Wei Huang,Chengguo Weng,Yi Zhang

DOI: https://doi.org/10.1002/asmb.1981

2014-01-01

Applied Stochastic Models in Business and Industry

Abstract:In this paper, we consider four common types of ruin probabilities for a discrete-time multivariate risk model, where the insurer is assumed to be exposed to a vector of net losses resulting from a number of business lines over each period. By assuming a large initial capital for the risk model and regularly varying distributions for the net losses, we establish some interesting asymptotic estimates for ruin probabilities in terms of the upper tail dependence function of the net loss vector. Our results insightfully characterize how the dependence structure among the individual net losses affect the ruin probabilities in an asymptotic sense, and more importantly, from our main results, explicit asymptotic estimates for those ruin probabilities can be obtained via specifying a copula for the net loss vectors. Copyright © 2013 John Wiley & Sons, Ltd.

Ranjan Pal

DOI: https://doi.org/10.48550/arXiv.1202.0884

2012-02-04

Cryptography and Security

Abstract:Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as \emph{self-defense} mechanisms. However, according to security experts, such software (and their subsequent advancements) will not completely eliminate risk. Recent research efforts have considered the problem of residual risk elimination by proposing the idea of \emph{cyber-insurance}. In this regard, an important research problem is resolving information asymmetry issues associated with cyber-insurance contracts. In this paper we propose \emph{three} mechanisms to resolve information asymmetry in cyber-insurance. Our mechanisms are based on the \emph{Principal-Agent} (PA) model in microeconomic theory. We show that (1) optimal cyber-insurance contracts induced by our mechanisms only provide partial coverage to the insureds. This ensures greater self-defense efforts on the part of the latter to protect their computing systems, which in turn increases overall network security, (2) the level of deductible per network user contract increases in a concave manner with the topological degree of the user, and (3) a market for cyber-insurance can be made to exist in the presence of monopolistic insurers under effective mechanism design. Our methodology is applicable to any distributed network scenario in which a framework for cyber-insurance can be implemented.

Henry Skeoch,Christos Ioannidis

2023-08-17

Abstract:Efficient risk transfer is an important condition for ensuring the sustainability of a market according to the established economics literature. In an inefficient market, significant financial imbalances may develop and potentially jeopardise the solvency of some market participants. The constantly evolving nature of cyber-threats and lack of public data sharing mean that the economic conditions required for quoted cyber-insurance premiums to be considered efficient are highly unlikely to be met. This paper develops Monte Carlo simulations of an artificial cyber-insurance market and compares the efficient and inefficient outcomes based on the informational setup between the market participants. The existence of diverse loss distributions is justified by the dynamic nature of cyber-threats and the absence of any reliable and centralised incident reporting. It is shown that the limited involvement of reinsurers when loss expectations are not shared leads to increased premiums and lower overall capacity. This suggests that the sustainability of the cyber-insurance market requires both better data sharing and external sources of risk tolerant capital.

General Economics

Zhengming Li,Jianxi Su,Maochao Xu,Jimmy Yuen

2024-08-30

Abstract:The remarkable growth of digital assets, starting from the inception of Bitcoin in 2009 into a 1 trillion market in 2024, underscores the momentum behind disruptive technologies and the global appetite for digital assets. This paper develops a framework to enhance actuaries' understanding of the cyber risks associated with the developing digital asset ecosystem, as well as their measurement methods in the context of digital asset insurance. By integrating actuarial perspectives, we aim to enhance understanding and modeling of cyber risks at both the micro and systemic levels. The qualitative examination sheds light on blockchain technology and its associated risks, while our quantitative framework offers a rigorous approach to modeling cyber risks in digital asset insurance portfolios. This multifaceted approach serves three primary objectives: i) offer a clear and accessible education on the evolving digital asset ecosystem and the diverse spectrum of cyber risks it entails; ii) develop a scientifically rigorous framework for quantifying cyber risks in the digital asset ecosystem; iii) provide practical applications, including pricing strategies and tail risk management. Particularly, we develop frequency-severity models based on real loss data for pricing cyber risks in digit assets and utilize Monte Carlo simulation to estimate the tail risks, offering practical insights for risk management strategies. As digital assets continue to reshape finance, our work serves as a foundational step towards safeguarding the integrity and stability of this rapidly evolving landscape.

