Bridging the Gap Between Businesses and Insurers: A Systematic Review of Cyber Insurance Research
Author(s): HARALDSSON, Annie; PADYAB, Ali; AL SALEK, Aous
Author(s) keywords: Cyber insurance, Cyber insurer, cybersecurity, Insurance adoption, Policy coverage, Systematic literature review, Underwriting
Reference keywords: business, cyber insurance, cybersecurity
Abstract:
Cyber insurance has become a complementary risk-transfer mechanism to traditional cybersecurity investments. While firm-level adoption (policy purchase) has risen in recent years, many organizations remain hesitant due to unclear policy terms, high premiums, and complex underwriting. At the same time, insurers face difficulties in pricing coverage, assessing heterogeneous risks, and addressing systemic threats. This paper presents a systematic literature review of cyber-insurance research published between 2015 and 2025, examining both business and insurer perspectives. We analyzed 41 peer-reviewed sources using thematic coding to identify recurring themes, barriers, and enablers. On the business side, studies frame cyber insurance as an investment decision, investigating adoption drivers, policy comprehension, and cost-effectiveness. On the insurer side, research highlights challenges in premium calculation, loss modeling, data collection, and standardization. Across both perspectives, moral hazard, asymmetric information, and the lack of harmonized policy language remain central obstacles. The review also identifies emerging opportunities, including the use of AI and standardized frameworks to improve risk assessment and underwriting. We conclude with a research agenda outlining six directions for future work with implications for both academia and industry.
Date of Publication: 2025-12-24
Publication: International Journal of Information Security and Cybercrime
ISSN: 2285-9225 e-ISSN: 2286-0096
Digital Object Identifier: 10.19107/IJISC.2025.02.01
Issue: Volume XIV, Issue 2, Year 2025
Section: Advances in Information Security Research
Page Range: 9-24 (16 pages)


---