An empirical analysis of the behavioral influences and information sources affecting the cyber insurance decisions of German SMEs
Briefing: Behavioral and Informational Drivers of SME Cyber Insurance Decisions in Germany
Executive Summary
This document synthesizes the findings of an empirical analysis of the factors influencing the cyber insurance purchasing decisions of German Small and Medium‑sized Enterprises (SMEs). Based on a questionnaire survey of 1,248 SME executives, the research identifies a significant gap in the market: despite the increasing threat of cyberattacks, SMEs remain reluctant to purchase cyber insurance, with large corporations representing 81% of the market share compared to just 18% for SMEs.
The study reveals that SME decisions are heavily influenced by specific behavioral and informational factors. The most critical takeaways are:
- Financial Impact and Anxiety are Key Drivers: The estimated financial cost and the level of anxiety about a potential cyberattack are significant positive predictors of purchasing cyber insurance. A one‑unit increase in perceived financial impact (on a six‑point scale) increases the likelihood of purchase by 40.3%, while a similar increase in anxiety (on a seven‑point scale) raises it by 30.3%.
- Probability and Experience are Not Significant: Counterintuitively, the perceived probability of an attack and prior personal experience with successful cyberattacks do not significantly influence the decision to buy insurance. This is likely due to the difficulty SMEs face in accurately estimating cyber risk probabilities.
- External Expertise Outweighs Internal Assessment: Assistance from external cybersecurity specialists has a significant positive impact on insurance demand. In contrast, an organization's internal cyber risk assessment has no significant influence, suggesting SMEs lack the internal capability for effective risk evaluation.
- Internet Research has a Negative Effect: Independent Internet research significantly decreases the likelihood of an SME purchasing cyber insurance. A one‑unit increase in reliance on the Internet as an information source reduces the probability of purchase by 38.2%. This is attributed to information overload, which overwhelms SME decision‑makers.
- Firm Size Matters: The demand for cyber insurance increases significantly with firm size. Micro‑enterprises are 72.6% less likely to purchase cyber insurance than large enterprises.
These findings suggest that to increase cyber insurance penetration in the vital SME sector, insurers should develop marketing and distribution strategies that make risks tangible, focus on financial consequences and emotional responses, and leverage external experts to overcome SME resource constraints and information overload.
--------------------------------------------------------------------------------
1. Context: The SME Cyber Insurance Gap in Germany
Small and Medium‑sized Enterprises (SMEs) are the backbone of the German economy, representing 99.3% of all businesses and generating 27.3% of the country's total turnover in 2022. Despite their economic significance, they are increasingly targeted by cyberattacks, with a 12% rise in affected enterprises from 2022 to 2023. The average financial loss for an SME following a successful cyberattack is estimated at €66,812.
Despite this clear and growing threat, a significant gap exists in cyber insurance coverage. While large corporations are the primary customers, SMEs remain hesitant.
- Low Penetration: A 2024 Gothaer survey found that only 25% of 1,022 surveyed German SMEs have cyber insurance.
- Market Share Disparity: According to Germany's Federal Financial Supervisory Authority (BaFin), in 2023, large corporations accounted for 81% of the total cyber insurance market share (by premium income), while SMEs accounted for only 18%.
This reluctance is counterintuitive, as SMEs face particular challenges in cyber risk management‑such as resource constraints, limited technical skills, and a lack of IT experts‑that the assistance services included in cyber insurance policies (e.g., 24/7 claims hotlines, data recovery specialists) are designed to address. The research aims to uncover the behavioral and informational factors driving this discrepancy.
2. Research Overview and Methodology
The analysis is based on data from a standardized online questionnaire completed by 1,248 German SME executives. The study's objective was to evaluate the influence of behavioral factors (risk perception, prior experience, confidence, anxiety) and information sources (internal assessment, external experts, Internet research) on the decision to purchase cyber insurance.
The core research method employed was a logistic regression analysis to determine which factors significantly predict whether an enterprise demands cyber insurance. The final sample consisted of:
- Micro‑enterprises (up to 9 employees): 23.5%
- Small enterprises (10‑49 employees): 45.8%
- Medium‑sized enterprises (50‑249 employees): 21.8%
- Large enterprises (>249 employees): 9.0%
Of the respondents, 67.3% were members of the management board and 43.3% were responsible for IT.
3. Key Determinants of Cyber Insurance Demand
The logistic regression model identified several factors that significantly influence an SME's decision to purchase cyber insurance. The findings challenge conventional assumptions about risk assessment and highlight the power of emotional and external influences.
3.1. Behavioral Influences: Perception, Emotion, and Experience
The study confirms that subjective and emotional factors play a crucial role in decision‑making, while objective experience and rational probability estimates do not.