Applications,Computational Engineering, Finance, and Science

Matteo Malavasi,Gareth W. Peters,Pavel V. Shevchenko,Stefan Trück,Jiwook Jang,Georgy Sofronov

DOI: https://doi.org/10.1016/j.insmatheco.2022.05.003

2022-09-01

Insurance: Mathematics and Economics

Abstract:In this study an exploration of insurance risk transfer is undertaken for the cyber insurance industry in the United States of America, based on the leading industry dataset of cyber events provided by Advisen. We seek to address two core unresolved questions. First, what factors are the most significant covariates that may explain the frequency and severity of cyber loss events and are they heterogeneous over cyber risk categories? Second, is cyber risk insurable in regards to the required premiums, risk pool sizes and how would this decision vary with the insured companies industry sector and size? We address these questions through a combination of regression models based on the class of Generalized Additive Models for Location Shape and Scale (GAMLSS) and a class of ordinal regressions. These models will then form the basis for our analysis of frequency and severity of cyber risk loss processes. We investigate the viability of insurance for cyber risk using a utility modeling framework with premiums calculated by classical certainty equivalence analysis utilizing the developed regression models. Our results provide several new key insights into the nature of insurability of cyber risk and rigorously address the two insurance questions posed in a real data driven case study analysis.

English Else

Ranjan Pal,Leana Golubchik

DOI: https://doi.org/10.48550/arXiv.1103.1552

2011-03-08

Cryptography and Security

Abstract:Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is the analysis of optimal user self-defense investments and cyber-insurance contracts under the Internet environment. In this paper, we investigate two problems and their relationship: 1) analyzing optimal self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective and 2) designing optimal cyber-insurance contracts for Internet users, where a contract is a (premium, coverage) pair.

Rui Zhang,Quanyan Zhu

DOI: https://doi.org/10.1109/tcss.2021.3117905

2021-01-01

IEEE Transactions on Computational Social Systems

Abstract:With the recent growing number of cyberattacks and the constant lack of effective defense methods, cyber risks have become ubiquitous in enterprise networks, manufacturing plants, and government computer systems. Cyber insurance provides a valuable approach to transfer the cyber risks to insurance companies and further improve the security status of the insured. The designation of effective cyber-insurance contracts requires considerations from both the insurance market and the dynamic properties of the cyber risks. To capture the interactions between the users and the insurers, we present a dynamic moral-hazard type of principal–agent model incorporated with Markov decision processes, which are used to capture the dynamics and correlations of the cyber risks as well as the user's decisions on the protections. We study and fully analyze a case with a two-state two-action user under linear coverage insurance and further show the risk compensation, Peltzman effect, linear insurance contract principle, and zero-operating profit principle in this case. Numerical experiments are provided to verify our conclusions and further extend to cases of a four-state three-action user under linear coverage insurance and threshold coverage insurance.

English Else

Andrew Fleck,Edward Furman,Yang Shen

2024-10-19

Abstract:In order to properly manage risk, practitioners must understand the aggregate risks they are exposed to. Additionally, to properly price policies and calculate bonuses the relative riskiness of individual business units must be well understood. Certainly, Insurers and Financiers are interested in the properties of the sums of the risks they are exposed to and the dependence of risks therein. Realistic risk models however must account for a variety of phenomena: ill-defined moments, lack of elliptical dependence structures, excess kurtosis and highly heterogeneous marginals. Equally important is the concern over industry-wide systematic risks that can affect multiple business lines at once. Many techniques of varying sophistication have been developed with all or some of these problems in mind. We propose a modification to the classical individual risk model that allows us to model company-wide losses via the class of Multivariate Stable Distributions. Stable Distributions incorporate many of the unpleasant features required for a realistic risk model while maintaining tractable aggregation and dependence results. We additionally compute the Tail Conditional Expectation of aggregate risks within the model and the corresponding allocations.

