{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T10:40:13Z","timestamp":1775040013827,"version":"3.50.1"},"reference-count":100,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2017,11,17]],"date-time":"2017-11-17T00:00:00Z","timestamp":1510876800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Inf Syst Front"],"published-print":{"date-parts":[[2019,10]]},"DOI":"10.1007\/s10796-017-9808-5","type":"journal-article","created":{"date-parts":[[2017,11,17]],"date-time":"2017-11-17T18:55:05Z","timestamp":1510944905000},"page":"997-1018","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":47,"title":["Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance"],"prefix":"10.1007","volume":"21","author":[{"given":"Arunabha","family":"Mukhopadhyay","sequence":"first","affiliation":[]},{"given":"Samir","family":"Chatterjee","sequence":"additional","affiliation":[]},{"given":"Kallol K.","family":"Bagchi","sequence":"additional","affiliation":[]},{"given":"Peteer J.","family":"Kirs","sequence":"additional","affiliation":[]},{"given":"Girja K.","family":"Shukla","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,11,17]]},"reference":[{"issue":"3","key":"9808_CR1","doi-asserted-by":"publisher","first-page":"219","DOI":"10.1016\/j.cose.2006.10.002","volume":"26","author":"OH Alhazmi","year":"2007","unstructured":"Alhazmi, O. H., Malaiya, Y. K., & Ray, I. (2007). Measuring, analyzing and predicting security vulnerabilities in software systems. Computers and Security, 26(3), 219\u2013228.","journal-title":"Computers and Security"},{"key":"9808_CR2","unstructured":"Austin, R.D., Darby, C.R.A. (2003). The myth of secure computing. Harvard Business Review on Point Enhanced Edition."},{"issue":"3","key":"9808_CR3","doi-asserted-by":"publisher","first-page":"50","DOI":"10.1109\/MSP.2007.57","volume":"5","author":"WS Baer","year":"2007","unstructured":"Baer, W. S., & Parkinson, A. (2007). Cyber insurance in IT security management. IEEE Security and Privacy, 5(3), 50\u201356.","journal-title":"IEEE Security and Privacy"},{"key":"9808_CR4","first-page":"684","volume":"12","author":"K Bagchi","year":"2003","unstructured":"Bagchi, K., & Udo, G. (2003). An Analysis of the growth of the computer and internet security breaches. Communications of the AIS, 12, 684\u2013700.","journal-title":"Communications of the AIS"},{"key":"9808_CR5","doi-asserted-by":"publisher","unstructured":"Bandyopadhyay, T., Mookerjee, V. (2017). A model to analyze the challenge of using cyber insurance. Information Systems Frontiers, 1\u201325. https:\/\/doi.org\/10.1007\/s10796-017-9737-3 .","DOI":"10.1007\/s10796-017-9737-3"},{"issue":"11","key":"9808_CR6","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1145\/1592761.1592780","volume":"52","author":"T Bandyopadhyay","year":"2009","unstructured":"Bandyopadhyay, T., Mookerjee, V. S., & Rao, R. C. (2009). Why it managers don't go for cyber-insurance products. Communications of the ACM, 52(11), 68\u201373.","journal-title":"Communications of the ACM"},{"issue":"4","key":"9808_CR7","doi-asserted-by":"publisher","first-page":"375","DOI":"10.1145\/162124.162127","volume":"25","author":"RL Baskerville","year":"1993","unstructured":"Baskerville, R. L. (1993). Information systems security design methods: implication for information systems development. ACM Computing Surveys, 25(4), 375\u2013414.","journal-title":"ACM Computing Surveys"},{"key":"9808_CR8","unstructured":"Baskerville, R. L. (2008). Strategic information security risk management. In W. D. Straub, S. Goodman, & R. L. Baskerville (Eds.), Information security, policy, processes and practices (pp. 112\u2013122). Routledge: M E Sharpe."