Svetlana Radosavac,James Kempf,Ulaş C. Kozat

DOI: https://doi.org/10.1145/1403027.1403037

2008-01-01

Abstract:Managing security risks in the Internet has so far mostly involved methods to reduce the risks and the severity of the damages. Those methods reduce but do not eliminate risk, and the question remains on how to handle the residual risk. Current schemes applied by Internet Service Providers (ISPs) penalize the users, who suffer from the consequences. In this paper, we take a new approach to the problem of Internet security and advocate managing the residual risk by buying insurance against it and consequently re-arranging the incentive chain. We first analyze the current state of the Internet and investigate if it is possible to alleviate the existing problems by introducing insurance schemes. By performing detailed analysis we define an insurance policy that can survive in a competitive market. Following that, we analyze the impact of insurance-based ISPs on the rest of the network and attempt to answer whether using insurance can increase the overall security of the system and provide incentive to other ISPs to implement such policies.

Ranjan Pal,Leana Golubchik

DOI: https://doi.org/10.48550/arXiv.1103.1552

2011-03-08

Cryptography and Security

Abstract:Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is the analysis of optimal user self-defense investments and cyber-insurance contracts under the Internet environment. In this paper, we investigate two problems and their relationship: 1) analyzing optimal self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective and 2) designing optimal cyber-insurance contracts for Internet users, where a contract is a (premium, coverage) pair.

Ranjan Pal

DOI: https://doi.org/10.48550/arXiv.1202.0884

2012-02-04

Cryptography and Security

Abstract:Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as \emph{self-defense} mechanisms. However, according to security experts, such software (and their subsequent advancements) will not completely eliminate risk. Recent research efforts have considered the problem of residual risk elimination by proposing the idea of \emph{cyber-insurance}. In this regard, an important research problem is resolving information asymmetry issues associated with cyber-insurance contracts. In this paper we propose \emph{three} mechanisms to resolve information asymmetry in cyber-insurance. Our mechanisms are based on the \emph{Principal-Agent} (PA) model in microeconomic theory. We show that (1) optimal cyber-insurance contracts induced by our mechanisms only provide partial coverage to the insureds. This ensures greater self-defense efforts on the part of the latter to protect their computing systems, which in turn increases overall network security, (2) the level of deductible per network user contract increases in a concave manner with the topological degree of the user, and (3) a market for cyber-insurance can be made to exist in the presence of monopolistic insurers under effective mechanism design. Our methodology is applicable to any distributed network scenario in which a framework for cyber-insurance can be implemented.

Ranjan Pal,Leana Golubchik,Konstantinos Psounis

DOI: https://doi.org/10.48550/arXiv.1107.4785

2011-07-24

Cryptography and Security

Abstract:Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, and botnets. To reduce the probability of risk, an Internet user generally invests in self-defense mechanisms like antivirus and antispam software. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.) . These risk types are often indistinguishable by a naive user. However, a cyber-insurance agency would most likely insure risks only due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract as standard optimal contracts, i.e., contracts under security attacks only, might prove to be sub-optimal for himself. In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both, security as well as non-security related failures. We propose \emph{Aegis}, a novel cyber-insurance model in which the user accepts a fraction \emph{(strictly positive)} of loss recovery on himself and transfers rest of the loss recovery on the cyber-insurance agency. We mathematically show that given an option, Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users.

Ranjan Pal,Pan Hui

DOI: https://doi.org/10.48550/arXiv.1202.0885

2012-02-04

Cryptography and Security

Abstract:In recent years, researchers have proposed \emph{cyber-insurance} as a suitable risk-management technique for enhancing security in Internet-like distributed systems. However, amongst other factors, information asymmetry between the insurer and the insured, and the inter-dependent and correlated nature of cyber risks have contributed in a big way to the failure of cyber-insurance markets. Security experts have argued in favor of operating system (OS) platform switching (ex., from Windows to Unix-based OSs) or secure OS adoption as being one of the techniques that can potentially mitigate the problems posing a challenge to successful cyber-insurance markets. In this regard we model OS platform switching dynamics using a \emph{social gossip} mechanism and study three important questions related to the nature of the dynamics, for Internet-like distributed systems: (i) which type of networks should cyber-insurers target for insuring?, (ii) what are the bounds on the asymptotic performance level of a network, where the performance parameter is an average function of the long-run individual user willingness to adopt secure OSs?, and (iii) how can cyber-insurers use the topological information of their clients to incentivize/reward them during offering contracts? Our analysis is important to a profit-minded cyber-insurer, who wants to target the right network, design optimal contracts to resolve information asymmetry problems, and at the same time promote the increase of overall network security through increasing secure OS adoption amongst users.