Risk Management,Portfolio Management

Brianna Bace,Elisabeth Dubois,Unal Tatar

DOI: https://doi.org/10.3390/electronics13142768

IF: 2.9

2024-07-15

Electronics

Abstract:Catastrophic cyber incidents—events of low probability but high impact, with the potential to incur billions of dollars in damages—are prompting insurers to elevate premiums, create higher barriers for potential buyers, and tighten policies with exclusions. While these responses of the insurance industry are important to prevent its insolvency during catastrophic incidents due to excessive claims, they lead to a notable gap in market protection. Using a content analysis of multistakeholder comments submitted in response to a Treasury Department Request for Information (RFI), this study seeks to define what constitutes a catastrophic cyber event, identify mitigation strategies, evaluate the current capacity of the cyber insurance sector to handle such incidents, and investigate the potential roles and support mechanisms that the government can provide to enhance the insurance sector's capacity to manage these extreme risks. This paper is one of the pioneering studies using data and a multistakeholder perspective to provide essential guidance for policymakers, regulators, the insurance industry, and the cybersecurity sector in formulating robust policies and strategies to address catastrophic cyber risks, ultimately enhancing national economic and technological resilience.

engineering, electrical & electronic,physics, applied,computer science, information systems

Petar Radanliev,David De Roure,Rob Walton,Max Van Kleek,Rafael Mantilla Montalvo,La’Treall Maddox,Omar Santos,Peter Burnap,Eirini Anthi

DOI: https://doi.org/10.1007/s42452-020-03559-4

2020-10-06

SN Applied Sciences

Abstract:Abstract We explore the potential and practical challenges in the use of artificial intelligence (AI) in cyber risk analytics, for improving organisational resilience and understanding cyber risk. The research is focused on identifying the role of AI in connected devices such as Internet of Things (IoT) devices. Through literature review, we identify wide ranging and creative methodologies for cyber analytics and explore the risks of deliberately influencing or disrupting behaviours to socio-technical systems. This resulted in the modelling of the connections and interdependencies between a system's edge components to both external and internal services and systems. We focus on proposals for models, infrastructures and frameworks of IoT systems found in both business reports and technical papers. We analyse this juxtaposition of related systems and technologies, in academic and industry papers published in the past 10 years. Then, we report the results of a qualitative empirical study that correlates the academic literature with key technological advances in connected devices. The work is based on grouping future and present techniques and presenting the results through a new conceptual framework. With the application of social science's grounded theory, the framework details a new process for a prototype of AI-enabled dynamic cyber risk analytics at the edge.

Yang Lu,Jinggong Zhang,Wenjun Zhu

DOI: https://doi.org/10.1080/03461238.2023.2289374

IF: 1.7821

2024-01-04

Scandinavian Actuarial Journal

Abstract:In the past decade, cyber risk has raised much interest in the economy, and cyber risk has evolved from a type of pure operational risk to both operational and liability risk. However, the modeling of cyber risk is still in its infancy. Compared with other financial risks, cyber risk has some unique features. In particular, discrete variables regularly arise both in the frequency component (e.g. number of events per unit time), and the severity component (e.g. the number of data breaches for each cyber event). In addition, the modeling of these count variables are further complicated by nonstandard properties such as zero inflation, serial and cross-sectional correlations, as well as heavy tails. Previous cyber risk models have largely focused on continuous models that are incompatible with many of these characteristics. This paper introduces a new count-based frequency-severity framework to model cyber risk, with a dynamic multivariate negative binomial autoregressive process for the frequency component, and the generalized Poisson inverse-Gaussian distribution for the severity component. We unify these new modeling tools by proposing a tractable Generalized Method of Moments for their estimation and applying them to the Privacy Rights Clearinghouse (PRC) dataset.

social sciences, mathematical methods,mathematics, interdisciplinary applications,statistics & probability

Martin Eling,Werner Schnell

DOI: https://doi.org/10.1080/10920277.2019.1641416

2019-10-30

North American Actuarial Journal

Abstract:Cyber risk is becoming more significant for insurance companies in both underwriting and operational risk terms, but the characteristics of cyber risk are still not yet well understood. We contribute to the literature by analyzing the role of cyber risk in insurance regulation frameworks. The aggregated cyber risk exposure of an insurer is estimated by fitting different marginal distributions and dependence models to historical cyber losses. This aggregated cyber exposure allows us to derive the insurer's survival probability and compare it with the goals of regulatory frameworks, such as the U.S. Risk Based Capital (RBC) or Solvency II (SII). Our findings indicate that regulatory models underestimate the potential risks associated with cyber threats. This is especially true for small cyber insurance portfolios, which are predominant in practice today. Regulatory models should be adapted to account for the heavy tails and dependence structure specific to cyber risks, instead of assuming "one size fits all."

