Premium Calculation for Insurance Businesses Based on Cyber Risks in IP-Based Power Substations

Insurance is a promising risk transfer tool against switching cyberattacks on power grids that can disrupt operation and potentially lead to widespread outages. This paper emphasizes a framework of premium calculation for cyber insurance businesses by modeling potential electronic intrusion with steady-state simulation results and its direct hypothesized impacts. The proposed actuarial framework models the operational monetary losses with the hypothesized power outages based on the cyber-reliability assessment and its expected mean time to restore power (MTTRP). The ruin probability is employed as the fundamental formula to determine the feasible insurance premium pool. Hypothesized spatial correlation studies on multiple substation contingencies associated with switching attacks have shown estimated operational losses and expected duration of power restoration, which are translated into the calculation of the insurance premium. The proposed actuarial framework is validated using generalized IEEE test cases with modified parameters on substations. The potential implications of the grid's hypothetical scenarios are discussed.


I. INTRODUCTION
The rise of cyber threats on the horizon has become a critical issue for infrastructural planning [1]. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance has now published more clauses in order to implement necessary technologies for improving the cyber awareness of information communication security across power control networks [2]-[5]. Additionally, the observed frequent attempts of intrusions within critical infrastructure networks reveal the cyber threats that the U.S. power grid confronts now and the urgent need for improving cybersecurity defense protection [6], [7].
The associate editor coordinating the review of this manuscript and approving it for publication was Shiwei Xia.
A switching attack is disruptive because the electronic manipulation of a substation's circuit breakers and disconnectors will abruptly change the system operation. The attack is carried out through the controls of a compromised substation network, pivoting from a console at another remote location. Insurance is proposed to cover the economic loss and liabilities, which would incentivize utility owners to optimize their investment spending [8]-[10]. The Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) has included stakeholders to work on the critical topics of risk management in security [11], which would help improve the security posture in terms of: (1) promoting the adoption of preventative measures; and (2) encouraging the integration of best practices of self-protection based on their existing network architectures. Insurance frameworks, as a tool of risk transfer for utilities, are aimed at avoiding large infrastructure investment. A switching attack that trips a substation's circuit breakers can incur system overload and other implications. Investing in more transmission lines would be an option, but it can be an over-reaction in anticipating a low-probability, high-impact event. There are other alternatives to hedge the risks. Accurately modeling the consequence-based attacks can be an attractive option based on presumed switching attacks and technology-investing strategies to thwart electronic intrusion from the outside network. However, this requires more understanding in the context of actuarial science and power engineering knowledge to work on the synergies of cyber-physical systems (CPS) security [12], [13].

A. UNIFYING ACTUARIAL FRAMEWORK
A unifying framework for modeling cyber insurance has been established recently to address the niche area of CPS risks and infrastructural interdependencies [14]. It is suggested that an internal failure of an information system can be modeled in a general insurance market with residual risk classification associated with security [14], [15]. From the perspective of network security, stochastic processes have been employed to model the pricing based on security risks of information and communication technology (ICT) using the network topology [13]. However, security at the user level should also be incorporated as an integral part of the overall security modeling [16], [17]. By integrating the physical impacts and mitigation strategies for a power grid with the cyber aspects, pricing for the insurance premium can be estimated [18].

B. GRID SECURITY COMPLIANCE
The grid balancing authority works closely with utilities to oversee the NERC CIP compliance and establish strategies to follow those guidelines and execute plans. The audit is often done every other year and pending issues will be followed up. Utilities are randomly chosen for spot checks, and each utility shall establish a strategic plan and work closely in implementing the plan. Penalties may be imposed on non-compliant utilities after a grace period. NERC CIP does not provide standardized performance metrics to quantify residual risks associated with electronic intrusion into the control network.
Most asset owners have their own way to secure their control networks [19]. The implementation of enterprise risk management (ERM) varies, depending on organizational leadership with set priorities and allocated resources each year. The approach is to ensure that pressing issues on the compliance list are rectified, such as the password policy of their critical cyber assets and how they manage remote access control for contractors or temporary employees. If insurance companies can harness the digital evidence from the ERM cyber systems and hypothetically enumerate some nightmare scenarios to replay the cascading outcomes, the consequence-based assessment would help to mature this emerging market. Risk theory can provide the quintessential basis for most insurance models and problems [20]. Risks can be estimated using the ruin probability from the direct calculation method, which is known to be the basic risk model [20]-[23]. Assessment of risk and its profiles, and of operational performance on computerized management systems, is proposed to address the SCADA aspect of feeder automation in distribution networks [24]. Such a risk profile could take into account the electronic and physical perimeters where the critical cyber assets are deployed.

C. CONTRIBUTIONS TO CPS-RELATED INSURANCE
This paper proposes an actuarial framework for grid insurance with policies protecting deployed cyberinfrastructure against electronic manipulation of circuit breakers via a remote access intrusion to electrically disconnect a substation from the grid, known as "disruptive switching attacks," which isolates all connected lines, local loads and generating units. This is assumed to be determined by two major aspects: (i) the probability of successful intrusion into the substation(s), which will presumably result in a disruptive switching attack from the compromised substation(s), and (ii) the discrete distribution of the claim size of each potential attack scenario [21]-[23]. The vulnerability and the steady-state probability of potential electronic intrusion into each power substation have been studied in [25], [26], which are derived from the firewall and password models using a Markov chain. The steady-state probabilities [25], [27] are further updated by introducing protective intelligent electronic device (IED) models and honeynet models, and utilized as an effective tool to generate the discrete distribution of the hypothesized scenario. The proposed claim size of power utilities is assumed to be equal to the estimated economic loss that is directly related to substation outages. To address the impact of the hypothesized cyberattacks, the following assumptions are included in the proposed framework:
• The risk index studies [28]-[31], using the extended combination method and reverse pyramid model (RPM), generate the risk-based "bottleneck list." The "critical" combinations would lead to the potential uncertainty with identified unstable cases of the power system in steady-state analysis. The definition of "unstable" refers to power flow diverged solutions for the combinations of multiple substation outages using the RPM models [31].
• The surveys on the operational loss [32]-[34] and the electricity prices [35], [36] are included in the paper to conduct a comparative study of the economic loss of the hypothesized power outages. It is assumed that the operational loss discussed in the paper only covers the direct loss that has been studied in [32]-[34].
• The studies on the mean time to restore power (MTTRP) [37]-[39] of the hypothesized power system outages are also performed, which estimate the expected restoring time of a system after a presumed switching cyberattack.
Deriving from the previous model [29]-[31], the hypothesized substation outages have been incorporated with overload implications of transmission lines. The extended enumerations on the substation outage contingencies by hypothesized switching attacks would electrically disconnect associated transmission lines, generators, and transformers. The permanent damage induced by cyberattacks is not covered in this work. This proposed insurance-based solution would help to formulate an actuarial framework to transfer the cyber risk of potential substation compromise.
The paper is organized as follows. Section II illustrates the probability and the distribution of the cyber insurance model using the developed cyber and physical components. Section III provides the calculation details of the ruin probability based on the risk model. Section IV demonstrates the numerical results. Section V summarizes and concludes with future research opportunities.

II. PROBABILITY DISTRIBUTION BASED ON CYBER-RELIABILITY ASSESSMENT MODEL
A. PROBABILITY MASS DISTRIBUTION OF THE HYPOTHESIZED SCENARIO
The vulnerability of the control networks has been evaluated by modeling intrusions and consequences of a cyberattack on control networks [25], [26]. Assume that the system contains $S$ substations and that the substation set is denoted as $S_{sub} = [1, 2, \cdots, S]$. Let $\mathcal{T}$ be the collection of all non-empty substation combinations with the index $t$, where each element in the collection $\mathcal{T}$ is a tuple, denoted as $T$, which satisfies $T \subseteq S_{sub}$. Let's assume the substation collection $\mathcal{T}$ consists of all $k$-combinations of $S$ with $k = 1, 2, \cdots, S$. The probability of the $t$-th substation combination $\hat{p}(t, x_t)$ is defined as: where $i$ and $j$ in (1) denote the indices of substations, $\rho_i$ denotes the intrusion probability to substation $i$, and $x_t$ additionally denotes the claim size of the $t$-th substation combination. The cardinality $|\mathcal{T}|$ of set $\mathcal{T}$ is equal to $2^S - 1$, and the sum of the probability $\hat{p}(t, x_t)$ calculated in (1) may not necessarily be equal to 1. As a consequence, the probability mass function of the discrete substation combination can be normalized so that it sums to 1.0: Equation (2) formulates the basic discrete probability distribution of hypothesized substation outages. The $p(t, x_t)$ is a function of $t$ and cannot be directly applied to the premium calculations because different substation outages could claim the same size of economic loss. The following section further illustrates the formulation of the claim size and the necessary modifications to (2).

B. THE CLAIM SIZE OF THE HYPOTHESIZED SUBSTATION OUTAGES
Determining the claim size due to the hypothesized substation outage is important for insurance companies to implement their insurance policy because of the direct effect on their own business strategy. In the following formulation, the data is obtained from the previous cyber-based contingency analysis in the steady-state studies [28]-[31] and the claim size $x$ is assumed to be equal to the direct loss due to the hypothesized power outages, which is determined by three variables: 1) the power loss $PL$ (MW) due to the substation outages in steady-state evaluation [28]-[31], 2) the expected mean time to restore power $H$ (hour) from the abnormal status to normal steady-state conditions [37]-[39], and 3) the direct costs $\gamma$ (\$/MWh) during the power outages [32]-[34]. Thus, the claim size $x_t$ (\$) for the $t$-th substation combination is defined as: (3) Figure 1 depicts the flowchart of an enumerative algorithm for calculating the claim size based on (3). The "critical" list $C$ is generated using the extended enumeration model in [31]. A "critical" combination of substation(s) recorded in $C$ may cause the system to be unstable in the steady-state analysis, which is considered as the blackout situation in this formulation. The critical list $C$ is applied here to identify the size of blackouts of the substation combination set $T \in \mathcal{T}$. The MTTRP simulation is conducted based on the concept of generic restoration milestones (GRMs) [37]. The italicized $MTTRP$ represents the vector that records the restoration time of each substation and $L$ is the total restoration time initiated from the black start units. It should be noted that the claim sizes in the premium calculations in this paper are based on mean claim sizes for a given combination of substation outages. This means that different combination sets $t_1$ and $t_2$ may have different $p(t_1, x_{t_1})$ and $p(t_2, x_{t_2})$ but share the same claim size; that is, $x_{t_1} = x_{t_2}$.
In order to create the probability mass function of the claim size $x_{t_i}$, which the cyber insurance company focuses on, the probability distribution function determined in (2) needs to be modified by aggregating all $p(t_i, x_{t_i})$ that have the same claim size: Equation (4) formulates the PMF of the diverse claim sizes $x_t$ and the variable $t$ has been canceled out. Compared with (2), (4) is clearer and more convenient to apply in the ruin probability calculations to determine the insurance premium.
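The enumeration, normalization and aggregation steps of this section, as an added example for a constructed four-substation system (not code from the paper). It assumes the combination probability is the product of $\rho_i$ over compromised substations and $(1 - \rho_j)$ over the rest, and that the claim size is $PL \times H \times \gamma$; the loads and the cost are constructed sample values.

```python
from collections import defaultdict
from itertools import combinations
from math import prod

# Constructed 4-substation system (not one of the IEEE test cases).
RHO = {1: 0.0012, 2: 0.0017, 3: 0.0049, 4: 0.0080}   # intrusion probability rho_i
LOAD_MW = {1: 11.2, 2: 21.7, 3: 94.2, 4: 47.8}        # load lost when substation i is isolated
CRITICAL = {2}        # critical list C: any outage containing these substations diverges
H_HOURS = 118 / 60    # MTTRP H in hours; 118 minutes is the 14-bus restoration time quoted later
GAMMA = 9000.0        # constructed direct cost gamma in $/MWh


def enumerate_combos(rho):
    """All non-empty substation combinations: 2^S - 1 tuples."""
    subs = sorted(rho)
    return [c for k in range(1, len(subs) + 1) for c in combinations(subs, k)]


def combo_probability(combo, rho):
    """Assumed form of (1): every substation in combo is intruded, no other is."""
    inside = prod(rho[i] for i in combo)
    outside = prod(1.0 - rho[j] for j in rho if j not in combo)
    return inside * outside


def claim_size(combo, load_mw, critical, hours, gamma):
    """Assumed form of (3): x = PL * H * gamma, in dollars.

    A combination that contains a critical substation is treated as a
    blackout, so the whole system load is lost (the highest claim size).
    """
    lost = set(load_mw) if critical & set(combo) else set(combo)
    power_loss = sum(load_mw[i] for i in sorted(lost))
    return round(power_loss * hours * gamma, 2)


def claim_pmf(rho, load_mw, critical, hours, gamma):
    """Normalize the combination probabilities, then merge equal claim sizes."""
    raw = {c: combo_probability(c, rho) for c in enumerate_combos(rho)}
    total = sum(raw.values())            # equals 1 - prod(1 - rho_j), not 1
    pmf = defaultdict(float)
    for combo, p_hat in raw.items():
        pmf[claim_size(combo, load_mw, critical, hours, gamma)] += p_hat / total
    return dict(pmf), total


def mean_claim(pmf):
    """mu = E[Y], the mean claim size used in the premium formula."""
    return sum(x * p for x, p in pmf.items())


if __name__ == "__main__":
    pmf, total = claim_pmf(RHO, LOAD_MW, CRITICAL, H_HOURS, GAMMA)
    print(f"sum of unnormalized probabilities: {total:.6f}")
    for x in sorted(pmf):
        print(f"claim ${x:>12,.2f}  probability {pmf[x]:.6f}")
    print(f"mean claim: ${mean_claim(pmf):,.2f}")
```

Fifteen combinations collapse to eight claim sizes here because the eight combinations containing the critical substation share the blackout claim.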

III. DETERMINATION OF CYBER INSURANCE PREMIUM USING RUIN THEORY
A. RUIN PROBABILITY CALCULATION
Ruin theory has been widely implemented since the beginning of last century and has demonstrated its effectiveness in evaluating the long-run viability of insurance portfolios [21]-[23]. In actuarial context, ruin refers to the event that the surplus of a business unit goes below zero. Ruin probability is thus used to measure the riskiness of a business line. In this section, this concept shall be applied to study the insurer's financial position and appropriate the amount of premium so as to control the insurer's ruin probability at a low level. The mathematical model is formulated as follows. Suppose an insurer covers all the cyber-related losses from a utility and receives claims according to a Poisson process $N(t)$ with arrival intensity $\lambda$. Assume the claim sizes $\{Y_1, Y_2, \ldots\}$ are independent and have a common distribution as $Y$, whose distribution is specified by formula (4). Furthermore, the insurance premium is charged with a safe loading coefficient of $\theta$. That is, the premium charged over a time period of length $t$ equals the expected value of the total claim over the period plus a safe loading, or mathematically $(1 + \theta)\lambda\mu t$, where $\mu = E[Y]$. With an initial reserve of $u$, the insurer's surplus at time $t$ is represented as The ruin probability, depending on $u$, is defined to be $\psi(u) = P\{\inf_{t>0} U_t < 0\}$. Readers are referred to [40] for a comprehensive review of ruin theory. Generally, ruin probability may be difficult to obtain. With a compound Poisson setup as specified in the above model, the calculation of ruin probability can be related to the calculation of a compound geometric aggregate loss model, as seen in [21]. Following [21], consider the independent and identically distributed (i.i.d.) ladder heights $L_1, L_2, \ldots$ of Model (5), that is, the sizes of drops of $U_t$. When these drops aggregate to exceed the initial reserve $u$, ruin occurs.
In this sense, the ruin probability can be expressed as $\psi(u) = P\{M > u\}$, where the maximum aggregate loss $M$ is defined as where $N$ is the number of drops, following a geometric distribution with parameter $q = \psi(0) = 1/(1 + \theta)$. Furthermore, the probability density function of the common drop size $L$ can be obtained based on the distributional information of $Y$ as follows: Note that the distribution of $L$ is continuous. In order to derive a recursive formula to compute the ruin probability, the distribution of $L$ has to be discretized. The discretization can be realized in different ways. Here, we follow the moment matching approach provided by [21]. Specifically, set a step size $h$ such that $u/h$ is an integer and assume a distribution on $\{0, h, 2h, \ldots\}$ with probabilities $\{f_x : x = 0, 1, 2, \ldots\}$ to be solved from the following system so as to match the range probabilities and the first two moments to the original distribution of $L$: Based on the above discretization, [21] provides a recursive formula to compute the ruin probability $\psi(u) = P\{M > u\}$:

B. PREMIUM CALCULATION USING RUIN THEORY
Based on the details of the ruin probability calculation in the previous section, the premium amount, $I$, is defined [40]: where $\theta_f$ is the feasible premium loading that can be identified in the ruin probability calculation. The parameter $\lambda$ denotes the expected number of claims of the process and can be obtained by using (1). Compared with a traditional insurance policy, the frequency of claims for cyber insurance on power system outages may be much lower because of their low occurrence in the historical data. The parameter $\mu$ is the mean of the successive claims, which can be derived through (2) and (6). Additionally, $\theta_f$ may not be unique if the insurance company provides an acceptable range of ruin probabilities, which would affect the range of $\theta$ and the feasible premium amount. In Section IV, we provide a list of the feasible ruin probabilities with different choices of $\theta$ and different settings of the initial reserve $u$.
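The ruin probability recursion of Section III-A and the premium of Section III-B, as an added example (not the authors' code). It uses the standard compound-geometric (Panjer) recursion with the ladder-height density $P(Y > y)/\mu$, swaps the paper's moment-matching discretization for the simpler method of rounding, and takes the premium as $(1 + \theta_f)\lambda\mu$ per unit time; the claim-size PMF and the step $h$ are constructed, while $\lambda$ is the 30-bus value reported in Section IV.

```python
# Constructed claim-size PMF in the role of (4): claim size ($ million) -> probability.
CLAIM_PMF = {0.5: 0.6, 1.5: 0.3, 3.1: 0.1}
LAMBDA = 0.080008   # expected number of claims reported for the 30-bus system
H_STEP = 0.1        # discretization step h ($ million); u / h must be an integer
THETAS = [i / 5 for i in range(6)]   # theta from 0 to 1 in steps of 0.2


def mean_claim(claim_pmf):
    """mu = E[Y]."""
    return sum(x * p for x, p in claim_pmf.items())


def ladder_cdf(y, claim_pmf):
    """CDF of the drop size L, whose density is P(Y > y) / mu.

    The integral of P(Y > s) over [0, y] equals E[min(Y, y)].
    """
    return sum(p * min(x, y) for x, p in claim_pmf.items()) / mean_claim(claim_pmf)


def discretize_ladder(claim_pmf, h):
    """Method of rounding: f[j] is the probability that L lies within h/2 of j*h."""
    n = int(max(claim_pmf) / h) + 2      # enough cells to cover the largest claim
    f = [ladder_cdf(h / 2, claim_pmf)]
    for j in range(1, n):
        f.append(ladder_cdf(j * h + h / 2, claim_pmf)
                 - ladder_cdf(j * h - h / 2, claim_pmf))
    return f


def ruin_probability(u, theta, f, h):
    """psi(u) = P{M > u}, with M a geometric sum of discretized drops.

    N is geometric with P(N = n) = (1 - q) q^n and q = 1 / (1 + theta).
    """
    q = 1.0 / (1.0 + theta)
    denom = 1.0 - q * f[0]
    g = [(1.0 - q) / denom]              # g[x] = P(M = x * h)
    for x in range(1, round(u / h) + 1):
        conv = sum(f[y] * g[x - y] for y in range(1, min(x, len(f) - 1) + 1))
        g.append(q * conv / denom)
    return 1.0 - sum(g)


def feasible_loading(u, target, f, h, thetas):
    """Smallest loading on the grid whose ruin probability is within the target."""
    for theta in sorted(thetas):
        if ruin_probability(u, theta, f, h) <= target:
            return theta
    return None


def premium(theta_f, lam, mu):
    """Premium per unit time: expected claims plus the safety loading."""
    return (1.0 + theta_f) * lam * mu


if __name__ == "__main__":
    f = discretize_ladder(CLAIM_PMF, H_STEP)
    for theta in THETAS:
        row = [ruin_probability(u, theta, f, H_STEP) for u in (0, 10)]
        print(f"theta={theta:.1f}  psi(0)={row[0]:.4f}  psi(10)={row[1]:.3e}")
    theta_f = feasible_loading(10, 5.0e-3, f, H_STEP, THETAS)
    print("feasible theta:", theta_f,
          "premium ($ million):", premium(theta_f, LAMBDA, mean_claim(CLAIM_PMF)))
```

With $u = 0$ the recursion stops after its first term and reduces to $(1 - f_0)/(1 + \theta - f_0)$, the expression quoted in Section IV.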

C. SPATIAL CORRELATION VERIFICATION
The proposed model incorporates the assumption of spatial correlation with two layers: 1) at the attack stage, which is at the cyber level, and 2) at the enumeration stage, which is at the physical level and is based on its presumed resulting impacts. The second level of spatial correlation has been addressed in the steady-state enumeration model, which identifies the "critical" substation combination outages and assumes them to be diverged cases with the highest claim size. In the actuarial framework, the variable of severity losses has been incorporated into the mean of claim sizes $\mu$ in (10). It is noticed that the variable $\mu$ includes a high correlation ratio for diverged cases. For example, let the substation $s$, where $s \in S_{sub}$, be identified as a pivotal substation in steady-state analysis. From (3), the claim size $x$ of all events of substation outages that contain $s$ would be diverged and aligned with the same highest claim size, which would be reflected in the mean of claim sizes $\mu$. For this reason, the highly dependent correlation among those diverged events has been verified in terms of claim sizes.
For the first layer of spatial correlation, at the attack level, we assume outside attacks occur from control center networks [25] and different control networks would be deployed with diverse cybersecurity technologies. Let $SN_l$ denote the set of substations that can be accessed through sub-network $l$. It is assumed that $L$ sub-networks are deployed in the system. For the substations in different sub-networks $SN_l$ and $SN_{l+1}$, the intrusion probabilities on these two sets are independent, while within a sub-network the intrusion probability would be dependent with a correlation ratio. Let the binary results 1 and 0 in a Bernoulli trial denote a successful and a failed intrusion attempt, respectively. The expected number of claims of the process $\lambda$ without the spatial correlation assumption is defined: In contrast, in an extreme case with correlation ratio 1 within each sub-network, the $\lambda$ is modified as: In (12), $\hat{\lambda}$ denotes the expected number of claims with the spatial correlation assumption. The $\hat{\rho}(\cdot)$ represents the probability of intrusions on the substations in the set $SN_l$. Since the number $L$ of sub-networks would be less than the substation number $S$, it can be easily seen that $\hat{\lambda} < \lambda$ if $\hat{\rho}(\cdot) \le \rho(\cdot)$. This means that the probability of no claims within the insurance contract period becomes smaller in the existence of strong correlations in the cyber-systems within each sub-network and of strong cyber defense systems. This reiterates the importance of discarding weak cyber defense systems and placing stronger systems on more critical substations in lowering the insurance premium. This implies that using a smaller number of cyber defense systems can be cost-effective, so long as those in use are the strongest possible ones.

IV. NUMERICAL ILLUSTRATION
A. TEST CASE SETUP
1) STEADY-STATE PROBABILITIES
The steady-state probabilities for substation attacks are derived according to the proposed procedure that is demonstrated in [27]. For each substation, it is assumed that 4 firewalls and 6 machines are deployed in the cyber-net, and for each firewall rule, the probability of packets passing through is randomly selected from assumed probabilities [0.0096, 0.0049, 0.0080, 0.0014]. The firewall execution rate is assumed to be 0.001. of "Model 1" and "Model 3" from "outside" attack in [25], denoted as $\pi_1$ and $\pi_3$, respectively. Notice that $\pi_1$ ∈ 1 and $\pi_3$ ∈ 3, where 1 and 3 are two probability sets for different models.
In order to improve the feasibility of the model, the authors also assume that the substations with generation units installed are deployed with more secure protective parameters, which would lead to a higher rate of packet rejection. For example, in the IEEE 14-bus system (10 substations), substations 1 and 2 are equipped with generators with the rejection rate settings of [0.975, 0.985], i.e. $\rho(1) = 0.0012$ and $\rho(2) = 0.0017$. Fig. 2 gives the detailed settings of the steady-state probability for each system, highlighted in blue bar and based on the left-side axis.

2) CRITICAL LIST OF HYPOTHESIZED SUBSTATION OUTAGES
The critical list $C$ is derived using the extended RPM [31], which enumerates all the hypothesized substation combinations, and the "worst" combinations are identified. The extended reverse pyramid model (RPM) [29] is applied to identify the critical substations and "worst-case" substation combinations. The extended RPM applies a steady-state approach to enumerate all events of hypothesized substation outage combinations. Additionally, the overload implications of transmission lines are incorporated in the model. In the 14-bus system, 3 "critical" substations are identified, which are substations 2, 4 and 5. There are 8 substations identified as critical in the 30-bus system, which are substations 2, 4, 5, 6, 10, 17, 20 and 22. Similarly, in the 57- and the 118-bus systems, 18 and 42 "critical" substations are found, which may lead the system to diverge in terms of steady-state analysis.
Based on the critical list, the complete combination list $\mathcal{T}$ would be determined to identify the hypothesized power outages. In this study, the threshold of intrusion attempts per year is assumed to be within the interval [8000, 10000], and every single attack is assumed to be independent. Figure 2 gives the detailed settings of the successful intrusion probability for each system, highlighted in blue bar and based on the left-side axis. The generic restoration milestones (GRMs) have been applied in this paper to estimate the expected mean time to restore power (MTTRP) [37]. The GRMs introduce a practical method for construction of the system restoration process by applying numerous constraints on status assessment, optimization of generation outputs, and load pickup. The GRMs consist of six major thrusts and each process contains an objective function with different constraint settings. MTTRP simulations demonstrate that it takes 3, 6, 3 and 8 steps to restore the 14-, 30-, 57-, and 118-bus systems respectively, which cost 118, 404, 373, and 414 minutes in total. In Fig. 2, the expected restoration time $H$ of each system is marked in red based on the right-side axis.

B. NUMERICAL RESULTS OF RUIN PROBABILITY AND PREMIUM AMOUNT
In this simulation part, the direct operational costs $\gamma$ (\$/MWh) incurred by the hypothesized substation outage are extracted from four different studies: 1) the studies on value of loss load (VOLL) [33], [34]; 2) the surveys on the estimated direct costs (DC) in the previous power outage [32]; 3) the statistical studies of the average retail electricity price (AREP) [35]; and 4) the basic local marginal price (LMP) from the optimal power flow (OPF) solution [41]. Based on the results of the contingency analysis $C$ and the MTTRP simulations, the operational loss of substations is denoted as $\gamma_{1-4}$ and shown in four colors in Fig. 3.
By combining (6), (7) and (9), the results of ruin probability and the corresponding feasible premium amounts are summarized in Table 1. In the table, $\theta$ is selected from 0 to 1 with an increment of 0.2. The initial reserve $u$ is selected among 0, 10 and 100, which, referring to (7), would determine the recursive level for calculating the ruin probability $\psi$. It is observed that, when $u$ is 0, (7) could be written as $\psi(0) = (1 - f_0)/(1 + \theta - f_0)$, which only involves the first iteration. In the row of "System constants," parameter $\lambda$ denotes the frequency of claims formulated through (1), which is 0.019537, 0.080008, 0.062407, and 0.094434 in the 14-, 30-, 57-, and 118-bus systems, respectively. It is observed that in (7), variable $h$ denotes the general increment for each global moment; here the authors consider the formulation of the proposed problem as a two-moment process which would optimally cover the whole interval of the claim size.
It indicates that each interval would cover half of the claim size. To distinguish the general increment h, h is introduced as the proportion of the coverage.
From Table 1, among all the test systems, $\psi(0)$ is always larger than 0.75. It might be "too risky" and may not be an acceptable probability. Additionally, it is found that the ruin probability $\psi(u)$ in each case decreases as $\theta$ increases, which coincides with (7). Consider $\psi(0)$ with a larger $\theta$ and $\psi(0)'$ with a smaller $\theta'$; it can be calculated that for the first ruin probability, it holds: $\psi(0) < \psi(0)'$. Since $\psi(u)$ is calculated recursively based on the first item $\psi(0)$, the probability $\psi(u)$ with a larger $\theta$ would eventually be smaller than $\psi(u)'$. Therefore, $\psi(u)$ is a decreasing function as $\theta$ increases. For this reason, the authors are able to give a reasonable guess of a certain ruin probability even without a determined value of $\theta$. Take the calculation results of the IEEE 30-bus system as an example: even though the ruin probability $\psi(10)$ under the condition of $\theta = 0.9$ is not provided, it is reasonable to conclude that the probability $\psi(10)$ would lie in the interval $[4.175 \times 10^{-3}, 1.790 \times 10^{-3}]$, which are the lower and upper bounds of the probability detailed in the table when $\theta = 0.8$ and 1.0.
According to (10), Table 1 also provides estimated premium amounts for each IEEE test system with different settings of $\gamma$, where $\theta_f$ is assumed to be 0.8. In a more general case, for example, if the insurance company would be able to accept a ruin probability that is less than $5.0 \times 10^{-3}$ for the 57-bus system, with the initial reserve setting of 10 and cost setting of $\gamma_1$, the feasible set of $\theta$ can be determined from the (7), $\psi(0) = \theta/(1 + \theta)$ is determined as survival probability [40]. It is observed that the survival probability would increase as the premium loading $\theta$ increases. In other words, the insurance company sells more expensive policies to utilities as the premium loading increases, which would accordingly increase its survival probability.

C. SENSITIVITY ANALYSIS AND SPATIAL CORRELATION STUDY
According to (3) and (4), the premium amount is calculated from two fundamental variables, the probability and the claim size of each event. For this reason, a comparison study is conducted in this section by allowing only one of the variables to change with a ratio while keeping the other variable constant. Figure 4 represents changes of premium amount, mean MTTRP, and maximum insurance claims corresponding to diverse system settings of generator ramping capacity, bus loads, and steady-state probability using the IEEE 30-bus system. The setting of economic cost $\gamma$ is selected as VOLL. With the reference of the initial power flow solution, the coefficient ratio is within the interval of [50%, 200%], which is assumed to be an acceptable threshold for the key parameters such as probability, ramping rate, and load. It is observed that in sub-figure (a), premium amounts of all three conditions are the same if the coefficient is set to 1.0. It can be observed that raising the ramping rate would decrease the premium by reducing MTTRP, which directly decreases the claim size for each case. The premium amount increases most rapidly under changes of the steady-state probability, which can be estimated from (10): the premium changes linearly with the expected number of claims $\lambda$. Increasing the steady-state probability would directly increase $\lambda$, which raises the premium level as shown in sub-figure (a).
Sub-figure (b) gives a rough estimation by describing the relationship between the mean MTTRP and claim sizes under different coefficient conditions. The black coordinate axis at the left side denotes the mean of MTTRP and the right side, colored in blue, represents the maximum insurance claims. As revealed in sub-figure (b), in both conditions, changes of ramping capacity and of bus load, the claim size and MTTRP are highly correlated, which corresponds to (3). As depicted in sub-figure (a), the premium decreases as the loading condition increases from 120% to 150%, which can be extrapolated from sub-figure (b), where the claim size decreases as the MTTRP decreases from this change. Specifically, it is observed that the GRMs simulation model takes fewer steps and less time to recover the system at the 150% loading condition compared with the restoration time at the condition of 120%. Although the system load increases from the condition of 120% to 150%, the MTTRP has decreased, which would balance the claim size and premium in general.
The spatial correlation study is summarized in Table 2. It is assumed that four different sub-networks are deployed in the control center of the IEEE 30-bus system with a detailed correlation ratio given in each network. The joint probabilities with dependent Bernoulli trials are generated through the Monte Carlo method with 10,000 trials [42], [43]. The spatial correlation for each sub-network is introduced as the off-diagonal elements of its correlation matrix. In contrast, in the case of independent Bernoulli trials, all off-diagonal elements are zero. The dimension of the correlation matrix would be determined by the size of $SN_l$. For example, in the first row, $SN_1$ represents substation 1 to substation 6, thus the dimension of the correlation matrix is 6 by 6 and all 30 off-diagonal elements in the correlation matrix would be 0.05 and the other 6 diagonal elements would be set to 1. The correlation matrix can be user-defined and would generate different $\hat{\lambda}$ with corresponding premium, as summarized in the table. It is interesting that the stronger the correlation is, the smaller $\hat{\lambda}$ and the premium are. As demonstrated in (12), the probability of zero claims, $1 - \hat{\lambda}$, would also increase.

V. CONCLUDING REMARKS
The preliminary establishment of a cyber insurance premium using IEEE test cases has demonstrated the promise of actuarial methods and the correlation of problematic combinations of disruptive switching cyberattacks. The studies provide the simulation results of steady-state probability and its distribution function, the expected MTTRP for each substation, and the diverse settings of estimated operation loss. All factors provided here are the necessary setups to calculate the ruin probability. With detailed and numerous cases provided in the studies, insurance companies can formulate the feasible premium amounts based on their owner-defined conditions and their base cases. Future work includes detailing the consequential events and their stochasticity, and how they may lead to brownout and/or blackout, as well as establishing new models for security technologies. The results shown in the case study are based on the proposed model; a detailed sensitivity analysis that incorporates specified settings with regulatory issues can be elaborated in future research. This includes extensive analysis between probability and the claim size that can be further enhanced to incorporate other electrical settings, such as ramping rates of generating units and variation of loading level.