Wanchun Dou,Wenda Tang,Xiaotong Wu,Lianyong Qi,Xiaolong Xu,Xuyun Zhang,Chunhua Hu

DOI: https://doi.org/10.1016/j.ins.2018.12.051

IF: 8.1

2020-01-01

Information Sciences

Abstract:As an important method of risk control in information systems and networks, cyber-insurance has attracted particular attention from both industry and academia. However, two prominent problems hamper the further growth of cyber-insurance. The correlated and interdependent properties of cyber-risks increase the economic risk of insurance companies considerably ; risk pooling can be impeded by these two properties. Further, this situation can be aggravated because cyber-insurance affects the investment for self-protection negatively. This phenomenon is regarded as the ex ante moral hazard. In this study, we establish a mathematical model based on a classic insurance theory to address the abovementioned problems, and propose an optimal cyber-insurance contract scheme that maximizes the expected utility of users. We also propose two personalized contract schemes to incentivize users to invest in self-protection under the no moral hazard and ex ante moral hazard conditions. Extensive experiments are conducted to evaluate the proposed approach, and the experimental results demonstrate the effectiveness and efficiency of the approach. (C) 2018 Published by Elsevier Inc.

M. Adler,P. van Moerbeke,P. Vanhaecke

DOI: https://doi.org/10.48550/arXiv.math-ph/0601020

2006-01-11

Abstract:In a recent publication, it was shown that a large class of integrals over the unitary group U(n) satisfy difference equations over $n$, involving a finite number of steps; special cases are generating functions appearing in questions of longest increasing subsequences in random permutations and words. The main result of the paper states that these difference equations have the \emph{discrete Painlevé property}; roughly speaking, this means that, after a finite number of steps, the solution to these difference equations may develop a pole (Laurent solution), depending on the maximal number of free parameters, and immediately after be finite again (``\emph{singularity confinement}''). The technique used in the proof is based on an intimate relationship between the difference equations (discrete time) and the Toeplitz lattice (continuous time differential equations); the point is that the ``Painlevé property'' for the discrete relations is inherited from the ``Painlevé property'' of the (continuous) Toeplitz lattice.

Mathematical Physics

Ranjan Pal,Pan Hui

DOI: https://doi.org/10.48550/arXiv.1104.0594

2011-04-04

Cryptography and Security

Abstract:Modern distributed communication networks like the Internet and censorship-resistant networks (also a part of the Internet) are characterized by nodes (users) interconnected with one another via communication links. In this regard, the security of individual nodes depend not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term 'effort', we imply the amount of investments made by a user in security mechanisms like antivirus softwares, firewalls, etc., to improve its security. However, often due to the large magnitude of such networks, it is not always possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, the Internet users are selfish and are not willing to co-operate with other users on sharing effort information. In this paper, we adopt a non-cooperative game-theoretic approach to analyze individual user security in a communication network by accounting for both, the partial information that a network node possess about its underlying neighborhood connectivity structure, as well as the presence of positive externalities arising from efforts exerted by neighboring nodes. We investigate the equilibrium behavior of nodes and show 1) the existence of symmetric Bayesian Nash equilibria of efforts and 2) better connected nodes choose lower efforts to exert but earn higher utilities with respect to security improvement irrespective of the nature of node degree correlations amongst the neighboring nodes. Our results provide ways for Internet users to appropriately invest in security mechanisms under realistic environments of information uncertainty.

