摘要: | 隨著網路的蓬勃發展,各國之資安風險逐年上升,因此保險產業也積極在資安領域發展保險市場,但台灣之保險產業至今於該領域發展仍有限,原因在於對資安風險之歸類與衡量了解不足。事實上即便在資安保險起步較早的美國,保險業者也並未對於自身之風險評估模型抱持足夠信心,台灣有類似狀況自然也不足為奇。
本研究將先彙整與介紹各種資安風險事件之分類、頻率、途徑、損失狀況、嚴重性分級等,並以現實或假想案例具體重現情境,不僅可供保險公司設計產品及擬定保費時參考,也可被投保企業做為研擬資安對策時的依據。之後則講解Jack Freund與Jack Jones發展之FAIR(factor analysis of information risk)模型,以及NIST(National Institute of Standards and Technology)之資安框架,再根據論文前半部提及的資料擬定FAIR之參數,並結合NIST之資安框架,以醫療機構為例評估其資料外洩時的風險大小,最後再進一步模擬保險公司以風險值求取保費的過程,以供其參照。
研究結果呈現了以醫療產業為例的分析成果,且由於業務性質的相似性,我們可預期本研究的風險評估流程也可套用於許多其他類型的投保企業。此外,各產業遭遇不同資安事件時的損失型態差異也已列表整理,不論是投保企業或保險公司,皆可以此為基礎調整營運方針。 ;With the vigorous development of the cyber activity, the cyber risks of various countries have increased yearly. Therefore, the insurance industry is also actively developing the insurance market in the cyber security field. However, in Taiwan, the development of insurance industry in this field is still limited due to insufficient understanding of classification and measurement of cyber risks. In fact, even in the United States, where cyber insurance started early, insurers did not have enough confidence in their own risk assessment model. It is not surprising that Taiwan is in such a predicament.
This research will first summarize and introduce the classification, frequency, approach, loss status, severity classification, etc. of various cyber risk events, and use real or hypothetical cases to specifically reproduce the situation, which can not only be used as a reference for insurance enterprises when designing products and drawing up premiums, but also be used by the insured enterprises as a basis for the research and development of cyber security policies. After that, this research will explain FAIR (Factor Analysis of Information Risk) model developed by Jack Freund and Jack Jones, and NIST (National Institute of Standards and Technology) cyber security framework, then draw up the parameters in FAIR based on the information mentioned in the first half of the paper, and combined with NIST cyber security framework, several medical institutions are used as examples to evaluate the risk of data breach, and finally the process of insurers obtaining premiums based on risk value is further simulated for their reference.
The research results show the consequences of the analysis taking medical industry as example, and due to the similarity of business, we can expect that the process of risk assessment in this research can also be applied to many other types of insured industries. Besides, types of losses experienced by diverse industries in various cyber incidents have also been tabulated. That can be used by insureds or insurers as a basis to adjust operating policies. |