Insurability of Electronic Commerce Risks

Torsten Grzebiela
Albert-Ludwigs-University Freiburg, Institute for Computer Sciences and Social Studies, Telematics Dept.
Friedrichstrasse 50 – 79098 Freiburg i. Br. – Germany
Tel.: +49 – 761 – 2035703, Fax: +49 – 761 – 2034929

Abstract

New kinds of risks increasingly threaten electronic commerce. The traditional instrument for risk transfer is insurance. Research is needed to determine whether new Internet risks are insurable. In this article, starting with damage scenarios and damage dimensions, Internet risks are classified and their properties are evaluated by means of decision-oriented insurability criteria. The definition of basic goal-oriented risk sees risk as a violation of the technical protection goals of the multilateral security concept (confidentiality, integrity, availability, accountability). These technical security risks, which form the foundation for further economic and social risks, are examined further. On the basis of the protection goals of multilateral security, existing insurance offers are analysed and statements regarding the insurability of potential violations of individual protection goals are made. The article works out problems resulting from insurability and shows solution approaches regarding insurability.

1. Scenarios and dimensions of damage

High turnover rates and great future perspectives are forecast for e-commerce, which characterizes business practice via the open world wide web. On the one hand the Internet offers great opportunities, on the other hand it harbors a high potential for damages. Individuals as well as enterprises are affected by loss of data due to attacks by hackers or viruses, industrial espionage or profile formation. The distributed-denial-of-service-attack on Yahoo, E-Bay and E-Trade on February 8, 2000, for instance, generated a turnover loss of $ 250 million [42]. Furthermore, it entailed a loss of their stock exchange value of $ 2,5 billion [14]. According to estimations, the spreading of the “I LOVE YOU”-virus in May 2000 caused a total loss of up to $ 30 billion worldwide [17].

The consequences of the loss of data crucial to the enterprise can be of enormous extent depending on the sector and on the size of the enterprise. Studies on data security made by Hewlett-Packard show that the costs of stagnation, replacement and resulting competitive disadvantages, etc. can amount to $ 7,3 million per hour. The study further concludes that up to 94% of the enterprises would not survive the following two fiscal years in the event of complete loss of their data [40]. A current survey of [22] reveals that almost every other German enterprise fears hackers as the biggest security risk for its e-commerce system. 11% of the surveyed enterprises said that they have experienced security violations during the past twelve months. However, these are only the discovered and reported cases. The estimated number of undiscovered cases is probably much higher.

In the information era, security measures and insurances against Internet risks grow increasingly important. Recently, special Internet insurances have started to become available. In this context, one problem arises: Are all risks related to the Internet generally insurable, or are there risks that cannot be transferred to the insurer?

2. Classification of internet risks

2.1. Definition of risk

The understanding of the term risk is not unified in the literature [24, p. 23]. A generally recognized definition of risk does not exist [38, p. 2038]. Economic risk theory is meanwhile no longer attempting to define risk; risk is rather defined by its essential properties [18, p. 2] [41, p. 7]. The goal-oriented risk interpretation in this paper views risk as the danger of a negative goal deviation, i.e. an expectation deviation [11] [13] [37]. In contrast to the distribution-oriented definitions, this understanding also enables the consideration of qualitative aspects.
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-3502) 0-7695-1435-9/02 $17.00 © 2002IEEE
2.2. Risk levels and internet
The opportunities of e-commerce are confronted with risks which on the one hand represent only a projection of long-known risks, and on the other hand also have a new, Internet-specific character, i.e. they increasingly appear on the Internet due to its globality. Various types of risk can be subsumed under the term “Internet risks”. A model form of representation and classification is the abstraction of various risk levels shown in Fig. 1. It should serve as a classification of risk that shows various dimensions. The technical risk level attempts to show risks from a technical perspective. At this level, attacker models examine the effectiveness of special protection mechanisms under consideration of the strengths and capabilities of a potential attacker [29]. Here, the fundamental security risks appearing in section 2.3 are named. Hacker, virus or denial-of-service-attacks, in addition to fundamental system risks, are also classified at this level. The individual risk level puts the risks and violations of privacy and identity, in particular, in the foreground. Two dimensions can be recognized here. First, the individual user's privacy is threatened through the misuse of personal information and possible profile building. Privacy is defined here as the entirety of property rights in relation to individual personal information [6]. A similar risk also exists in companies, which are exposed to manipulation or theft of specific company information (i.e. customer information, research information). Such data are often critical success factors of the company that determine its survival. Privacy, which in this context represents the proprietary rights of the company to its specific information, is consequently a very important goal for companies and organizations. The economic risk level names the economic effects that reflect themselves directly in sales loss or indirectly in image loss.
The micro-economic risks named above should be mentioned here, and also the macro-economic risks which apply to economies as a whole. The societal risk level illustrates the societal dimension which arises from the modern information and communication technologies and especially the Internet. Cyber terrorism, information warfare and the “glass user” are key terms that outline the dangers. But also an “omniscient government”, an internationally acting NSA as well as industry espionage are dangers that have societal effects.
Figure 1. Risk levels (figure reconstructed as text)
societal risk level: “glass user”, omniscient state (NSA), industry espionage, information warfare, cyber terrorism
economic risk level: sales loss, value loss, image loss, third parties liability claims, media risks, macro-economic risks
individual risk level (personal information + specific company information): violations of privacy, violations of identity, fraud, misinformation, manipulation, chain-linking risks (profile formation)
technical risk level: security risks; viruses, hacker attacks, denial-of-service-attacks, system risks

The described risk levels cannot be clearly distinguished; therefore there is feedback between the individual levels. Clear interdependencies are recognizable particularly at the individual and economic risk levels. The differentiation is made according to the criterion of effect: the effect of the loss of specific data or of targeted hacker attacks are factors that are considered.

2.3. Multilateral security as reference
The concept of multilateral security is suitable for the study of specific Internet risks [26] [28] [27]. In an open communication system like the Internet, one cannot assume that all parties (communication partners, service providers, network operators, system producers, maintenance services etc.) know or completely trust each other. In order to deal with the borderlessness of the Internet as a potential market place, the analysis of security requires not only the observation of external attackers but also the inclusion of all the parties involved as potential attackers [32] [33]. Multilateral security thus requires the consideration of the security standards of all parties involved. If possible, everyone should thereby be protected against everyone else. This is particularly evident when protecting transactions over the Internet. The interests of the suppliers and demanders are to be hereby preserved. Pursuant to these demands, the security risks, which are seen from a technical view and form the basis for further Internet risks (see Fig. 1), turn into threats to the so-called protection goals of multilateral security [30] [31]:

Loss of confidentiality, i.e. the risk of unauthorized gain of information. Information about the identity and preferences of individual users, confidential enterprise data (e.g. information from research and development, crucial business data such as customer records etc.) or communication data should be safe from unauthorized access or theft. Consequently, attacking confidentiality aims at gaining information without altering it (passive attacks). Apart from specific hacking, these passive attacks could include so-called packet sniffers, which are able to wiretap unencrypted message contents during the transmission of data. Another example is cookies, with the help of which user profiles can be created.

Loss of integrity, i.e. the risk of unauthorized modification of information and data. The faking of message contents, such as tenders and orders, is to be identified. Attacks on integrity can be made, for instance, by man-in-the-middle-attacks: the attacker pretends to be the respective partner during the communication of two parties.

Loss of availability, i.e. the risk of unauthorized impairment of the functionality. The loss of availability of an enterprise's online presence, which should make communication and access to information possible to all qualified partners at all times, will damage business. Attacks on availability can be made, for instance, by distributed-denial-of-service-attacks: without knowing it, several different servers simultaneously carry out attacks, thereby generating a system breakdown of the target computers due to flooding.

Loss of accountability, i.e. the risk of illegal irresponsibility. The receiver should have the possibility of proving to a third party that a second party has sent a message. Due to the spreading of incorrect information, for example, transactions that cannot be clearly ascribed to one initiator can lead to irresponsible actions and to unverifiable damage claims. Attacks on accountability are made, for instance, by masquerade-attacks: fake identities are simulated. In this context, the danger of IP-spoofing must be mentioned: the attacker generates packets with a false IP address, pretending to be a different computer.

3. Insurances on risk transformation
3.1. Security, trust and insurance
Trust-related problems count among the greatest electronic commerce hurdles [5]. Multilateral security alone provides no guarantee that transaction partners behave in a reciprocally foreseeable way. Along with the necessary technical security, the formation and maintenance of trust is an additional requirement complementary to technical security for prospering e-commerce [6] [7]. Trust can be defined as a combination of two elements: trust handling – “… the voluntary provision of a risky advance concession waiving explicit legal security and control measures against opportunistic behavior…” and trust expectation – “… the expectation that the trustee voluntarily refrains from opportunistic behavior” [35]. Trust formation can be effected by means of trust supporting institutions, which help to reveal information pertaining to trust, to evaluate or communicate or, in cases of damage, even to compensate (insurances). These institutions can be structured according to transaction phases, as shown in Fig. 2 in support of [6].
Figure 2. Transaction specific trust promotion and insurance (figure reconstructed as text; recoverable labels): valuation and attestation of past transaction behavior: Reputation Services (central / decentral); valuation and attestation of future transaction behavior: Inspection and Recommendation Services (central / decentral); revaluation / inspection and valuation and sanction of actual transaction behavior: Conflict Settlement Services; Transaction-oriented Insurance Services; Infrastructure-oriented Insurance Services.

Reputation services are engaged prior to the transaction and pertain to the transaction subjects. They should facilitate the estimation of the subjective trustworthiness of the transaction partner by making plausible statements about past behavior of transaction partners. Inspection and recommendation services also contribute a priori to the reduction of insecurities with regard to product and transaction quality. They make statements about future transactions, work out general quality criteria and check their compliance. Conflict settlement services build up trust in the conflict settlement process itself, when fraudulent behavior is suspected by either partner. Transaction-oriented insurance services can come into operation before the transaction. In this case, they have a supporting function for the inspection and recommendation service (e.g. transport insurance, money-back guarantee). On the other hand, insurances can be brought into operation ex ante by supporting alternative conflict solving services (e.g. liability insurances). In both scenarios, transaction-oriented insurance services promote trust formation. Infrastructure-oriented insurance services primarily offer insurance protection against the security risks described above and their effects. The e-commerce infrastructure and enterprises pursuing e-commerce are particularly concerned here. Potentially obtainable insurance protection against the threats to the protection goals of multilateral security (security risks) has a trust-creating effect. In the following, infrastructure-oriented insurances are examined. Starting with insurance as a risk management instrument and the insurability conditions, traditional and special new types of insurance offers are analysed with the protection goals of multilateral security as a reference. Statements regarding the insurability of potential violations of individual protection goals are made possible and problems which arise with insurability are highlighted. The paper concludes with a summary of the findings and gives an outlook.

3.2. Insurance as a risk management instrument
Economic measures for overcoming risks can be categorized into the risk policy instruments of risk avoidance, risk transfer, risk reduction and self-sustaining or the formation of risk reserves [13]. Risk avoidance implies generally refraining from activities involving risk. Within the framework of risk transfer, the transfer onto risk bearers through insurance, through general or special contract terms, or the transfer due to regulations come into question. Risk reduction denotes measures which reduce the inevitability of events causing damage or their damaging effects. The technical security measures when using the Internet should be mentioned here: for example, cryptographic procedures which reduce existing risks when transmitting data; digital signatures and certificates which serve to secure identity; virus scanners and firewall concepts which regulate communication between the internal enterprise network and the Internet and prevent unauthorized access to the enterprise's internal network; and also Intrusion Detection Systems, which supplement the firewalls in a practical way with automatic recognition of and protection against attacks in preventive defence action. If risks can be met neither by technical security measures nor by economic instruments, or if it is not economically practical to use these kinds of instruments, the residual risk will be self-sustained. The formation of risk reserves can be significant in this context.

3.3. Insurability conditions of internet risks
3.3.1. Criteria of insurability. The demand for specific Internet-related insurances might exist or not. In any case, it is necessary to examine the conditions of the formation of a range of insurances concerning Internet risks. In order to examine insurability, various catalogues of criteria have been developed in the past [23, p. 203ff.]. The five criteria of KARTEN [21] are referred to below. This decision-oriented catalogue is frequently cited in the literature of insurance economy. Selected Internet dangers should be exemplarily referred to. The criteria according to which risks can be rated are: fortuitousness, unambiguousness, estimability, independence, size.

3.3.2. Characteristics of internet risks according to decision-oriented criteria of insurability. The fulfilment of the criterion of fortuitousness demands that the event causing the case be unknown and not subject to influence at the time of conclusion of the contract [21, p. 287].
Uncertainty requires that both parties of the contract have the same standard of information. A case of asymmetrical information holds the inherent danger of adverse selection. “Not subject to influence” especially points at the problem of moral hazard, which causes market failure [20]. Typically, existing insurance protection will provoke less careful behaviour. This means that activities preventing damages are reduced. If such behaviour cannot be observed, the above mentioned problem of moral hazard will arise. The probable change in behavior of the insured after the conclusion of a contract should therefore be excluded by obligations. This will enable the insurer to calculate the average probabilities of damages. On the Internet, damages mainly result from deliberate attacks by third parties or technical defects. However, the possibility of the intentional creation of a damage event by the insured to obtain insurance benefits may never be ruled out. In order to eliminate the incentive for the insured to intentionally cause damage or to neglect security measures, insurers apply specific obligations and components in the contracts. These components might include co-insurance of the insured or the limitation of the amount of cover, thereby restricting the benefits in the case of damage. The criterion of unambiguousness stipulates that the event (the damage occurrence) as well as the amount of damages be rateable in an objectively verifiable way [25, p. 77]. In practice, the exact interpretation of the occurrence of damage and of the amount of damages that must be compensated by the insurance benefits requires a great many insurance clauses [23, p. 217]. These clauses have to be agreed upon by the signatories before the conclusion of the insurance contract. However, significant problems may arise from the fact that particular damage events emerging through the use of the Internet cannot be proven objectively.
The violation of confidentiality, for instance, can normally be evidenced only under one condition: there has to be an objectively provable consequential loss with a direct causal connection to the violation of confidentiality [3, p. 185]. Due to the dominance of immaterial values, these kinds of damages can be quantified only with great difficulty. They can, however, very well entail material damages. Additionally, the time difference between the violation of confidentiality and the suffered wealth damages intensifies the problem of provability. The diverse perceptions of immaterial damages by different individuals cause yet another problem. The definition of an objective amount of damages becomes nearly impossible. Defining fixed monetary payments of damages ex ante could be one way of solving the problem. A reasonable resolution, however, requires knowledge of the actually possible damage events and amounts. The problem outlined above shows why damages caused by violating the confidentiality of contents of communication are insurable under certain restrictions only [3, p. 185].

The third criterion of estimability represents the problem of insufficient knowledge. For Internet risks there is no statistical data basis. An insurer who has to estimate the average amount of damages as well as the probability of the occurrence of the event will judge subjectively. Likewise, the decision as to what extent a risk is basically insurable for the risk bearer will be subjective.

The criterion of independence refers to positively correlated risks. These should be excluded so as to ensure a process of fortuity of the insured damage events of the business in force. Negatively correlated risks are preferable and therefore not considered any further. Sufficient stochastic independence of the single risks is the central prerequisite for the effect of a collective portfolio balance. If the majority of the insured suffer damages at the same time, then the individual cases no longer represent independent events. Virus attacks, or alternatively shortcomings or bugs of widely spread software, can be cited as examples causing highly correlated individual damages (so-called risks of contagion). But also distributed-denial-of-service-attacks, which hit many systems at the same time, can entail an accumulation of damages. Such accumulations of damage events, also referred to as cumuli, endanger the solvency of the insurer, which means that high payments are due all of a sudden, by far exceeding the individual capacity limit of the insurer. Independence is never an all-or-nothing property: it is neither completely absent nor can it be fully preserved; it always appears in degrees. This manifests itself in the numerous insurances of elementary events, such as hurricane insurance in the USA, storm loss insurance or earthquake insurance [9, p. 41] [19]. However, certain limits of dependence should not be exceeded.

The last criterion of size means the highest damage possible of an individual risk. The size of the risk to be insured is a criterion that can be quantified only with great difficulty. This is due to the fact that the insurability depends on the underwriting capacity of the insurance industry or the underwriting policy of the insurer [25, p. 77]. However, the maximum damage can always be restricted by limiting the coverage. In addition, the insurer can extend the underwriting capacity by means of re-insurers. If a certain total of damages is exceeded, the re-insurer will assume the excessive burdens in return for adequate premium payments. Moreover, by limiting the coverage more strictly, risks classified as non-insurable can be rendered insurable. Yet another possibility would be the readiness of the insurer to cover only a certain percentage of the total damage amount. It is not reasonable to classify a risk as non-insurable per se only because it does not meet the criterion of size.
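The effect of correlated risks on the collective portfolio balance (the "risks of contagion" and "cumuli" discussed under the independence criterion in section 3.3.2) can be made concrete with a small calculation. The following Python program is an added example and not part of the paper. Its model is an assumption made for illustration: an insurer holds n identical policies, each paying a fixed amount when the insured suffers an incident; in the contagion variant a systemic event (e.g. a widely spread virus) hits every policy at once with probability q, and the idiosyncratic incident rate is chosen so that every single policy keeps the same incident probability p as in the independent case. The parameter values in the main block are constructed, not taken from the paper.

```python
from math import comb

# Constructed illustration (not from the paper): an insurer's portfolio of
# n identical policies, each paying a fixed amount `loss` per incident.


def binomial_tail(n, p, k):
    """Exact P[X > k] for X ~ Binomial(n, p), summed over the pmf."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1, n + 1))


def independent_portfolio(n, p, loss):
    """Mean and variance of aggregate claims when incidents are independent,
    i.e. the situation the collective portfolio balance relies on."""
    mean = n * p * loss
    variance = n * p * (1 - p) * loss ** 2
    return mean, variance


def contagion_portfolio(n, p, q, loss):
    """Mean and variance of aggregate claims with a contagion component.
    With probability q a systemic event hits every policy at once; otherwise
    incidents are independent with probability p_idio, chosen so that each
    policy still has incident probability p.  The per-policy risk (and hence
    the expected total) is identical to the independent case; only the
    dependence between policies differs."""
    if not 0 <= q <= p < 1:
        raise ValueError("need 0 <= q <= p < 1 for a valid idiosyncratic rate")
    p_idio = (p - q) / (1 - q)
    mean = n * p * loss
    second_moment = (q * (n * loss) ** 2
                     + (1 - q) * loss ** 2 * (n * p_idio * (1 - p_idio) + (n * p_idio) ** 2))
    variance = second_moment - mean ** 2
    return mean, variance


def ruin_probability(n, p, loss, capacity, q=0.0):
    """Probability that aggregate claims exceed the insurer's capacity limit
    (the cumulus problem).  q = 0 gives the independent portfolio."""
    affordable = int(capacity // loss)  # number of claims the capacity can pay
    if q == 0:
        return binomial_tail(n, p, affordable)
    p_idio = (p - q) / (1 - q)
    systemic_exceeds = 1.0 if n * loss > capacity else 0.0
    return q * systemic_exceeds + (1 - q) * binomial_tail(n, p_idio, affordable)


if __name__ == "__main__":
    # Constructed values: 1000 policies, 2% incident rate, unit loss, capacity
    # for 40 claims (about 4.5 standard deviations above the independent mean),
    # and a 1% chance per period of a systemic event.
    N, P, LOSS, CAPACITY, Q = 1000, 0.02, 1.0, 40.0, 0.01
    for label, (mean, var) in (("independent", independent_portfolio(N, P, LOSS)),
                               ("contagion", contagion_portfolio(N, P, Q, LOSS))):
        print(f"{label:12s} expected claims {mean:6.1f}  std.dev. {var ** 0.5:6.1f}")
    print("P[claims > capacity], independent:", ruin_probability(N, P, LOSS, CAPACITY))
    print("P[claims > capacity], contagion:  ", ruin_probability(N, P, LOSS, CAPACITY, Q))
```

With these values both portfolios expect 20 claims, but the standard deviation of the total rises from about 4.4 to roughly 99 once the systemic component is present, and the probability of exceeding capacity moves from a negligible figure to essentially q itself: the insurer's solvency is then governed by the single correlated event, not by the law of large numbers across its policies. This is the calculation behind the paper's point that the underwriting instruments from the size criterion (coverage limits, reinsurance of the excess) are what render such risks insurable.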
3.3.3. Insurability limits. In general, there are no significant insurability limits or so-called uninsurable risks [10]. Reasons for this are, for example, certain obligations, such as technical security measures which have to be fulfilled, or certain contractual elements, such as percentage excess or coverage limits. By implementing such instruments uninsurable risks can be made insurable. It can certainly be observed that insurance is not offered for every risk. The BERLINER approach endeavors to afford an explanation for this; it establishes the existence of a non-unambiguous insurability area, a so-called grey zone that lies between the objective insurability and uninsurability areas [1] [2]. This grey zone includes risks which not all insurers wish to cover due to various risk aversions but which are by all means covered by some. The existence of the grey zone renders a general definition of risk insurability impossible. Consequently, insurability can best be assessed by means of an empirically realistic approach which represents the reality of insurability [8] [9]. The aim of such an investigation is to produce statements on practical insurability; these are described in section 4.2 concerning security risks.

4. Insurance offers against internet risks
4.1. "Traditional" insurance offer
In order to secure itself financially against the risks IT systems implicate, the enterprise as the insured can choose between a wide range of insurances in Germany. These traditional Electronic Data Processing (EDP) and electronics insurances existed on the market before but are not specialized against inherent Internet risks. On the one hand, they provide the insured with the possibility of securing partial risks of data security [3, p. 194]; on the other hand, they only offer a limited insurance coverage and, last but not least, they are quite expensive. A good overview of these insurance offers can be found in [4]. Basically one has to differentiate between EDP and personal insurances. EDP insurances are subclassified into property insurances (electronics property insurance, data media cover insurance, software insurance) and contingency insurances (electronic additional cost insurance, electronic business interruption insurance). Personal insurances can be subdivided into misuse insurances (fidelity insurance, computer abuse insurance) as well as data protection insurances (data liability insurance, data legal costs insurance). The electronics property insurance denotes the insurance for hardware. In a kind of all-risks coverage, all tangible damages are covered that might either result directly in a loss of the insured items or in circumstances that have not been anticipated in good time. It also includes fixed-installed data media as well as system program data from system software or similar data. One has to bear in mind that the stored data is separated from the data media. If it is not necessary for the basic functions of the insured hardware covered by the electronics property insurance, the data media cover insurance becomes effective here. The data media insurance stands in a complementary relationship with the electronics property insurance. Here the impairment of hardware is an obligatory condition for a monetary compensation [3, p. 194f]. In principle, only those data, programs and data media are insured that have been declared on the policy in advance. The software insurance, which corresponds to an extended data media insurance, adds a new dimension to the policy outline of the data media insurance. Here, damage caused by deletion or manipulation of data is covered without the data media or hardware being affected. Among other things, deliberate acts on the part of third parties, such as sabotage, hacker or virus attacks, are also insured. In the event of damage, strictly only those costs are compensated that the policy holder has to expend on the replacement of data media as well as on the recreation of the insured data. Furthermore, the software insurance has very restricted terms of insurance. Within the scope of an electronic additional cost insurance the underwriter compensates the costs for bridging measures. These are caused by a breakdown of the insured systems due to material damage which therefore interrupts or affects the efficiency of the enterprise. In case a breakdown of insured systems cannot be bridged, the electronic business interruption insurance covers and compensates the lost profits and running costs. In addition, due to numerous exclusion clauses, the electronic business interruption insurance does not cover damages that are not caused by an in-house communicating system but by the Internet connection (such as failure of an Internet network node).

The fidelity insurance protects the enterprise against pecuniary losses that may be caused by deliberate acts of employees. The so-called computer abuse insurance is a special form of the fidelity guarantee claim insurance [16]. The coverage is limited to damages that stand in direct connection with the data processing. Moreover, the insurance benefit is subject to a time limit. In contrast to property insurances, here no concrete insured values can be defined. Therefore, the insured has to rate a sum adequate to the risk in advance. The processing of personal data by means of EDP is subject to the regulation of the federal data protection law in Germany. In the course of processing and transmitting personal data, violations against the regulations of the federal data protection law might occur. In this case the enterprise might be called to account for arising pecuniary losses. The field of potential claims for damages is hardly clear. Likewise, the degree of a possibly justified claim for damages is hardly assessable. Possible liability
claims especially refer to the demand of material damages. They are for instance caused by invasion of privacy or an affected reputation and might have substantial consequences (e.g. loss of income, withdrawal of granted loans). Often the exact amount of damages can barely be measured. As a consequence, legal inquiries take place regularly in order to determine the actual damage. The data liability insurance covers pecuniary losses due to the legal inquiries mentioned above. Moreover, it refunds proved damage claims. The data legal costs insurance can be seen as a kind of supplement to the data liability insurance. It covers special risks of legal expenses which the data liability insurance does not cover. This is especially the case when adversaries litigate in legal proceedings up to the last instance, causing enormous legal expenses.

4.2. Special internet insurances
Insurances that cover the risks of transactions in e-commerce are already on the market in Germany. With Trusted Trade for business-to-business-transactions and Trusted Shops for business-to-consumer-transactions, the Gerling Speziale Kreditversicherung-AG already offers corresponding insurance concepts. These insurances will not be discussed any further. Instead those Internet insur-ances that attend to security risks will be presented. The calculation of Internet risks is extremely difficult. This is due to a lack of experiential records of both the treatment of probability of a loss and the average amount of loss, as well as of the occurence of cumuli arising out of contingency- or breakdown risks. In spite of these calculation risks, there are already a few insurances against Internet risks on the market in Germany. Along-side other Internet insurance suppliers the presentation of some concepts should exemplify these insurances. In strategical alliance withsecunet Security Networks AG, theGothaer Versicherungenbeen offering a combi- has nation of two insurances against Internet risks since December 1999. The “Gothaer secusure Internet-insurance” covers damages caused by the manipulation or destruction of homepages. Moreover, it is liable for consequential losses evoked by the misuse of delicate data such as credit card numbers, whereas the“Gothaer Soft-ware business interruption insurance”compen- provides sation for malfunctions caused by the loss of either data or EDP programs. Apart from the restoration of data, image damage, as well as loss of sales and profits and third party liability claims are covered. In order to effect the insurance it is a mandatory requirement that the security system is up-to-date. This can be verified bysecunetwith a special certificate. Likewise, the policy requires the insured to attend regular audits, in order to extend the validity of the certificate. As an alternative, the insured
can also conclude a service contract with secunet, which guarantees up-to-date security technology.

The Marsh GmbH also offers an insurance package. According to their account, it covers all e-commerce risks, such as breakdowns caused by manipulation by hackers or employees [39]. The insurance also covers network breakdowns caused by deficient software as well as malfunctions of servers and damages. The damages of third parties struck by breakdowns on the Internet are also covered. Even the possible loss of stock exchange value caused by hackers is, to a certain extent, insurable, as in the case of the above-mentioned distributed denial-of-service attacks on American Internet enterprises on February 8th, 2000. A condition precedent is a security audit by an expert chosen by the insurer. The expert checks the technical security measures of the enterprise. The insurance package is then arranged individually for every single customer (insurance sum, premium, etc.).

An analysis of “traditional” insurance offers on the one hand and new Internet insurances on the other hand, carried out for the German market, leads to Table 1. Here, an evaluation of the current insurability of Internet risks is given. At the technical risk level, these risks are summarized as threats to the protection goals of multilateral security.

Table 1. Company insurance possibilities

Protection goal (threat) | Insurability | Problems
Confidentiality (theft of information and data) | not applicable | definite causal connection, provability, quantification
Integrity (manipulation resp. reset of information and data) | applicable | low limits of coverage, expensive technical security precautions
Accountability (transactions cannot be imputed clearly / unverifiable damage claims) | presently not applicable | definite causal connection, provability
Availability (website not available / impairment of the functionality; no access) | applicable | low limits of coverage, expensive technical security precautions
5. Summary and perspectives

Technical security measures and insurances are complementary. Apart from classical elements of product design, such as deductibles or coverage limitations, a certain minimum of technical security precautions is normally necessary in order to make Internet risks insurable in the first place.

An analysis of current insurance offers shows that potential violations of integrity and availability are insurable. Apart from the necessary technical and thus expensive security precautions, the problem currently lies with relatively low limits of coverage. Insurance cover is currently only possible for small enterprises. One way of resolving the problem is the extension of the capacity limits of the insurers by re-insurers. Moreover, inefficiencies or limits of the insurances may be met by innovative solutions for financing risks, so-called alternative risk financing products [36]. These products are suitable especially for risks that either cannot be transferred at all on the existing insurance markets or only at high cost. In this field, there is currently a need for further research.

The danger of the loss of accountability is as yet uninsurable. Firstly, it can be proven only with great difficulty. Secondly, there is a lack of unequivocal causal connections. In order to render cases of violated accountability insurable, one could think of the widespread use of digital signatures and digital certificates that are issued by trustworthy authorities. At present, however, this method is not widely used. A requisite trustworthy and widely accepted Public Key Infrastructure is also unavailable.

Lastly, violations of confidentiality are not insurable. Illegal outflow of information from enterprises or illegal selling of personal data are normally not “experienced in person”. The loss of data is – if at all – recognizable in hindsight only. The identification of the culprit as well as finding evidence is extremely difficult and very often not possible at all. Likewise, the exact quantification of pecuniary damages is hardly possible. Additionally, one has to assume that the mentioned risks of the violation of privacy are not insurable because of the strongly limited provability.

Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02) 0-7695-1435-9/02 $17.00 © 2002 IEEE

6. References
[1] Berliner, B.: Die Grenzen der Versicherbarkeit von Risiken. Schweizerische Rückversicherungsgesellschaft, Zürich 1982.
[2] Berliner, B.: Versicherbarkeit. In: Farny, Dieter, et al. (eds.): Handwörterbuch der Versicherung, VVW, Karlsruhe 1988, pp. 951-958.
[3] Blind, K.: Allokationsineffizienzen auf Sicherheitsmärkten: Ursachen und Lösungsmöglichkeiten; Fallstudie: Informationssicherheit in Kommunikationssystemen. Lang, Frankfurt am Main et al. 1996.
[4] Deutscher Versicherungs-Schutzverband: Wie Sie Ihre EDV-Risiken richtig versichern – Eine Anleitung für Betriebe. 2nd edition, Bonn 1992.
[5] Eggs, H.; Englert, J.: Electronic Commerce Enquête 2000 – Vernetzte kleine und mittlere Unternehmen. Konradin-Verlag, Leinfelden-Echterdingen 2000.
[6] Eggs, H.: Vertrauen im Electronic Commerce: Herausforderungen und Lösungsansätze. Ph.D. Thesis, Universität Freiburg, 2001.
[7] Eggs, H.; Müller, G.: Sicherheit und Vertrauen: Mehrwert im E-Commerce. In: Müller, G., Reichenbach, M. (eds.): Sicherheitskonzepte für das Internet. Springer-Verlag, Berlin et al. 2001, pp. 27-44.
[8] Eszler, E.: Versicherbarkeit und ihre Grenzen: Logik – Realität – Konstruktion. In: Zeitschrift für die gesamte Versicherungswissenschaft (2000), pp. 285-300.
[9] Eszler, E.: Versicherbarkeit und Versicherungsmodelle, insbesondere für katastrophenartige Elementarrisiken – ein Bezugs- und Analyserahmen. Schriftenreihe „Forschungsergebnisse der Wirtschaftsuniversität Wien“, Topritzhofer, E. (ed.), Service Fachverlag, Wien 1992.
[10] Eszler, E.: Versicherbarkeit und ihre Grenzen. Analyse und Systematisierung auf erkenntnistheoretisch-ontologischer Basis. VVW, Karlsruhe 1999.
[11] Eucken, W.: Die Grundlagen der Nationalökonomie. 4th edition, Fischer, Jena 1944.
[12] Federrath, H.; Pfitzmann, A.: Bausteine zur Realisierung mehrseitiger Sicherheit. In: Müller, G., Pfitzmann, A. (eds.): Mehrseitige Sicherheit in der Kommunikationstechnik, Vol. 1: Verfahren, Komponenten, Integration. Addison-Wesley-Longman, Bonn et al. 1997, pp. 83-104.
[13] Haller, M.: Risiko-Management – Eckpunkte eines integrierten Konzeptes. In: Jacob, H. (ed.): Schriften zur Unternehmensführung – Risiko-Management. Gabler, Wiesbaden 1986, pp. 7-44.
[14] Handelsblatt, 11./12.2.2000.
[15] Härlen, H.: Die Grenzen der Versicherbarkeit, zum Beispiel in der Lebensversicherung stark erhöhter Risiken. In: Zeitschrift für die gesamte Versicherungswissenschaft (1972), pp. 271-277.
[16] Heidinger, J. L.: Die Computer-Mißbrauchs-Versicherung. VVW, Karlsruhe 1980.
[17] N.N.: US-Politiker kritisieren Software-Industrie. In: heise online news, er/data/chr-11.05.00-001/, call 2001-05-30.
[18] Helten, E.: Die Erfassung und Messung des Risikos. In: Asmus, W., Gassmann, J. (eds.): Versicherungswirtschaftliches Studienwerk, 4th edition, Wiesbaden 1994.
[19] Herbrich, M.: Kumulkontrolle. Gabler, Wiesbaden 1992.
[20] Holmström, B.: Moral Hazard and Observability. In: Bell Journal of Economics, 10/1979, pp. 74-90.
[21] Karten, W.: Zum Problem der Versicherbarkeit und zur Risikopolitik des Versicherungsnehmers – betriebswirtschaftliche Aspekte. In: Zeitschrift für die gesamte Versicherungswissenschaft (1972), pp. 279-299.
[22] KPMG: efr@ud.survey. Umfrage zur Wirtschaftskriminalität im eCommerce. KPMG-Studie Integrity Services, Februar 2001,, call 2001-05-30.
[23] Lucius, R.-R.: Die Grenzen der Versicherbarkeit. Haag und Herchen, Frankfurt am Main 1979.
[24] Meinecke, H.: Integriertes Risiko-Management für Unternehmenseigentümer. St. Gallen 1997.
[25] Mugler, J.: Risikopolitische Strategien im Grenzbereich des Versicherbaren. In: Zeitschrift für die gesamte Versicherungswissenschaft (1980), pp. 71-87.
[26] Müller, G., Pfitzmann, A. (eds.): Mehrseitige Sicherheit in der Kommunikationstechnik, Vol. 1: Verfahren, Komponenten, Integration. Addison-Wesley-Longman, Bonn et al. 1997.
[27] Müller, G., Rannenberg, K. (eds.): Multilateral Security in Communications, Vol. 3: Technology, Infrastructure, Economy. Addison-Wesley-Longman, 1999.
[28] Müller, G., Stapf, K.-H. (eds.): Mehrseitige Sicherheit in der Kommunikationstechnik, Vol. 2: Erwartung, Akzeptanz, Nutzung. Addison-Wesley-Longman, Bonn et al. 1998.
[29] Pfitzmann, A.: Diensteintegrierende Kommunikationsnetze mit teilnehmerüberprüfbarem Datenschutz. Springer, Berlin, Heidelberg 1990.
[30] Rannenberg, K.: Electronic Commerce und Mehrseitige Sicherheit – Baustellen, Fortschritte und Perspektiven. In: Informatik Forschung und Entwicklung (IFE), subject „Electronic Commerce“, 2000, pp. 193-206.
[31] Rannenberg, K.: Zertifizierung mehrseitiger IT-Sicherheit: Kriterien und organisatorische Rahmenbedingungen. Vieweg, Braunschweig, Wiesbaden 1998.
[32] Rannenberg, K.; Pfitzmann, A., Müller, G.: Sicherheit, insbesondere mehrseitige IT-Sicherheit. In: Informationstechnik und technische Informatik (it+ti), 4/1996, pp. 7-10.
[33] Rannenberg, K.; Pfitzmann, A., Müller, G.: Sicherheit, insbesondere mehrseitige Sicherheit. In: Müller, G., Pfitzmann, A. (eds.): Mehrseitige Sicherheit in der Kommunikationstechnik, Vol. 1: Verfahren, Komponenten, Integration. Addison-Wesley-Longman, Bonn et al. 1997, pp. 21-27.
[34] Rejda, G. E.: Principles of Risk Management and Insurance, 4th edition, HarperCollins, New York 1992.
[35] Rippberger, T.: Ökonomik des Vertrauens – Analyse eines Organisationsprinzips. Mohr Siebeck, Tübingen 1998.
[36] Romeike, F.: IT Risiken und Grenzen traditioneller Risikofinanzierungsprodukte. In: Zeitschrift für Versicherungswesen, 17/2000, pp. 603-610.
[37] Schuy, A.: Risiko-Management: Eine theoretische Analyse zum Risiko und Risikowirkungsprozeß als Grundlage für ein risikoorientiertes Management unter besonderer Berücksichtigung des Marketing. Lang, Frankfurt am Main, Bern, New York, Paris 1989.
[38] Spooner, H.: Risk Management: A Study in Technique. In: The Post Magazine, (135) 1974, pp. 2038-2040.
[39] N.N.: „Hacker“-Versicherung für Internet-Firmen. In: Versicherungswirtschaft, 9/2000, p. 644.
[40] N.N.: Dem „Data loss“ folgt oft das Aus. In: Versicherungswirtschaft, 20/1999, p. 1482.
[41] Wagner, F.: Risk Management im Erstversicherungsunternehmen: Modelle, Strategien, Ziele, Mittel. VVW, Karlsruhe 2000.
[42] Die Welt, 19.4.2000.