},{"key":"9808_CR9","unstructured":"McCann, E. (2014). Breach alert: Hackers swipe data of 4.5M. http:\/\/www.healthcareitnews.com\/news\/breach-alert-hackers-swipe-data-45m . Accessed 7 Nov 2007"},{"key":"9808_CR10","volume-title":"Secure computer systems: A refinement of the mathematical model","author":"ED Bell","year":"1974","unstructured":"Bell, E. D. (1974). Secure computer systems: A refinement of the mathematical model. Bedford: NTIS U.S. Department of Commerce, Mitre Corporation."},{"key":"9808_CR11","unstructured":"Biba, J. K. (1977). Integrity considerations for secure computer systems. MTR-3153, The Mitre Corporation, April 1977."},{"key":"9808_CR12","unstructured":"Biswas B., Mukhopadhyay A. (2017). Phishing detection and loss computation hybrid model: A machine-learning approach. ISACA Journal, 1, 22\u201329"},{"key":"9808_CR13","doi-asserted-by":"crossref","unstructured":"Biswas B., Pal S., Mukhopadhyay A. (2016). AVICS-Eco framework: An approach to attack prediction and vulnerability assessment in a cyber Ecosystem. Proceedings of the 22nd Americas Conference on Information Systems. San Diego: Association for Information Systems.","DOI":"10.2139\/ssrn.2792074"},{"key":"9808_CR14","unstructured":"Biswas, B., Mukhopadhyay, A., Dhillon, G. (2017). GARCH-based risk assessment and mean-variance-based risk mitigation framework for software vulnerabilities. In Proceedings of 23rd Americas Conference on Information Systems. Association for Information Systems."},{"key":"9808_CR15","first-page":"97","volume-title":"Information security is information risk management. Proceedings of the workshop on New security paradigms (NSPW '01)","author":"B Blakley","year":"2001","unstructured":"Blakley, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. Proceedings of the workshop on New security paradigms (NSPW '01) (pp. 97\u2013104). New York: ACM."},{"key":"9808_CR16","volume-title":"Cyber-insurance revisited","author":"R B\u00f6hme","year":"2005","unstructured":"B\u00f6hme, R. (2005). Cyber-insurance revisited. Harvard: Workshop on the Economics of Information Security (WEIS)."},{"key":"9808_CR17","unstructured":"B\u00f6hme, R., Kataria, G. (2006). Models and measures for correlation in cyber-insurance. UK: Workshop on the Economics of Information Security (WEIS) University of Cambridge, 2006, June."},{"key":"9808_CR18","unstructured":"B\u00f6hme, R., Schwartz, G. (2010). Modeling cyber-insurance: Towards a unifying framework. Harvard: Workshop on the Economics of Information Security (WEIS), 2010, June."},{"key":"9808_CR19","volume-title":"Cyber insurance as an incentive for internet security","author":"J Bolot","year":"2008","unstructured":"Bolot, J., & LeLarge, M. (2008). Cyber insurance as an incentive for internet security. Hanover: Workshop on the Economics of Information Security (WEIS)."},{"issue":"3","key":"9808_CR20","doi-asserted-by":"publisher","first-page":"523","DOI":"10.2307\/25750690","volume":"34","author":"B Bulgurcu","year":"2010","unstructured":"Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523\u2013548.","journal-title":"MIS Quarterly"},{"key":"9808_CR21","volume-title":"2009 internet crime report","author":"Bureau of Justice Assistance","year":"2009","unstructured":"Bureau of Justice Assistance. (2009). 2009 internet crime report. Washington, D.C: U.S. Department of Justice."},{"key":"9808_CR22","unstructured":"Calandro, J., Matrejek, E., Pollard, N. (2014). Managing cyber risks with insurance: key factors to consider when evaluating how cyber insurance can enhance your security program. Price Water House Publication number BS-14-0534-A.0614. Available at http:\/\/www.pwc.com\/us\/en\/increasing-it-effectiveness\/publications\/assets\/pwc-managing-cyber-risks-with-insurance.pdf ."