English Else

Ranjan Pal,Leana Golubchik,Konstantinos Psounis

DOI: https://doi.org/10.48550/arXiv.1107.4785

2011-07-24

Cryptography and Security

Abstract:Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, and botnets. To reduce the probability of risk, an Internet user generally invests in self-defense mechanisms like antivirus and antispam software. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.) . These risk types are often indistinguishable by a naive user. However, a cyber-insurance agency would most likely insure risks only due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract as standard optimal contracts, i.e., contracts under security attacks only, might prove to be sub-optimal for himself. In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both, security as well as non-security related failures. We propose \emph{Aegis}, a novel cyber-insurance model in which the user accepts a fraction \emph{(strictly positive)} of loss recovery on himself and transfers rest of the loss recovery on the cyber-insurance agency. We mathematically show that given an option, Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users.

Wing Fung Chong,Runhuan Feng,Hins Hu,Linfeng Zhang

2023-10-23

Abstract:Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to manage. This paper proposes a two-pillar cyber risk management framework to address such difficulty. The first pillar, cyber risk assessment, blends the frequency-severity model in insurance with the cascade model in cybersecurity, to capture the unique feature of cyber risk. The second pillar, cyber capital management, provides informative decision-making on a balanced cyber risk management strategy, which includes cybersecurity investments, insurance coverage, and reserves. This framework is demonstrated by a case study based on a historical cyber incident dataset, which shows that a comprehensive cost-benefit analysis is necessary for a budget-constrained company with competing objectives for cyber risk management. Sensitivity analysis also illustrates that the best strategy depends on various factors, such as the amount of cybersecurity investments and the effectiveness of cybersecurity controls.

Risk Management,Cryptography and Security,Optimization and Control

Stefano Chiaradonna,Nicolas Lanchier

DOI: https://doi.org/10.1051/mmnp/2022041

2022-10-15

Mathematical Modelling of Natural Phenomena

Abstract:As cyber attacks have become more frequent, cyber insurance premiums have increased, resulting in the need for better modeling of cyber risk. Toward this direction, Jevtić and Lanchier [ Insur. Math. Econ. 91 (2020) 209–223] proposed a dynamic structural model of aggregate loss distribution for cyber risk of small and medium-sized enterprises under the assumption of a tree-based local-area-network topology that consists of the combination of a Poisson process, homogeneous random trees, bond percolation processes, and cost topology. Their model assumes that the contagion spreads through the edges of the network with the same fixed probability in both directions, thus overlooking a dynamic cyber security environment implemented in most networks, and their results give an exact expression for the mean of the aggregate loss but only a rough upper bound for the variance. In this paper, we consider a bidirectional version of their percolation model in which the contagion spreads through the edges of the network with a certain probability of moving toward the lower level assets of the network but with another probability of moving toward the higher level assets of the network, which results in a more realistic cyber security environment. In addition, our mathematical approach is quite different and leads to exact expressions for both the mean and the variance of the aggregate loss, and therefore an exact expression for the insurance premiums.

mathematics, applied, interdisciplinary applications,mathematical & computational biology

Wanchun Dou,Wenda Tang,Xiaotong Wu,Lianyong Qi,Xiaolong Xu,Xuyun Zhang,Chunhua Hu

DOI: https://doi.org/10.1016/j.ins.2018.12.051

IF: 8.1

2020-01-01

Information Sciences

Abstract:As an important method of risk control in information systems and networks, cyber-insurance has attracted particular attention from both industry and academia. However, two prominent problems hamper the further growth of cyber-insurance. The correlated and interdependent properties of cyber-risks increase the economic risk of insurance companies considerably ; risk pooling can be impeded by these two properties. Further, this situation can be aggravated because cyber-insurance affects the investment for self-protection negatively. This phenomenon is regarded as the ex ante moral hazard. In this study, we establish a mathematical model based on a classic insurance theory to address the abovementioned problems, and propose an optimal cyber-insurance contract scheme that maximizes the expected utility of users. We also propose two personalized contract schemes to incentivize users to invest in self-protection under the no moral hazard and ex ante moral hazard conditions. Extensive experiments are conducted to evaluate the proposed approach, and the experimental results demonstrate the effectiveness and efficiency of the approach. (C) 2018 Published by Elsevier Inc.

