Does insurance provide a model for cybersecurity pricing?

Outcome or results based pricing has become a hot topic again. Many see it as the ultimate form of pricing, and of value based pricing, as it ties the price paid directly to the value received, eliminating risk for the buyer. Outcome based pricing is only possible when (i) the outcome can be defined, (ii) the attribution is clear and (iii) the results and pricing are predictable.

Earlier we wrote on Can Cybersecurity Companies Leverage Outcome Based Pricing? Here we ask a different question.

How does one price in the case of cybersecurity, where the desired outcome is that nothing happens?

This is the central question for cybersecurity pricing. To date, most cybersecurity pricing has focussed on what is secured and how much of it there in: signals, endpoints, threat surface and so on.

What is another service where one pays in the hope that nothing will happen? Insurance comes to mind.

Are there lessons and ideas from insurance pricing that could be applied to cybersecurity?

A concept blend to apply ideas from insurance to cybersecurity

One way to combine ideas from two different disciplines to create something new is concept blending. In this approach one has an overall domain (in this case pricing) that is used as a frame and then two things that one wants to blend, in this case cybersecurity and insurance pricing.

To learn more about concept blending see Mark Turner’s excellent website and my own musing on concept blending and innovation. Ibbaka is using concept blending in its work on generative pricing, a new approach to pricing that combines value based pricing and dynamic pricing.

Generative AI is a powerful way to explore concept blends. In this work we developed a set of context documents on cybersecurity, insurance pricing and concept blending and then constructed a prompt that asked a series of LLMs (Large Language Models) to generate a concept blend (we used GPT4.o, Sonar Huge based on Llama 3.1 70B and Claude 3.5 Sonnet from Anthropic). In working with genAI it is important to test and combine results across multiple models. We then compared and combined the results to get the following (this is the actual text generated, not edited.

“Risk-Based Dynamic Cybersecurity Pricing

The blend creates a novel pricing approach with these key characteristics:

Risk Assessment Framework:

• Historical threat data analysis

• Real-time vulnerability scanning

• Compliance posture evaluation

• Asset value assessment

Premium Structure:

• Base protection level (like insurance minimum coverage)

• Risk-adjusted pricing based on security posture

• Dynamic premium adjustments based on threat landscape

• Incident response coverage levels

Value Multipliers:

• Security improvement incentives

• Proactive protection measures

• Compliance maintenance

• Threat intelligence sharing

Implementation Components

Technical Pricing:

• Core security services baseline

• Risk-adjusted premiums

• Usage-based components

• Compliance requirements

Market Adjustments:

• Competitive positioning

• Industry-specific risk factors

• Geographic threat landscapes

• Technology adoption levels

Customer Engagement:

• Security posture assessments

• Risk mitigation guidance

• Incident response planning

• Compliance advisory

This blend creates a more sophisticated and responsive pricing model that aligns security investment with actual risk exposure while providing clear incentives for improved security practices.”

This is a long way from an actual pricing model. Any pricing model should be built out from a formal value model. But there are a lot of interesting ideas in here to explore for cybersecurity pricing model innovation.

The cybersecurity sector needs its own version of the ACORD reference model

One interesting thing that the insurance industry has done is to invest in a shared reference model. The model is known as ACORD.

The ACORD Reference Architecture provides an enterprise architecture framework for the insurance industry. It consists of business processes, product models, development frameworks, information models, data models, and capability models which help organizations to run, develop, modify, and maintain various insurance industry applications.

Cybersecurity is becoming more and more complex, with new threats appearing and threat surfaces expanding and diversifying.
No one vendor is likely to provide everything needed and it is becoming increasingly important to be able to piece solutions together from parts. This is what the ACORD framework has done for the insurance industry. Does cybersecurity need its own equivalent to this framework?

It would help vendors to understand where their solutions fit in and to see gaps that they could fill. Buyers would be better able to combine offers from different vendors to cover the full threat surface and materially reduce risk.

I am not sure that cybersecurity, which is brutally competitive and where there are many overlapping offers is ready to collaborate at this level. Some will be afraid that it will hinder innovation and others that it will expose too much of their secret sauce. But having a shared understanding between buyers and sellers of key concepts (the Business Glossary), logs (the information model that informs the data model), components of a complete cybersecurity system (and no vendor does it all), along with capabilities (and many cybersecurity vendors sell capabilities as well as products) and processes would help everyone develop better prodcuts.

How to price those products? Well. that is where Ibbaka comes in ;-)

Contact Ibbaka for insights on value, packaging and pricing.