},{"key":"9808_CR23","doi-asserted-by":"publisher","first-page":"431","DOI":"10.3233\/JCS-2003-11308","volume":"11","author":"K Campbell","year":"2003","unstructured":"Campbell, K., Gordon, L. A., & Loeb, M. P. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, 11, 431\u2013448.","journal-title":"Journal of Computer Security"},{"issue":"1","key":"9808_CR24","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1080\/10864415.2004.11044320","volume":"9","author":"H Cavusoglu","year":"2004","unstructured":"Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers. International Journal of Electronic Commerce, 9(1), 69\u2013105.","journal-title":"International Journal of Electronic Commerce"},{"issue":"4","key":"9808_CR25","doi-asserted-by":"publisher","first-page":"657","DOI":"10.1287\/mnsc.1070.0794","volume":"54","author":"H Cavusoglu","year":"2008","unstructured":"Cavusoglu, H., Cavusoglu, H., & Zhang, J. (2008). Security patch management: share the burden or share the damage? Management Science, 54(4), 657\u2013670.","journal-title":"Management Science"},{"key":"9808_CR26","volume-title":"SSADM-CRAMM subject guide for SSADM version 3 and CRAMM version 2","author":"CCTA","year":"1991","unstructured":"CCTA. (1991). SSADM-CRAMM subject guide for SSADM version 3 and CRAMM version 2. London: Central Computer and Telecommunications Agency, IT Security and Privacy Group, Her Majesty\u2019s Government."},{"key":"9808_CR27","unstructured":"Clark, D., Wilson, D. (1988). Evolution of a model for computer integrity. 11th National Computer Security Conference, Postscript to Proceedings, NIST\/NCSC (pp. 14\u201327). October 1998."},{"issue":"2","key":"9808_CR28","first-page":"28","volume":"45","author":"TR Cleman","year":"1999","unstructured":"Cleman, T. R., & Reilly, T. (1999). Correlations and copulas for decision and risk analysis. Management Science, 45(2), 28\u2013224.","journal-title":"Management Science"},{"key":"9808_CR29","first-page":"97","volume-title":"Security risk assessment in electronic data processing","author":"R Courtney","year":"1977","unstructured":"Courtney, R. (1977). Security risk assessment in electronic data processing (pp. 97\u2013104). Arlington: AFIPS."},{"key":"9808_CR30","doi-asserted-by":"crossref","unstructured":"Cutler, D. M., & Zeckhauser, R. (2003). Extending the theory to meet the practice of insurance. Brookings-Wharton Papers on Financial Services (pp. 1\u201353). Washington, DC: Brookings Institution Press.","DOI":"10.1353\/pfs.2004.0002"},{"key":"9808_CR31","doi-asserted-by":"crossref","unstructured":"Das, S., Mukhopadhyay, A., & Anand, M. (2012). The stock Market response to public announcement of information security breach on a firm: an Exploratory study using firm and attack characteristics. Journal of Information Privacy and Security JIPS, 7(4), 27\u201355.","DOI":"10.1080\/15536548.2012.10845665"},{"key":"9808_CR32","doi-asserted-by":"publisher","unstructured":"Das, S., Mukhopadhyay, A., Shukla, G. K. (2013). i-HOPE framework for predicting cyber breaches: a logit approach. Proceedings of the 46th Hawaii International Conference on System Sciences (HICSS) (pp. 3008\u20133017). Hawaii: IEEE. https:\/\/doi.org\/10.1109\/HICSS.2013.256 .","DOI":"10.1109\/HICSS.2013.256"},{"key":"9808_CR33","unstructured":"Dash, E. (2011). City data theft points up a nagging problem. New York Times, June 9, 2011."