Shutian Liu,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.2210.15010

2022-10-26

Cryptography and Security

Abstract:Risk perceptions are essential in cyber insurance contracts. With the recent surge of information, human risk perceptions are exposed to the influences from both beneficial knowledge and fake news. In this paper, we study the role of the risk perceptions of the insurer and the user in cyber insurance contracts. We formulate the cyber insurance problem into a principal-agent problem where the insurer designs the contract containing a premium payment and a coverage plan. The risk perceptions of the insurer and the user are captured by coherent risk measures. Our framework extends the cyber insurance problem containing a risk-neutral insurer and a possibly risk-averse user, which is often considered in the literature. The explicit characterizations of both the insurer's and the user's risk perceptions allow us to show that cyber insurance has the potential to incentivize the user to invest more on system protection. This possibility to increase cyber security relies on the facts that the insurer is more risk-averse than the user (in a minimization setting) and that the insurer's risk perception is more sensitive to the changes in the user's actions than the user himself. We investigate the properties of feasible contracts in a case study on the insurance of a computer system against ransomware.

Michel Dacorogna,Marie Kratz

2023-02-05

Abstract:Not a day goes by without news about a cyber attack. Fear spreads out and lots of wrong ideas circulate. This survey aims at showing how all these uncertainties about cyber can be transformed into manageable risk. After reviewing the main characteristics of cyber risk, we consider the three layers of cyber space: hardware, software and psycho-cognitive layer. We ask ourselves how is this risk different from others, how modelling has been tackled and needs to evolve, and what are the multi-facetted aspects of cyber risk management. This wide exploration pictures a science in the making and points out the questions to be solved for building a resilient society.

Cryptography and Security

Na Ren,Xin Zhang

2024-08-26

Abstract:The frequent occurrence of cyber risks and their serious economic consequences have created a growth market for cyber insurance. The calculation of aggregate losses, an essential step in insurance pricing, has attracted considerable attention in recent years. This research develops a path-based k-generation risk contagion model in a tree-shaped network structure that incorporates the impact of the origin contagion location and the heterogeneity of security levels on contagion probability and local loss, distinguishing it from most existing models. Furthermore, we discuss the properties of k-generation risk contagion among multi-paths using the concept of d-separation in Bayesian network (BN), and derive explicit expressions for the mean and variance of local loss on a single path. By combining these results, we compute the mean and variance values for aggregate loss across the entire network until time $t$, which is crucial for accurate cyber insurance pricing. Finally, through numerical calculations and relevant probability properties, we have obtained several findings that are valuable to risk managers and insurers.

Risk Management

Ranjan Pal,Pan Hui

DOI: https://doi.org/10.48550/arXiv.1202.0885

2012-02-04

Cryptography and Security

Abstract:In recent years, researchers have proposed \emph{cyber-insurance} as a suitable risk-management technique for enhancing security in Internet-like distributed systems. However, amongst other factors, information asymmetry between the insurer and the insured, and the inter-dependent and correlated nature of cyber risks have contributed in a big way to the failure of cyber-insurance markets. Security experts have argued in favor of operating system (OS) platform switching (ex., from Windows to Unix-based OSs) or secure OS adoption as being one of the techniques that can potentially mitigate the problems posing a challenge to successful cyber-insurance markets. In this regard we model OS platform switching dynamics using a \emph{social gossip} mechanism and study three important questions related to the nature of the dynamics, for Internet-like distributed systems: (i) which type of networks should cyber-insurers target for insuring?, (ii) what are the bounds on the asymptotic performance level of a network, where the performance parameter is an average function of the long-run individual user willingness to adopt secure OSs?, and (iii) how can cyber-insurers use the topological information of their clients to incentivize/reward them during offering contracts? Our analysis is important to a profit-minded cyber-insurer, who wants to target the right network, design optimal contracts to resolve information asymmetry problems, and at the same time promote the increase of overall network security through increasing secure OS adoption amongst users.