, as has been proven in the past for other risk areas (health, life, vehicle, etc.). Studies show that insurance increases protection on the internet, and that preventive actions against cyber-attacks, including the use of insurance, contribute to cyber resilience.
In this paper we introduce an insurance-oriented methodological approach to estimate the cost of cyber-attacks in a given economic system. We expect to provide a more holistic approach to the cyber-attack cost estimation. A key conceptual principle of the proposed methodology is that the overall cyber-attack cost for an individual in the economy is represented by the one-off economic loss he or she may incur. This modeling approach and its outputs can assist in proper decision making, cyber resilience, insurance coverage acquisition, investment allocation and budgeting towards cyber security.
3. Research Method
We treat a cyber-attack as a digital death, i.e. we claim that after a cyber-attack happens the individual has no digital life any more. This is equivalent to physical death (fatality) when we examine physical life incidents. Such an approach is justified, as in the framework of this paper we make the hypothesis that any cyber-attack leads at least to the deletion of an individual's digital profile (e.g. unique virtual identity). Alternatively, one may allow several incidents to occur, but we leave this for future research. Allowing for more cyber-attacks in the span of a person's digital life would more closely resemble a physical disability or illness.
We examine the economic loss arising from the realization of such an incident. We value (price) the cost of cyber-attacks to the affected individuals by calculating the present value of this economic loss, adjusted for the probability of the event (cyber-attack) happening. This resembles the calculation of a pure insurance premium, i.e. a premium calculated only from the probability of the event occurring and the interest rate, ignoring any loadings (expenses, etc.). As mentioned earlier, we mimic the calculation of the burning cost of an insurance policy that covers the risk under investigation in order to find this amount.
For the purposes of our research the population of interest consists of all individuals, and we treat each individual's physical age as his or her digital age. In addition, we assume that each individual in the population is able to produce one monetary unit of income, e.g. USD 1, over his or her entire digital life. The cost of protecting this one unit of income is the pure premium of a whole-digital-life policy that pays only in case of a cyber-attack incident. The loss we examine is the amount the individual has the capacity to produce during his or her entire digital life, not just the portion attributable to the remainder of that life up to the cyber-attack. Coverage runs from the current age x until cyber death occurs. In other words, if an individual experiences a cyber-attack with an economic impact, his or her digital life is terminated and he or she needs to recover the entire income he or she is able to produce in that lifespan (in this case the USD 1).
For our numerical application, we consider the cyber-attack incidents in Greece. We assume that: 1) The probability (or frequency) of a cyber-attack happening to an individual of age x is known, for each x and for each subsequent year of his or her life, from empirical data in the Hellenic Police database. Since the Hellenic Police database provides no granular information beyond the total number of cyber incidents per year, we estimate the age profile from the FBI report, which records cyber incidents per age band as well as the resulting economic loss, assuming that the relevant frequencies do not differ greatly between the two countries. 2) The interest rate curve is flat at 2%. 3) The monetary unit of income is produced at the end of each year; should a cyber-attack occur (leading to digital death), the income recovery or replacement is paid at the end of the year of the incident. 4) Any monetary contribution resembling an insurance premium, made in order to accumulate the necessary capital, takes place at the beginning of the year. We take a snapshot of the population of interest and study the effect of cyber-attacks on that population, assuming no new entries and no exits other than digital deaths from cyber-attacks.
4. A Financial Protection Approach
As the cost estimation approach is based on the actuarial methodology used to price an insurance product covering fatality (digital death in our case) either lifetime or for a specific term, we introduce the relevant notation.
Let px denote the probability that an individual with digital life-age x (x), will attain age x + 1, while denote the probability that the individual (x) will experience a digital fatality within one year. We set as the probability that individual (x) lives for n years to reach age x + n, as the probability that (x) will digitally decease within the next n years, and as the probability that (x) will digitally decease between ages x + m and x + m + n. We let be the probability that individual with digital age x, will experience a digital fatality between ages x + m and x + m + 1.
The cost of protection per USD 1 per individual is the present value of this USD 1 for each year it could be paid, adjusted for the probability that the individual suffers a digital fatality during that year due to a cyber-attack.
We denote by the lump sum cost of the protection of USD 1 for the digital life of the individual (x). The analytical formula of the annuity, payable at the end of the year, is
If for each individual the total equivalent loss is IS, then the total lump sum cost is given by
If any of the individuals (users with internet connection) in the population acquires an individual insurance policy, then he or she will pay the implied commercial premium with all the applicable loadings such as taxes, expenses, profit margin, etc. Alternatively, the insurance coverage could be offered as a feature of his or her internet connection/service. In such a case the implied premium could be added on top of the periodic fee of his or her internet connection/service contract paid to/charged by the internet service provider. So for example, for each USD 1 an individual would like to protect, by not losing it in case of a cyber incident (cyber loss), the equivalent cost of an insurance coverage needs to be calculated. This insurance coverage offers essentially a financial protection in the case of a cyber-attack.
In order to demonstrate the merit of our valuation, we apply it to the cyber-crime incidents (fatalities, for the purposes of our presentation) that occurred in Greece for the years 2011 to 2016, as officially recorded by the Hellenic Police. There were 2751 incidents in 2016, 2212 in 2015, 2275 in 2014, 1190 in 2013, 3329 in 2012 and 831 in 2011, an average of 2098 incidents per year for the period 2011-2016. We calculate the probability (frequency) of an individual of age x suffering a cyber-attack in each of the following m years of his or her life, which for the purposes of this paper is equivalent to his or her digital life. We take the maximum age of interest, ω, to be 130 years. This assumption does not harm the validity of our calculations, as the probability of survival beyond that age is practically zero.
As data per age band are not available in the Hellenic Police database, we follow the breakdown available in the FBI report, assuming that the relevant frequencies for the Greek population under examination will not differ (very much). We take the population of Greece and apply the proportion of individuals that suffered a cybercrime as recorded in the FBI report, using the average of the frequencies for the years 2016 and 2017.
The age bands are drawn from the Hellenic Statistical Authority report: age bands of 10 years from 0 to 79 years of age and one age band of 50 years for citizens over 80 years of age (as we assume a maximum age of 130 years). This yields a total of 9 age bands. We assume that both the population and the incidents within each age band are uniformly distributed over the single years of age in the band, so that dividing a band's total by its width (10 for the bands up to 79) gives the figure for each single year of age. The total population is taken from the latest official census of the Hellenic Statistical Authority; we assume that the population remains unchanged for the years under evaluation.
We apply the FBI frequencies, which are available for a smaller number of age bands, namely under 20, 20-29, 30-39, 40-49, 50-59 and 60 and over. We assume that within each of these bands the number of cybercrime incidents also follows a uniform distribution, so that by dividing the number of incidents by the number of years in the band we obtain the incidents corresponding to each year of age. We can then calculate the average number of cyber-attacks (crimes) per one (1) million people per age band (for the six bands chosen), and from that the average number of cyber-attacks (crimes) per one (1) million people per year within the six age bands under investigation. This is shown in Table 1.
Table 1. Number of cyber-deaths (fatalities) due to cyber-attacks.
Source: Author calculations based on Hellenic Statistical Authority, Hellenic Police and FBI.
To complete our study we assess the economic loss that a cyber-attack can cause to the individual and to the society/economy as a whole. Due to the lack of more refined data (time series) on the economic loss resulting from a cyber-attack, we take into account the average cost per capita for the years 2016 and 2017 as estimated from the FBI cyber-crime incident reports, as well as the costs presented in other studies of digital risk (bearing in mind the discrepancies and margin of error that may be present, as most of these studies estimate the cost from the side of a business), such as Ponemon-Accenture, AIG and Net Diligence. Alternatively, following a more horizontal approach, one may assume that the cost associated with a cyber-attack equals a percentage of GDP per capita for the period under investigation. Under this framework, we derive an average loss (per study) of 1) ~USD 4400 per individual as documented by the FBI; 2) ~USD 3500 from Ponemon-Accenture; 3) ~USD 1900 following AIG; 4) ~USD 8000 as per Net Diligence; 5) ~USD 3000 according to McAfee; and 6) ~USD 2500 to USD 3300 if we assume that the loss reached 15% - 20% of the GDP per capita of Greece.
For the purposes of our numerical application, following the aforementioned estimates, we calculate the per capita average burning cost for every USD 1000 of financial protection acquired against a cyber-attack. Expressing the burning cost or premium per mille of sum assured is common in insurance, since the actual burning cost or premium is then found by multiplying the per-mille figure by the number of thousands of USD of sum assured purchased or sought.
Based on the above, we calculate the average (total and per individual) economic loss (cost) when such a cyber-attack occurs, as well as the amount that should be set aside to cover these losses either by the state (as a fixed amount per year) or by an internet service provider (as insurance protection added to an internet connection contract). We apply Equations (1) and (2) to find the average cost (lump sum) and the per capita cost for the Greek population and produce the applicable cyber-attack mortality table, shown as Table 2 below. We denote by lx the number of individuals who live (survive) to age x and by dx the number of individuals who die at age x.
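The following Python script is an added worked example, not code from the paper, that carries out the procedure described above (Table 1 construction and the lump-sum/per-capita pricing): it spreads age-band incident and population counts uniformly over single years of age, derives the one-year digital mortality rate q_x = dx / lx, computes the whole-digital-life burning cost per unit of sum assured, and aggregates it over the snapshot population. Since Equations (1) and (2) are not reproduced on this page, the pricing formula used is the standard actuarial whole-life net single premium that the text describes in words: the sum over each future year k of v^(k+1) times the probability of digital death in year k, with v = 1/(1+i), a flat interest rate and payment at the end of the year of the incident. The age-band figures in the script are constructed for illustration and are not the paper's Greek data.

```python
"""Burning cost of a whole-digital-life cover (added example, not the paper's code).

Pricing follows the standard whole-life net single premium: for an individual
aged x the cost of protecting 1 monetary unit is
    sum_{k=0}^{omega-x-1} v**(k+1) * (_k p_x) * q_{x+k},   v = 1/(1+i),
i.e. present value of 1 unit paid at the end of the year of digital death,
with a flat interest rate (paper's assumptions 2 and 3). All input counts
below are CONSTRUCTED for illustration.
"""

OMEGA = 130        # limiting age used in the paper
INTEREST = 0.02    # flat 2% interest curve


def per_year_of_age(band_totals, omega=OMEGA):
    """Spread each age band's total uniformly over its single years of age.

    band_totals: iterable of ((lo, hi), total) with inclusive ages, hi < omega.
    Returns a list indexed by age 0..omega-1.
    """
    out = [0.0] * omega
    for (lo, hi), total in band_totals:
        if not 0 <= lo <= hi < omega:
            raise ValueError(f"band {lo}-{hi} outside 0..{omega - 1}")
        width = hi - lo + 1
        for age in range(lo, hi + 1):
            out[age] += total / width
    return out


def digital_mortality_rates(incident_bands, population_bands, omega=OMEGA):
    """Return (q_x, l_x): q_x = d_x / l_x per single year of age (0 if no lives)."""
    dx = per_year_of_age(incident_bands, omega)
    lx = per_year_of_age(population_bands, omega)
    qx = [d / l if l > 0 else 0.0 for d, l in zip(dx, lx)]
    return qx, lx


def whole_life_burning_cost(qx, x, i=INTEREST, omega=OMEGA):
    """A_x: present value of 1 unit paid at the end of the year of digital death."""
    v = 1.0 / (1.0 + i)
    survival = 1.0          # _k p_x: probability that (x) reaches age x+k
    cost = 0.0
    for k in range(omega - x):
        deferred_q = survival * qx[x + k]   # _{k|}q_x: death in year k
        cost += v ** (k + 1) * deferred_q
        survival *= 1.0 - qx[x + k]
    return cost


def portfolio_cost(qx, lx, sum_assured, i=INTEREST, omega=OMEGA):
    """Lump sum for the whole snapshot population and the per-capita charge."""
    total = sum(lx[x] * whole_life_burning_cost(qx, x, i, omega) * sum_assured
                for x in range(omega))
    return total, total / sum(lx)


if __name__ == "__main__":
    # Constructed population: 10-year bands to 79, one 50-year band for 80+.
    population_bands = [((0, 9), 900_000), ((10, 19), 1_000_000),
                        ((20, 29), 1_200_000), ((30, 39), 1_500_000),
                        ((40, 49), 1_500_000), ((50, 59), 1_400_000),
                        ((60, 69), 1_200_000), ((70, 79), 900_000),
                        ((80, OMEGA - 1), 500_000)]
    # Constructed yearly incidents in the FBI-style bands (<20 ... 60+).
    incident_bands = [((0, 19), 150), ((20, 29), 350), ((30, 39), 450),
                      ((40, 49), 400), ((50, 59), 350), ((60, OMEGA - 1), 400)]

    qx, lx = digital_mortality_rates(incident_bands, population_bands)
    total, per_capita = portfolio_cost(qx, lx, sum_assured=1000.0)
    print(f"lump sum per USD 1000 of cover: USD {total:,.2f}")
    print(f"per capita charge:              USD {per_capita:.4f}")
    # Per-mille scaling: a different assumed loss simply rescales the result.
    print(f"lump sum for a USD 4400 loss:   USD {total * 4.4:,.2f}")
```

Because the output is a charge per USD 1000 of sum assured, any other assumed loss is obtained by rescaling, exactly as the paper does for its six loss estimates; keep the unrounded per-capita value for that rescaling, since rounding to cents first changes the last digits.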
Consequently, for a loss of USD 1000 per individual, an authority or provider wanting to offer the entire population of the country financial protection against cyber-crime would have to set aside a lump sum of USD 4,381,215.44 to cover the losses anticipated to be incurred as a result of cyber-attacks. That corresponds to a charge of USD 0.41 per individual (per capita) for a population of 10,816,286 people. This approach is simplistic in that we have assumed a single internet service provider offering such protection at USD 0.41 for every USD 1000 of financial protection. If more than one provider wanted to offer such protection, the cost would be split in proportion to their clientele, following the same approach and adjusting only for the underlying population. In addition, the cost would reflect the different pricing policies of the providers, taking into account market competition, the desired profit margin, the risk appetite and other parameters that influence the commercial premium. If, however, the state wanted to protect the entire population that is subject to cyber-attacks, it would have to provision or charge the relevant amount in some way.
Table 2. Cyber-attack mortality table.
Source: Author calculations based on Hellenic Statistical Authority, Hellenic Police and FBI.
Even if the loss is assumed to be different, our approach remains valid and applicable: one simply enters the relevant amount as input to obtain the corresponding total lump sum or individual charge. If, for example, we wanted to estimate the cost for the different approaches mentioned above, the FBI average of USD 4400 per individual (case 1 above) gives a total of USD 19,277,347.92 or USD 1.78 per capita. We derived the total and the per capita amounts by multiplying the lump sum of USD 4,381,215.44 and the per-capita charge by 4.4, because USD 4400 is 4.4 times the USD 1000 we priced for. Note that the multiplication is applied to the unrounded figures (the per-capita charge is USD 4,381,215.44 / 10,816,286 ≈ USD 0.405, not USD 0.41), which is why the results differ in the last digits from what the rounded values would give (0.41 × 4.4 = 1.80). As explained earlier, this is the benefit of expressing the charge per mille of sum assured: the actual charge is the charge per mille times the number of thousands of USD of sum assured purchased. Extending this to the other cases, the Ponemon-Accenture data (case 2) yield a total of USD 15,334,254.02 or USD 1.42 per capita, multiplying by 3.5 since the average loss of USD 3500 is 3.5 times USD 1000. The AIG data (case 3) yield USD 8,324,309.33 or USD 0.77 per capita, multiplying by 1.9 for an average loss of USD 1900. The Net Diligence data (case 4) yield USD 35,049,723.49 or USD 3.24 per capita, multiplying by 8 for an average loss of USD 8000. The McAfee data (case 5) yield USD 13,143,646.31 or USD 1.22 per capita, multiplying by 3 for an average loss of USD 3000.
Finally, we find a total of USD 10,953,038.59 to USD 14,458,010.94, or USD 1.01 to USD 1.34 per capita, if we assume that the average loss reached 15% - 20% of the GDP per capita of Greece (case 6 above). This is derived by multiplying the corresponding amounts by 2.5 (3.3 respectively), as USD 2500 (USD 3300 respectively) is 2.5 (3.3) times USD 1000.
Summarizing the above, we introduced an insurance-oriented, financial protection approach to find the burning cost of protecting an income of USD 1 from a cyber-attack. We did so by assuming that a cyber-attack practically eliminates the digital life of an individual and is thus treated as a digital fatality, similar to a physical fatality. Beyond the theoretical approach, we showed that it can also be applied in practice. Our numerical example used the cyber-attacks recorded in Greece, so our population of interest was the Greek population. Considering a loss of USD 1000 per individual, we found a lump-sum cost of USD 4,381,215.44 to offer the entire population of the country financial protection against cyber-crime, covering the losses anticipated to be incurred as a result of cyber-attacks. That corresponds to a charge of USD 0.41 per individual for a population of 10,816,286 people, the population of Greece as of the 2011 census. Our findings can easily be extended to any population and to any assumed amount of protection sought. They can be used by the state, internet service providers, financial service providers or any other provider of digital services to embed cyber-attack protection in their products. This, we trust, is the significance of our contribution to scientific research in the field.
In this paper, we assumed that a cyber-attack results in a digital fatality, meaning that only one such incident can occur in a digital lifetime. In future research, we will 1) allow more incidents to occur, which more closely resembles a disability or illness, and mimic the relevant pricing techniques; 2) seek more detailed data, in order to better model the frequency and severity of cyber-crime incidents and derive additional risk parameters; and 3) assess the conditions under which it would make sense for an individual to purchase cyber insurance coverage (as a complement to his or her internet service contract), as well as the various coverage levels and charging approaches that can be offered.
Cyber-attacks are an important threat to an individual's digital life. In this paper, we identify the losses that result from cyber-crime incidents and calculate the amount needed to offer financial protection against these losses (as a lump sum or per capita). We assume that after a cyber-attack happens the individual has no digital life any more, which is analogous to his or her physical death. Therefore, the calculation resembles that of a pure insurance premium.
The results of the paper are useful to internet service providers―as well as other providers that offer digital services―and policymakers in order to provide a better understanding of this type of risk, as well as the amount they need to provision for, should they wish to protect the citizens of a country or their clientele respectively from these risks. It may also provide guidance for the pricing of financial protection features against cyber-attacks, embedded in internet service contracts or any other service offered through a digital environment.
Conflicts of Interest
The authors declare no conflicts of interest regarding the publication of this paper.