Factor | Finding | Detailed Insights |
Estimated Financial Impact (Cost) | Significant Positive Influence | Executives who estimate a higher financial impact from a cyberattack are significantly more likely to purchase insurance. A one‑unit increase in perceived financial impact (on a 6‑point scale) increases the purchase likelihood by 40.3%. This suggests that making the financial consequences tangible is a powerful motivator. |
Perceived Anxiety | Significant Positive Influence | A higher level of anxiety about future cyberattacks is a strong predictor of insurance demand. A one‑unit increase in perceived anxiety (on a 7‑point Likert scale) increases the likelihood of purchase by 30.3%. This supports the "risk as feelings" model, where emotions influence risk decisions. |
Perceived Probability of Attack | No Significant Influence | The perceived likelihood of a future cyberattack does not have a statistically significant impact on the insurance decision. This is attributed to the inherent complexity and uncertainty of cyber risks, which makes probability estimation challenging for SMEs with limited assessment capabilities. |
Prior Experience | No Significant Influence | Having previously experienced a financially damaging cyberattack does not significantly increase the likelihood of purchasing insurance. This finding is linked to the insignificance of probability perception; the availability heuristic suggests that prior experience primarily influences probability estimates, which were found to be non‑determinative. |
Confidence in Own Defenses | No Significant Influence | Confidence in the organization's existing cyber risk management measures was found to have an insignificant (though positive) influence on demand. This refutes the hypothesis that overconfidence leads SMEs to forgo insurance. Instead, it suggests that cyber insurance is viewed as a complementary part of a robust risk management system, not a substitute. |
3.2. Information Sources and Decision‑Making Processes
The way SMEs gather information and seek advice is a critical factor, with a stark contrast between the value of professional guidance and the negative impact of independent online research.
Information Source | Finding | Detailed Insights |
External Cybersecurity Experts | Significant Positive Influence | Assistance from external cybersecurity specialists in risk assessment and insurance decisions significantly drives demand. A one‑unit increase in reliance on external experts (on a 7‑point scale) increases the likelihood of purchasing insurance by 16.5%. This highlights the need for professional, curated advice. |
Independent Internet Research | Significant Negative Influence | Contrary to expectations, SMEs that rely on independent Internet research are significantly less likely to purchase cyber insurance. A one‑unit increase in reliance on the Internet (on a 7‑point scale) decreases the purchase likelihood by 38.2%. This is likely due to "information overload," as SMEs find the volume and complexity of online information overwhelming and "beyond my needs." |
Internal Cyber Risk Assessment | No Significant Influence | Conducting an internal cyber risk assessment does not significantly influence the demand for insurance. This suggests that the internal risk management processes in many SMEs are not sophisticated enough to provide a realistic assessment of their cyber risk exposure, thus failing to motivate the purchase of insurance. |
3.3. Organizational Characteristics
Consistent with market data, firm size was confirmed as a major determinant of cyber insurance demand.
- Hypothesis: Smaller enterprises purchase significantly less cyber insurance than larger organizations.
- Result: Confirmed.
- Micro‑enterprises are 72.6% less likely to purchase cyber insurance compared to large enterprises.
- Small enterprises are 64.2% less likely to purchase cyber insurance compared to large enterprises.
- The difference between medium‑sized and large enterprises was not statistically significant.
This finding runs contrary to the bankruptcy cost hypothesis, which posits that smaller firms should value insurance more due to higher relative bankruptcy costs.
4. Summary of Hypotheses and Results
The following table provides a consolidated view of the study's hypotheses and the outcomes of the logistic regression analysis.
Hypothesis | Variable | Predicted Relationship | Result |
H1 | Organizational Size | Smaller firms purchase less insurance. | Confirmed |
H2a | Perceived Financial Impact (Cost) | Higher impact perception increases demand. | Confirmed |
H2b | Perceived Probability | Higher probability perception increases demand. | Rejected |
H3 | Prior Experience | Prior experience increases demand. | Rejected |
H4 | Confidence in Own CRM | Higher confidence decreases demand. | Rejected |
H5 | Perceived Anxiety | Higher anxiety increases demand. | Confirmed |
H6a | Internal Risk Assessment | Increases demand. | Rejected |
H6b | External Expert Assistance | Increases demand. | Confirmed |
H6c | Independent Internet Research | Increases demand. | Rejected (Negative Relationship Found) |
5. Practical Implications and Conclusion
The research provides actionable insights for insurers, policymakers, and SME support organizations aiming to improve cyber resilience.
- For Insurers:
- Marketing Focus: Shift marketing from abstract probabilities to tangible financial consequences. Use vivid case studies and scenarios to increase perceived financial impact and anxiety.
- Emphasize Service, Not Just Indemnity: Highlight the value of assistance services (e.g., incident response, legal support) that address SME resource and expertise gaps.
- Distribution Channels: Collaborate with external IT service providers and cybersecurity consultants, as they are trusted advisors and a key positive influence on SMEs' decisions.
- Simplify and Customize: Develop clear, simple, and well‑suited cyber insurance products for the heterogeneous SME segment to combat information overload and unlock significant market growth potential.
- For SMEs and Policymakers:
- The study underscores the challenges SMEs face in self‑assessing complex risks. This points to a need for greater access to affordable external expertise.
- Given the critical economic role of SMEs, enhancing their protection against cyber risk through better insurance access contributes to the overall stability of the German economy.
The study concludes that behavioral biases and information processing challenges significantly shape the SME cyber insurance market. By understanding that decisions are driven more by the perceived magnitude of loss and emotional anxiety than by rational probability calculations, stakeholders can more effectively communicate the value of cyber insurance and help close the critical protection gap.