Method for insuring IT risks

This paper explains in detail the method behind the insurance database estimated maximum information technology loss (EMitL). The database has been a crucial tool to make it possible to insure IT perils. It helps to insure IT-perils financially in the same professional way as consequences of traditional perils like fire, flood, and robbery are insured, and thereby secures shareholders\´ investments. EMitL estimates the security awareness in an existing IT-platform. Based on that information, existing security measures can be "priced" as they may reduce the estimated maximum loss figures - and thereby the costs for the insurance. In addition, a more cost-effective decision can be made on additional security measures. Furthermore, the costs for the loss exposure inherent in a business service/product can be estimated in a better way, and thereby be incorporated in the product\´s price. The IT insurances are based on the traditional industries\´ classes: liability, loss of property, and business interruption. The insurance class liability is divided into insurance policies for: business interruption, fraud and embezzlement, robbery and theft, defamation, infringement of privacy, and infringement of code, trademark etc. The insurance policies in the class loss of property are: fraud and embezzlement, and robbery and theft. The database EMitL layers insurance covers, which is a common method in the insurance industry. This means that the insurance policies are layered according to the amount of financial cover they provide. The insurance levels relate and are converted to security levels. These levels are built on the IT security properties integrity, availability and confidentiality, and are utilized differently, depending on the insurance level and the type of insurance policy. The properties and the levels constitute the base of the security polices produced by EMitL; they are used for the estimation of security awareness and as terms of insurance.