“Officials can look at the probabilities of attacks succeeding and probabilities that these result in different depths of financial losses. Then officials can factor in how adopting different preventive measures might draw down those costs. This lets officials estimate how much investing in a better backup system or in anti-phishing training, for example, might reduce losses and compare these against other possible approaches.
Governments can then consider whether they’d rather self-insure or purchase commercial insurance to handle any remaining costs unlikely to be mitigated by defensive measures. Using the model, they can predict how those choices could play out. For example, a government might find an 8 percent — or one-in-12 years — chance of incurring losses that outstrip the funds they have saved and can then decide whether they’re comfortable with this or prefer to purchase commercial insurance to cover such a scenario, the report states.”
Source: Panelists: In Govt Cybersecurity, Insurance Should Be ‘Plan D’
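The decision procedure the panelists describe (an annual probability that each attack succeeds, a distribution of loss given success, the reduction each preventive measure buys for its cost, and the chance that one year's losses outstrip the reserve a government has set aside) can be worked through in a small model. The following is an added example and is not code from the article or from the report it quotes; the scenarios, reserve, control costs and control effects are constructed figures for illustration, and the lognormal loss-severity model is an assumption of this example rather than something the report specifies.

```python
"""Toy cyber-risk quantification: expected annual loss, control comparison and
loss-exceedance probability. All numbers below are constructed for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_success: float    # annual probability that the attack succeeds
    median_loss: float  # median loss given success (lognormal severity, assumed)
    sigma: float        # lognormal dispersion (standard deviation in log space)

    def mean_loss(self) -> float:
        # E[lognormal] = exp(mu + sigma^2 / 2) with mu = ln(median)
        return self.median_loss * math.exp(self.sigma ** 2 / 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    p_factor: dict      # scenario name -> multiplier on p_success (0.5 halves it)
    loss_factor: dict   # scenario name -> multiplier on median loss


# Constructed baseline: two attack scenarios for a hypothetical municipality.
BASELINE = [
    Scenario("ransomware", p_success=0.10, median_loss=2_000_000, sigma=1.0),
    Scenario("phishing_bec", p_success=0.30, median_loss=150_000, sigma=0.8),
]
# Constructed controls: a better backup system shrinks ransomware losses,
# anti-phishing training lowers the chance a phishing campaign succeeds.
BACKUP = Control("better backups", 120_000, {}, {"ransomware": 0.4})
TRAINING = Control("anti-phishing training", 40_000, {"phishing_bec": 0.5}, {})
RESERVE = 1_000_000  # constructed: funds the government has set aside


def apply_control(scenarios, control):
    """Return the scenario list with the control's multipliers applied."""
    return [
        Scenario(s.name,
                 s.p_success * control.p_factor.get(s.name, 1.0),
                 s.median_loss * control.loss_factor.get(s.name, 1.0),
                 s.sigma)
        for s in scenarios
    ]


def expected_annual_loss(scenarios) -> float:
    """Closed-form EAL: sum over scenarios of P(success) * E[loss | success]."""
    return sum(s.p_success * s.mean_loss() for s in scenarios)


def net_benefit(scenarios, control) -> float:
    """Expected loss avoided per year minus the control's annual cost."""
    before = expected_annual_loss(scenarios)
    after = expected_annual_loss(apply_control(scenarios, control))
    return before - after - control.annual_cost


def simulate_annual_losses(scenarios, years, seed=1):
    """Monte Carlo: one total-loss figure per simulated year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.p_success:
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(total)
    return totals


def exceedance_probability(losses, reserve) -> float:
    """Fraction of simulated years in which losses outstrip the reserve."""
    return sum(1 for x in losses if x > reserve) / len(losses)


def years_between(p: float) -> float:
    """Turn an annual probability into a 'one-in-N-years' figure."""
    return math.inf if p == 0 else 1.0 / p


if __name__ == "__main__":
    print(f"baseline EAL: {expected_annual_loss(BASELINE):,.0f}")
    for c in (BACKUP, TRAINING):
        print(f"{c.name}: net benefit {net_benefit(BASELINE, c):,.0f}/yr")
    for label, scen in (("no controls", BASELINE),
                        ("with backups", apply_control(BASELINE, BACKUP))):
        p = exceedance_probability(simulate_annual_losses(scen, 20_000), RESERVE)
        print(f"{label}: P(loss > reserve) = {p:.3f}  (one in {years_between(p):.1f} years)")
```

With these constructed inputs the backup investment pays for itself in expected terms while the training does not, and the uncontrolled chance of exhausting the reserve lands near one year in thirteen; the residual exceedance probability after the controls are applied is the figure a government would weigh when choosing between self-insuring and buying commercial cover.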