{"id":"https://openalex.org/W7128072486","doi":"https://doi.org/10.1007/s10207-025-01192-z","title":"A bonus and penalty mechanism as an incentive for cybersecurity investments","display_name":"A bonus and penalty mechanism as an incentive for cybersecurity investments","publication_year":2026,"publication_date":"2026-02-05","ids":{"openalex":"https://openalex.org/W7128072486","doi":"https://doi.org/10.1007/s10207-025-01192-z"},"language":"en","primary_location":{"id":"doi:10.1007/s10207-025-01192-z","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-025-01192-z","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-025-01192-z.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10207-025-01192-z.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5016282493","display_name":"Artsiom Yautsiukhin","orcid":"https://orcid.org/0000-0002-8493-1915"},"institutions":[{"id":"https://openalex.org/I4210130157","display_name":"Institute of Informatics and Telematics","ror":"https://ror.org/02gdcn153","country_code":"IT","type":"facility","lineage":["https://openalex.org/I4210130157","https://openalex.org/I4210155236"]}],"countries":["IT"],"is_corresponding":true,"raw_author_name":"Artsiom Yautsiukhin","raw_affiliation_strings":["Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, via Moruzzi 1, Pisa, PI, Italy"],"affiliations":[{"raw_affiliation_string":"Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, via Moruzzi 1, Pisa, PI, Italy","institution_ids":["https://openalex.org/I4210130157"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5125154515","display_name":"Natallia Kavalionak","orcid":null},"institutions":[{"id":"https://openalex.org/I4210130157","display_name":"Institute of Informatics and Telematics","ror":"https://ror.org/02gdcn153","country_code":"IT","type":"facility","lineage":["https://openalex.org/I4210130157","https://openalex.org/I4210155236"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Natallia Kavalionak","raw_affiliation_strings":["Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, via Moruzzi 1, Pisa, PI, Italy"],"affiliations":[{"raw_affiliation_string":"Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, via Moruzzi 1, Pisa, PI, Italy","institution_ids":["https://openalex.org/I4210130157"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5016282493"],"corresponding_institution_ids":["https://openalex.org/I4210130157"],"apc_list":{"value":2590,"currency":"EUR","value_usd":3190},"apc_paid":{"value":2590,"currency":"EUR","value_usd":3190},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.21371733,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"25","issue":"2","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.48579999804496765,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.48579999804496765,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11807","display_name":"Infrastructure Resilience and Vulnerability Analysis","score":0.2198999971151352,"subfield":{"id":"https://openalex.org/subfields/2205","display_name":"Civil and Structural Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11864","display_name":"Supply Chain Resilience and Risk Management","score":0.1412000060081482,"subfield":{"id":"https://openalex.org/subfields/1408","display_name":"Strategy and Management"},"field":{"id":"https://openalex.org/fields/14","display_name":"Business, Management and Accounting"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/incentive","display_name":"Incentive","score":0.666100025177002},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.5849999785423279},{"id":"https://openalex.org/keywords/investment","display_name":"Investment (military)","score":0.4765999913215637},{"id":"https://openalex.org/keywords/critical-infrastructure","display_name":"Critical infrastructure","score":0.46000000834465027},{"id":"https://openalex.org/keywords/mechanism","display_name":"Mechanism (biology)","score":0.4311000108718872},{"id":"https://openalex.org/keywords/information-asymmetry","display_name":"Information asymmetry","score":0.4205999970436096},{"id":"https://openalex.org/keywords/honesty","display_name":"Honesty","score":0.420199990272522},{"id":"https://openalex.org/keywords/cyber-threats","display_name":"Cyber threats","score":0.3828999996185303}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.689300000667572},{"id":"https://openalex.org/C29122968","wikidata":"https://www.wikidata.org/wiki/Q1414816","display_name":"Incentive","level":2,"score":0.666100025177002},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.5849999785423279},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5368000268936157},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.49720001220703125},{"id":"https://openalex.org/C27548731","wikidata":"https://www.wikidata.org/wiki/Q88272","display_name":"Investment (military)","level":3,"score":0.4765999913215637},{"id":"https://openalex.org/C29852176","wikidata":"https://www.wikidata.org/wiki/Q373338","display_name":"Critical infrastructure","level":2,"score":0.46000000834465027},{"id":"https://openalex.org/C89611455","wikidata":"https://www.wikidata.org/wiki/Q6804646","display_name":"Mechanism (biology)","level":2,"score":0.4311000108718872},{"id":"https://openalex.org/C137577040","wikidata":"https://www.wikidata.org/wiki/Q431965","display_name":"Information asymmetry","level":2,"score":0.4205999970436096},{"id":"https://openalex.org/C2777293324","wikidata":"https://www.wikidata.org/wiki/Q337349","display_name":"Honesty","level":2,"score":0.420199990272522},{"id":"https://openalex.org/C3018725008","wikidata":"https://www.wikidata.org/wiki/Q4071928","display_name":"Cyber threats","level":2,"score":0.3828999996185303},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3779999911785126},{"id":"https://openalex.org/C153517567","wikidata":"https://www.wikidata.org/wiki/Q26090","display_name":"Mechanism design","level":2,"score":0.3538999855518341},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.351500004529953},{"id":"https://openalex.org/C68799949","wikidata":"https://www.wikidata.org/wiki/Q977871","display_name":"Insurance