University of Worcester Worcester Research and Publications

An Insurance-based Approach to Improving SME Cyber Security

Henson, Richard and Sutcliffe, D. (2017) An Insurance-based Approach to Improving SME Cyber Security. In: Special Topics in Economics & Management : An Introduction. ATINER, Athens, pp. 171-186. ISBN 978-960-598-103-7


There has been increasing concern in recent years about the lack of urgency in SMEs regarding security of their information. Concern stems from the risks SMEs are taking not only with their own data, but also with the data they share with supply chain partners. Current surveys have shown that the situation is getting worse, with human error compounded by cybercriminals exploiting weaknesses in SME systems and using them to hack supply chain hubs.

In this paper, a researcher and a practitioner from the UK investigate possible reasons for SMEs' apparent lack of interest in securing data or developing information security management systems (ISMSs). In the absence of UK legislation, the only way SMEs are likely to improve their information security en masse is through pressure from supply chain partners, particularly supply chain hubs. The authors present an interesting development in cyber liability insurance which provides the basis for a cost-effective solution that will encourage good information assurance across the supply chain.

The solution, offered in association with a major international insurer, is explained in detail in this paper. It has the dual advantages for participating SMEs of ensuring that they achieve a level of information assurance that will offer them actual protection, and at the same time providing them with insurance that will protect them financially against data breaches or other costly consequences of weak information security. The scheme used will provide actuarial evidence for the insurer to further refine the model. Clients that cannot show evidence of a base level of security will not get insurance cover; by contrast, those assessed as being more secure will be eligible for a discount. The tool used in this model is a self-assessed version of the IASME or Cyber Essentials information assurance standards, both recently developed in the UK to meet the needs of SMEs wishing to safeguard their precious information but not possessing the resources to achieve the ISO27001 standard.

Item Type: Book Section
Additional Information: The full-text of the online publication can be accessed via the Official URL.

Uncontrolled Discrete Keywords: SME, information risk management, information assurance, ISMS, Information Security Management Systems, data protection legislation, economics of information security, supply chain, standard, ISO27001, IASME, self-assessment, insurance, cyber liability, cyber essentials
Subjects: H Social Sciences > HD Industries. Land use. Labor > HD61 Risk Management
Divisions: College of Business, Psychology and Sport > Worcester Business School
Depositing User: Richard Henson
Date Deposited: 10 Aug 2017 07:20
Last Modified: 17 Jun 2020 17:18