},{"issue":"7","key":"9808_CR34","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1145\/341852.341877","volume":"43","author":"G Dhillon","year":"2000","unstructured":"Dhillon, G., & Backhouse, J. (2000). Information system security management in the new millennium. Communications of the ACM, 43(7), 125\u2013127.","journal-title":"Communications of the ACM"},{"issue":"8","key":"9808_CR35","doi-asserted-by":"publisher","first-page":"715","DOI":"10.1016\/S0167-4048(01)00813-6","volume":"20","author":"G Dhillon","year":"2001","unstructured":"Dhillon, G., & Moores, S. (2001). Computer crimes: theorizing about the enemy within. Computers & Security, 20(8), 715\u2013723.","journal-title":"Computers & Security"},{"issue":"3","key":"9808_CR36","doi-asserted-by":"publisher","first-page":"293","DOI":"10.1111\/j.1365-2575.2006.00219.x","volume":"16","author":"G Dhillon","year":"2006","unstructured":"Dhillon, G., & Torkzadeh, G. (2006). Value focused assessment of information system security in organizations. Information Systems Journal, 16(3), 293\u2013314.","journal-title":"Information Systems Journal"},{"issue":"4","key":"9808_CR37","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1002\/spip.322","volume":"12","author":"R Di","year":"2007","unstructured":"Di, R., Hillairet, M., Picard, M., Rifaut, A., Bernard, C., Hagen, D., Maar, P., & Reinard, D. (2007). Operational risk management in financial institutions: process assessment in concordance with Basel II. Software Process: Improvement and Practice, 12(4), 321\u2013330.","journal-title":"Software Process: Improvement and Practice"},{"key":"9808_CR38","unstructured":"Dutta, K., & Perry, J. (2011). A tale of tails: an empirical analysis of loss distribution models for estimating operational risk capital. Working paper No.06\u201313, Federal Reserve Bank of Boston."},{"issue":"3","key":"9808_CR39","doi-asserted-by":"publisher","first-page":"399","DOI":"10.1007\/s10796-012-9348-y","volume":"16","author":"F Fang","year":"2014","unstructured":"Fang, F., Parameswaran, M., Zhao, X., & Whinston, A. B. (2014). An economic mechanism to manage operational security risks for inter-organizational information systems. Information Systems Frontiers, 16(3), 399\u2013416.","journal-title":"Information Systems Frontiers"},{"key":"9808_CR40","unstructured":"FBI. (2009). High-tech heist: 2,100 ATMs worldwide hit at once. Available at: http:\/\/www.fbi.gov\/news\/stories\/2009\/november\/atm_111609 ."},{"key":"9808_CR41","unstructured":"Finkle, J. Freifeld, K. (2014). http:\/\/www.reuters.com\/article\/2014\/04\/03\/us-experian-databreach-idUSBREA321SL20140403 . April 2014."},{"key":"9808_CR42","doi-asserted-by":"publisher","unstructured":"Geer Jr., D., Hoo, K. S., & Jaquith, A. (2003). Information security: why the future belongs to the quants. IEEE Security and Privacy, 99(4), 24\u201332. https:\/\/doi.org\/10.1109\/MSECP.2003.1219053","DOI":"10.1109\/MSECP.2003.1219053"},{"issue":"5","key":"9808_CR43","first-page":"26","volume":"84","author":"LA Gordon","year":"2002","unstructured":"Gordon, L. A., & Loeb, M. P. (2002). Return on information security investments, myths vs realities. Strategic Finance, 84(5), 26\u201331.","journal-title":"Strategic Finance"},{"issue":"3","key":"9808_CR44","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1145\/636772.636774","volume":"46","author":"LA Gordon","year":"2003","unstructured":"Gordon, L. A., Loeb, M. P., & Sohai, T. L. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81\u201385.","journal-title":"Communications of the ACM"},{"key":"9808_CR45","unstructured":"Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R. (2009). CSI\/FBI computer crime and security survey. GoCSI.com."},{"key":"9808_CR46","unstructured":"Gorman, S. (2012). Alert on hacker power play: U.S. official signals growing concern over anonymous group's capabilities. http:\/\/online.wsj.com\/article_email\/SB10001424052970204059804577229390105521090-lMyQjAxMTAyMDIwMDEyNDAyWj.html ."