Abstract Nowadays, cyber threats are considered among the most dangerous risks by top management of enterprises. One way to deal with these risks is to insure them, but cyber insurance is still quite expensive. The insurance fee can be reduced if organisations improve their cyber security protection, i.e., reducing the insured risk. In other words, organisations need an investment strategy to decide the optimal amount of investments into cyber insurance and self-protection. In this work, we propose an approach to help a risk-averse organisation to distribute its cyber security investments in a cost-efficient way. What makes our approach unique is that next to defining the amount of investments in cyber insurance and self-protection, our proposal also explicitly defines how these investments should be spent by selecting the most cost-efficient security controls. Moreover, we provide an exact algorithm for the control selection problem considering several threats at the same time and compare this algorithm with other approximate algorithmic solutions.

中文翻译：

---

通过选择具有成本效益的安全控制来优化网络保险范围。

摘要 如今，网络威胁被企业高层视为最危险的风险之一。应对这些风险的一种方法是为其投保，但网络保险仍然相当昂贵。如果组织改善其网络安全保护，即降低保险风险，则可以降低保险费用。换句话说，组织需要一种投资策略来决定网络保险和自我保护的最佳投资额。在这项工作中，我们提出了一种方法来帮助规避风险的组织以具有成本效益的方式分配其网络安全投资。我们的方法的独特之处在于，除了定义网络保险和自我保护的投资金额外，我们的提案还通过选择最具成本效益的安全控制，明确定义了这些投资的使用方式。此外，我们为同时考虑多种威胁的控制选择问题提供了一种精确算法，并将该算法与其他近似算法解决方案进行了比较。