policy","level":2,"score":0.35100001096725464},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.34700000286102295},{"id":"https://openalex.org/C201307755","wikidata":"https://www.wikidata.org/wiki/Q4071928","display_name":"Cyber-attack","level":2,"score":0.3133000135421753},{"id":"https://openalex.org/C129915516","wikidata":"https://www.wikidata.org/wiki/Q17083550","display_name":"Risk aversion (psychology)","level":3,"score":0.310699999332428},{"id":"https://openalex.org/C205706631","wikidata":"https://www.wikidata.org/wiki/Q2319304","display_name":"Expected utility hypothesis","level":2,"score":0.3018999993801117},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.2962000072002411},{"id":"https://openalex.org/C2777027219","wikidata":"https://www.wikidata.org/wiki/Q1284190","display_name":"Constant (computer programming)","level":2,"score":0.2921000123023987},{"id":"https://openalex.org/C162118730","wikidata":"https://www.wikidata.org/wiki/Q1128453","display_name":"Actuarial science","level":1,"score":0.2824000120162964},{"id":"https://openalex.org/C91810955","wikidata":"https://www.wikidata.org/wiki/Q7731670","display_name":"Incentive compatibility","level":3,"score":0.26840001344680786},{"id":"https://openalex.org/C179768478","wikidata":"https://www.wikidata.org/wiki/Q1120057","display_name":"Cyber-physical system","level":2,"score":0.265500009059906},{"id":"https://openalex.org/C42475967","wikidata":"https://www.wikidata.org/wiki/Q194292","display_name":"Operations research","level":1,"score":0.2603999972343445},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.25529998540878296}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1007/s10207-025-01192-z","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-025-01192-z","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-025-01192-z.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1007/s10207-025-01192-z","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-025-01192-z","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-025-01192-z.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Industry, innovation and infrastructure","id":"https://metadata.un.org/sdg/9","score":0.4103936553001404}],"awards":[{"id":"https://openalex.org/G3936454970","display_name":"Data Usage Control for empowering digital sovereignty for All citizens","funder_award_id":"101086308","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G507880695","display_name":null,"funder_award_id":"PE00000014","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G8893660128","display_name":null,"funder_award_id":"PE0000001","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7128072486.pdf","grobid_xml":"https://content.openalex.org/works/W7128072486.grobid-xml"},"referenced_works_count":34,"referenced_works":["https://openalex.org/W656455340","https://openalex.org/W1533691955","https://openalex.org/W2015959847","https://openalex.org/W2074035703","https://openalex.org/W2099263883","https://openalex.org/W2118468036","https://openalex.org/W2149137922","https://openalex.org/W2165799395","https://openalex.org/W2165913973","https://openalex.org/W2338241168","https://openalex.org/W2590695271","https://openalex.org/W2607691437","https://openalex.org/W2734999728","https://openalex.org/W2791656101","https://openalex.org/W2794377947","https://openalex.org/W2902609798","https://openalex.org/W2918490372","https://openalex.org/W2968869838","https://openalex.org/W2980973928","https://openalex.org/W3084831628","https://openalex.org/W3108935870","https://openalex.org/W3121234917","https://openalex.org/W3157740782","https://openalex.org/W4206247906","https://openalex.org/W4213292645","https://openalex.org/W4293697625","https://openalex.org/W4317770587","https://openalex.org/W4317910498","https://openalex.org/W4376880711","https://openalex.org/W4401242572","https://openalex.org/W4405282430","https://openalex.org/W4408373541","https://openalex.org/W4408919612","https://openalex.org/W4412455249"],"related_works":[],"abstract_inverted_index":{"Cyber":[0],"insurance":[1,121,148],"was":[2],"expected":[3],"to":[4,61,71,140],"incentivise":[5,62],"stronger":[6],"self-protection":[7,143],"by":[8,96],"rewarding":[9],"improved":[10],"cybersecurity":[11,55],"with":[12,117,146],"lower":[13],"premiums.":[14],"However,":[15],"theoretical":[16,156],"results":[17],"show":[18],"that":[19,81],"rational":[20],"insureds":[21],"often":[22],"reduce":[23],"their":[24],"cyber":[25,43,49,84,113,120,147],"investment,":[26,114],"relying":[27],"instead":[28],"on":[29,66,112],"coverage.":[30,149],"In":[31],"critical":[32],"infrastructure":[33],"(CI),":[34],"this":[35],"dynamic":[36],"is":[37,92],"particularly":[38],"problematic,":[39],"as":[40],"it":[41],"heightens":[42],"risk":[44,50,126],"across":[45],"supply":[46],"chains.":[47],"Effective":[48],"mitigation":[51],"requires":[52,82],"oversight":[53],"of":[54,108],"among":[56],"all":[57],"partners.":[58],"Existing":[59],"mechanisms":[60],"investment":[63],"largely":[64],"depend":[65],"insureds\u2019":[67],"honesty":[68],"or":[69,99],"access":[70],"sensitive":[72],"data.":[73],"This":[74],"paper":[75],"proposes":[76],"a":[77,123,131],"simple-to-implement":[78],"bonus\u2013penalty":[79],"mechanism":[80],"only":[83],"incident":[85,89],"occurrence":[86],"status,":[87],"no":[88],"history,":[90],"and":[91,110,118,130,153],"intended":[93],"for":[94],"deployment":[95],"the":[97,105,137,142,155],"state":[98],"large":[100],"CI":[101],"organisations.":[102],"We":[103,135],"analyse":[104],"separate":[106],"effects":[107],"penalties":[109],"bonuses":[111],"comparing":[115],"scenarios":[116],"without":[119],"under":[122],"constant":[124],"absolute":[125],"aversion":[127],"utility":[128],"framework":[129],"generic":[132],"probability":[133],"function.":[134],"assess":[136],"mechanism\u2019s":[138],"ability":[139],"prevent":[141],"drop":[144],"associated":[145],"Numerical":[150],"examples":[151],"illustrate":[152],"support":[154],"findings.":[157]},"counts_by_year":[],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2026-02-07T00:00:00"}