},{"key":"9808_CR47","doi-asserted-by":"crossref","unstructured":"Grzebiela, T. (2002). Insurability of electronic commerce risks. Proceedings of the Hawaii International Conference on System Sciences, 35, USA.","DOI":"10.1109\/HICSS.2002.994177"},{"issue":"6","key":"9808_CR48","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1016\/0167-4048(87)90030-7","volume":"6","author":"S Guarrao","year":"1987","unstructured":"Guarrao, S. (1987). Principles and procedures of the LRAM approach to information systems risk analysis and management. Computers & Security, 6(6), 493\u2013504.","journal-title":"Computers & Security"},{"key":"9808_CR49","unstructured":"Harmantzis, C.F. (2003). Operational risk management. ORMS Today, 30(1)."},{"key":"9808_CR50","unstructured":"Hartwig, R. P., & Wilkinson, C. (2014). Cyber risks: the growing threat (pp. 1\u201327). USA: Insurance Information Institute."},{"key":"9808_CR51","unstructured":"Herath, H., Herath, T. (2011). Copula based actuarial model for pricing cyber, insurance policies insurance markets and companies: analyses and actuarial computations, 2."},{"key":"9808_CR52","unstructured":"Hoffman, J. et al. (1978). SECURATE\u2014security evaluation and analysis using fuzzy metrics (pp. 531\u2013540). Proceedings of the AFIPS National Conference Proceedings, Arlingtion"},{"key":"9808_CR53","volume-title":"Introduction to statistics with applications to general insurance","author":"BI Hossack","year":"1983","unstructured":"Hossack, B. I., Pollard, J., & Zehnwirth, B. (1983). Introduction to statistics with applications to general insurance. Cambridge: Cambridge University Press."},{"key":"9808_CR54","unstructured":"Identity Theft Center. (2007). http:\/\/www.idtheftcenter.org\/ . Last consulted 5\u20136-2007."},{"key":"9808_CR55","volume-title":"Introduction to Bayesian networks","author":"FV Jensen","year":"1996","unstructured":"Jensen, F. V. (1996). Introduction to Bayesian networks. Secaucus: Springer-Verlag New York, Inc."},{"key":"9808_CR56","unstructured":"Jueneman, R.R. (1989). Integrity controls for military and commercial applications CSC professional. Report CSC\/PR-89\/3001."},{"issue":"1","key":"9808_CR57","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1145\/35043.35050","volume":"31","author":"Y Kahane","year":"1988","unstructured":"Kahane, Y., Neumann, S., & Taperio, S. C. (1988). Computer backup pools, disaster recovery, and default risk. Communications of the ACM, 31(1), 78\u201383.","journal-title":"Communications of the ACM"},{"issue":"2","key":"9808_CR58","doi-asserted-by":"publisher","first-page":"263","DOI":"10.2307\/1914185","volume":"47","author":"D Kahneman","year":"1979","unstructured":"Kahneman, D., & Tversky, A. (1979). Prospect theory: an analysis of decision under risk. Economterica, 47(2), 263\u2013292.","journal-title":"Economterica"},{"key":"9808_CR59","unstructured":"Keily, G. (2014). eBay suffers massive security breach, all users must change their passwords. http:\/\/www.forbes.com\/sites\/gordonkelly\/2014\/05\/21\/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords\/ ."},{"key":"9808_CR60","volume-title":"Cyberinsurance as a market-based solution to the problem of cybersecurity: A case study","author":"JP Kesan","year":"2005","unstructured":"Kesan, J. P., & Majuca, R. (2005). Cyberinsurance as a market-based solution to the problem of cybersecurity: A case study. Harvard: Fourth Workshop on the Economics of Information Security (WEIS)."},{"key":"9808_CR61","unstructured":"Kesan, J.P., Ruperto, P.M., Willam, J.Y. (2004). The economic case for cyber insurance. Working Paper Series No. Paper No. LE04\u2013004, Illinois Law and Economics."},{"key":"9808_CR62","unstructured":"Kunreuther, H. (1997). Managing catastrophic risks through insurance and mitigation. Proceedings of the 5th Alexander Howden Conference on Financial Risk Management for Natural Catastrophes, August 24\u201326, 1997."},{"key":"9808_CR63","unstructured":"Majuca, P., Yurcik, W., Kesan, J.P. (2005). The evolution of cyber insurance. Available at: http:\/\/arxiv.org\/ftp\/cs\/papers\/0601\/0601020.pdf ."