| dc.description.abstract | With the vigorous development of the cyber activity, the cyber risks of various countries have increased yearly. Therefore, the insurance industry is also actively developing the insurance market in the cyber security field. However, in Taiwan, the development of insurance industry in this field is still limited due to insufficient understanding of classification and measurement of cyber risks. In fact, even in the United States, where cyber insurance started early, insurers did not have enough confidence in their own risk assessment model. It is not surprising that Taiwan is in such a predicament.
This research will first summarize and introduce the classification, frequency, approach, loss status, severity classification, etc. of various cyber risk events, and use real or hypothetical cases to specifically reproduce the situation, which can not only be used as a reference for insurance enterprises when designing products and drawing up premiums, but also be used by the insured enterprises as a basis for the research and development of cyber security policies. After that, this research will explain FAIR (Factor Analysis of Information Risk) model developed by Jack Freund and Jack Jones, and NIST (National Institute of Standards and Technology) cyber security framework, then draw up the parameters in FAIR based on the information mentioned in the first half of the paper, and combined with NIST cyber security framework, several medical institutions are used as examples to evaluate the risk of data breach, and finally the process of insurers obtaining premiums based on risk value is further simulated for their reference.
The research results show the consequences of the analysis taking medical industry as example, and due to the similarity of business, we can expect that the process of risk assessment in this research can also be applied to many other types of insured industries. Besides, types of losses experienced by diverse industries in various cyber incidents have also been tabulated. That can be used by insureds or insurers as a basis to adjust operating policies. | en_US |