},{"key":"9808_CR64","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1093\/oxfordjournals.bjc.a014232","volume":"38","author":"S Mann","year":"1998","unstructured":"Mann, S. (1998). Netcrime: more change in the organization of thieving. British Journal of Criminology, 38, 201\u2013229.","journal-title":"British Journal of Criminology"},{"key":"9808_CR65","unstructured":"McLeod, D. (2015). Increased cyber losses means more litigation over claim. Business Insurance. Available at http:\/\/www.businessinsurance.com\/article\/20150222\/NEWS06\/303019999\/1248 ."},{"key":"9808_CR66","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1109\/MSP.2015.137","volume":"6","author":"PH Meland","year":"2015","unstructured":"Meland, P. H., Inger, A. T., & Solhaug, B. (2015). Mitigating risk with cyber insurance. IEEE Security and Privacy, 6, 38\u201343.","journal-title":"IEEE Security and Privacy"},{"key":"9808_CR67","unstructured":"Miccolis, J., Shaw, S.( 2000). Enterprise Risk Management: An Analytic Approach. New York:Tillinghast \u2013 Towers Perrin"},{"issue":"3","key":"9808_CR68","doi-asserted-by":"publisher","first-page":"565","DOI":"10.1287\/isre.2015.0587","volume":"26","author":"S Mitra","year":"2015","unstructured":"Mitra, S., & Ransbotham, S. (2015). Information disclosure and the diffusion of information security attacks. Information Systems Research, 26(3), 565\u2013584.","journal-title":"Information Systems Research"},{"key":"9808_CR69","volume-title":"Cybercrime: Investigating high-technology computer crime","author":"R Moore","year":"2005","unstructured":"Moore, R. (2005). Cybercrime: Investigating high-technology computer crime. Cleveland: Anderson Publishing."},{"key":"9808_CR70","doi-asserted-by":"crossref","unstructured":"Mukhopadhyay, A. Chakrabarti, B. B., Saha, D., Mahanti, A. (2007a). e-Risk management through self-insurance: an option model. Proceedings of the Hawaii International Conference on System Sciences, 40. Washington, DC: IEEE Computer Society.","DOI":"10.1109\/HICSS.2007.192"},{"key":"9808_CR71","doi-asserted-by":"publisher","unstructured":"Mukhopadhyay, A., Chatterjee, S., Roy, R., Saha, D., Mahanti, A., Sadhukhan S. K. (2007b). Insuring big losses due to security breaches through insurance: A business model 2014. Proceedings of the 47th Hawaii International Conference on System Sciences. Hawaii: IEEE. https:\/\/doi.org\/10.1109\/HICSS.2007.280","DOI":"10.1109\/HICSS.2007.280"},{"key":"9808_CR72","unstructured":"Mukhopadhyay, A., Das, S., Sadhukhan, S. K. (2013a). Vulnerable path determination in mobile ad-hoc networks using Markov Model. Proceedings of the 19th Conference Amercias Conference on Information Systems (AMCIS)."},{"key":"9808_CR73","doi-asserted-by":"crossref","unstructured":"Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A. and Sadhukan, S. K. (2013b). Cyber-Risk Decision Models: To Insure IT or Not?. Decision Support Systems, 56(1), 11\u201326.","DOI":"10.1016\/j.dss.2013.04.004"},{"key":"9808_CR74","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4899-3242-6","volume-title":"Generalized linear models, 2nd edition","author":"P McCullagh","year":"1989","unstructured":"McCullagh, P., & Nelder, J. A. (1989). Generalized linear models, 2nd edition. London: Chapman & HaI\/~CRC."},{"key":"9808_CR75","unstructured":"New York Times. (2007). Digital fears emerge after data siege in Estonia. May 29, 2007."},{"key":"9808_CR76","unstructured":"New York Times. (2008). Before the gunfire, cyber -attacks twitter. August 12, 2008."},{"key":"9808_CR77","unstructured":"Newman, J. (2013). Adobe security breach worse than originally thought. http:\/\/www.pcworld.com\/article\/2059002\/adobe-security-breach-worse-than-originallythought.html ."},{"key":"9808_CR78","volume-title":"Cyber insurance and IT security investment: Impact of interdependent risk","author":"H Ogut","year":"2005","unstructured":"Ogut, H., & Menon, N. (2005). Cyber insurance and IT security investment: Impact of interdependent risk. Harvard: Fourth Workshop on the Economics of Information Security (WEIS)."},{"issue":"3","key":"9808_CR79","doi-asserted-by":"publisher","first-page":"497","DOI":"10.1111\/j.1539-6924.2010.01478.x","volume":"31","author":"H \u00d6\u011f\u00fct","year":"2011","unstructured":"\u00d6\u011f\u00fct, H., Raghunathan, S., & Menon, N. (2011). Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis, 31(3), 497\u2013512.","journal-title":"Risk Analysis"},{"key":"9808_CR80","unstructured":"Ozier, W. (1989). Risk quantification problems and Bayesian decision support system solutions. Information Age, 11(4), 229\u2013234."},{"issue":"4","key":"9808_CR81","doi-asserted-by":"publisher","first-page":"331","DOI":"10.1016\/S0167-4048(01)00411-4","volume":"20","author":"RC Reid","year":"2001","unstructured":"Reid, R. C., & Stephen, A. F. (2001). Extending the risk analysis model to include market-insurance. Computers & Security, 20(4), 331\u2013339.","journal-title":"Computers & Security"},{"key":"9808_CR82","volume-title":"Principles of risk management and insurance","author":"GE Rejda","year":"2010","unstructured":"Rejda, G. E. (2010). Principles of risk management and insurance (10th ed.). London: Pearson Publication.","edition":"10"},{"key":"9808_CR83","first-page":"1","volume-title":"CSI computer crime and security survey","author":"R Richardson","year":"2007","unstructured":"Richardson, R. (2007). CSI computer crime and security survey (pp. 1\u201328). San Francisco: Computer Security Institute Inc.."},{"key":"9808_CR84","unstructured":"Robertson, J. (2014). China\u2019s hack of 4.5 million U.S medical records? This chart will make you sick. http:\/\/www.bloomberg.com\/news\/2014-08-21\/china-s-hack-of-4-5-million-u-s-medical-records-this-chart-will-make-you-sick.html . August 2014."},{"key":"9808_CR85","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1016\/j.cose.2015.03.003","volume":"51","author":"Y Roumani","year":"2015","unstructured":"Roumani, Y., Nwankpa, J. K., & Rouman, Y. F. (2015). Time series modeling of vulnerabilities. Computers & Security, 51, 32\u201340.","journal-title":"Computers & Security"},{"key":"9808_CR86","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.cose.2015.07.001","volume":"55","author":"J Ruohone","year":"2015","unstructured":"Ruohone, J., Hyrynsalmi, S., & Lepp\u00e4nen, V. (2015). The sigmoidal growth of operating system security vulnerabilities: an empirical revisit. Computers & Security, 55, 1\u201320.","journal-title":"Computers & Security"},{"key":"9808_CR87","doi-asserted-by":"crossref","unstructured":"Salmela, H. (2008). Analyzing business losses caused by information systems risk: a business process analysis approach. Journal of Information Technology, 23(3), 185\u2013202.","DOI":"10.1057\/palgrave.jit.2000122"},{"key":"9808_CR88","unstructured":"Schneier, B. (2000). The insurance takeover. Information Security."},{"key":"9808_CR89","unstructured":"Schroeder, D. (2014). Cyber insurance: just one component of risk management. The Wall-Street Journal, May 27 2014. Available at http:\/blogs.wsj.com\/cio\/2014\/03\/27\/cyber-insurance-just-onecomponent-of-risk-management\/ ."},{"key":"9808_CR90","unstructured":"Shedden, P., Smith, W. R., Ahmad, A. (2010). Information security risk assessments: towards a business practice perspective. Edith Cowan University Research Online, http:\/\/ro.ecu.edu.au\/cgi\/viewcontent.cgi?article=1097&context=ism ."},{"key":"9808_CR91","volume-title":"Competitive cyber-insurance and internet security","author":"N Shetty","year":"2009","unstructured":"Shetty, N., Schwartz, G., Felegyhazi, M., & Walrand, J. (2009). Competitive cyber-insurance and internet security. London: Workshop on the Economics of Information Security (WEIS)."},{"issue":"2","key":"9808_CR92","doi-asserted-by":"publisher","first-page":"266","DOI":"10.1016\/S0167-4048(02)00313-9","volume":"21","author":"E Smith","year":"2002","unstructured":"Smith, E., & Eloff, J. H. P. (2002). A prototype for assessing information technology risks in health care. Computers & Security, 21(2), 266\u2013284.","journal-title":"Computers & Security"},{"key":"9808_CR93","unstructured":"Smith, S.T., & Lim, J.J. (1984). An automated method for assessing the effectiveness of computer security safeguards. In Computer Security A Global Challenge (pp. 321\u2013328). Amsterdam: North-Holland Publishing Co.."},{"key":"9808_CR94","unstructured":"Smithson, S., Song, P. (2004). Quantifying operational risk. Risk, 57\u201359."},{"issue":"6","key":"9808_CR95","doi-asserted-by":"publisher","first-page":"443","DOI":"10.1016\/j.cose.2005.07.003","volume":"24","author":"V Solms","year":"2005","unstructured":"Solms, V. (2005). Information security governance - compliance management vs operational management. Computers & Security, 24(6), 443\u2013447.","journal-title":"Computers & Security"},{"key":"9808_CR96","volume-title":"Ethics and technology: Ethical issues in an age of information and communication technology","author":"H Tavani","year":"2007","unstructured":"Tavani, H. (2007). Ethics and technology: Ethical issues in an age of information and communication technology. Hoboken: John Wiley."},{"key":"9808_CR97","unstructured":"TechFlash. (2009). Walmart, Amazon.com hit with denial of service attack. December 24, 2009. Available at: http:\/\/www.techflash.com\/seattle\/2009\/12\/walmart_amazoncom_hit_with_denial_of_service_atack.html ."},{"key":"9808_CR98","unstructured":"Times of India. (2013). http:\/\/timesofindia.indiatimes.com\/tech\/tech-news\/Cybercrimes-cost-India-4-billion-in-2013-Symantec\/articleshow\/24551193.cms . Accessed 7 Nov 2017"},{"issue":"4","key":"9808_CR99","doi-asserted-by":"publisher","first-page":"441","DOI":"10.2307\/249551","volume":"22","author":"W Straub","year":"1998","unstructured":"Straub, W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision-making. MIS Quarterly, 22(4), 441\u2013469.","journal-title":"MIS Quarterly"},{"key":"9808_CR100","volume-title":"Cyber insurance: A market solution to the internet security market failure","author":"W Yurcik","year":"2002","unstructured":"Yurcik, W. (2002). Cyber insurance: A market solution to the internet security market failure. Berkeley: Workshop on the Economics of Information Security (WEIS)."}],"container-title":["Information Systems Frontiers"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10796-017-9808-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10796-017-9808-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10796-017-9808-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,10,22]],"date-time":"2020-10-22T03:09:12Z","timestamp":1603336152000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10796-017-9808-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,11,17]]},"references-count":100,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2019,10]]}},"alternative-id":["9808"],"URL":"https:\/\/doi.org\/10.1007\/s10796-017-9808-5","relation":{},"ISSN":["1387-3326","1572-9419"],"issn-type":[{"value":"1387-3326","type":"print"},{"value":"1572-9419","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,11,17]]},"assertion":[{"value":"17 November 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}