Ranjan Pal,Leana Golubchik,Konstantinos Psounis,Pan Hui

DOI: https://doi.org/10.48550/arXiv.1607.02598

2016-07-09

Abstract:Despite the promising potential of network risk management services (e.g., cyber-insurance) to improve information security, their deployment is relatively scarce, primarily due to such service companies being unable to guarantee profitability. As a novel approach to making cyber-insurance services more viable, we explore a symbiotic relationship between security vendors (e.g., Symantec) capable of price differentiating their clients, and cyber-insurance agencies having possession of information related to the security investments of their clients. The goal of this relationship is to (i) allow security vendors to price differentiate their clients based on security investment information from insurance agencies, (ii) allow the vendors to make more profit than in homogeneous pricing settings, and (iii) subsequently transfer some of the extra profit to cyber-insurance agencies to make insurance services more viable. \noindent In this paper, we perform a theoretical study of a market for differentiated security product pricing, primarily with a view to ensuring that security vendors (SVs) make more profit in the differentiated pricing case as compared to the case of non-differentiated pricing. In order to practically realize such pricing markets, we propose novel and \emph{computationally efficient} consumer differentiated pricing mechanisms for SVs based on (i) the market structure, (ii) the communication network structure of SV consumers captured via a consumer's \emph{Bonacich centrality} in the network, and (iii) security investment amounts made by SV consumers.

Computer Science and Game Theory

Rui Zhang,Quanyan Zhu

DOI: https://doi.org/10.1109/tcss.2021.3117905

2021-01-01

IEEE Transactions on Computational Social Systems

Abstract:With the recent growing number of cyberattacks and the constant lack of effective defense methods, cyber risks have become ubiquitous in enterprise networks, manufacturing plants, and government computer systems. Cyber insurance provides a valuable approach to transfer the cyber risks to insurance companies and further improve the security status of the insured. The designation of effective cyber-insurance contracts requires considerations from both the insurance market and the dynamic properties of the cyber risks. To capture the interactions between the users and the insurers, we present a dynamic moral-hazard type of principal–agent model incorporated with Markov decision processes, which are used to capture the dynamics and correlations of the cyber risks as well as the user's decisions on the protections. We study and fully analyze a case with a two-state two-action user under linear coverage insurance and further show the risk compensation, Peltzman effect, linear insurance contract principle, and zero-operating profit principle in this case. Numerical experiments are provided to verify our conclusions and further extend to cases of a four-state three-action user under linear coverage insurance and threshold coverage insurance.

English Else

Shutian Liu,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.2210.15010

2022-10-26

Cryptography and Security

Abstract:Risk perceptions are essential in cyber insurance contracts. With the recent surge of information, human risk perceptions are exposed to the influences from both beneficial knowledge and fake news. In this paper, we study the role of the risk perceptions of the insurer and the user in cyber insurance contracts. We formulate the cyber insurance problem into a principal-agent problem where the insurer designs the contract containing a premium payment and a coverage plan. The risk perceptions of the insurer and the user are captured by coherent risk measures. Our framework extends the cyber insurance problem containing a risk-neutral insurer and a possibly risk-averse user, which is often considered in the literature. The explicit characterizations of both the insurer's and the user's risk perceptions allow us to show that cyber insurance has the potential to incentivize the user to invest more on system protection. This possibility to increase cyber security relies on the facts that the insurer is more risk-averse than the user (in a minimization setting) and that the insurer's risk perception is more sensitive to the changes in the user's actions than the user himself. We investigate the properties of feasible contracts in a case study on the insurance of a computer system against ransomware.

Marc Lelarge,Jean Bolot

DOI: https://doi.org/10.48550/arXiv.0803.3455

2008-06-19

Abstract:Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper is to carefully model and quantify the impact of such externalities on the investment in, and deployment of, security features and protocols in a network. Specifically, we study a network of interconnected agents, which are subject to epidemic risks such as those caused by propagating viruses and worms, and which can decide whether or not to invest some amount to self-protect and deploy security solutions. We make three contributions in the paper. First, we introduce a general model which combines an epidemic propagation model with an economic model for agents which captures network effects and externalities. Second, borrowing ideas and techniques used in statistical physics, we introduce a Local Mean Field (LMF) model, which extends the standard mean-field approximation to take into account the correlation structure on local neighborhoods. Third, we solve the LMF model in a network with externalities, and we derive analytic solutions for sparse random graphs, for which we obtain asymptotic results. We explicitly identify the impact of network externalities on the decision to invest in and deploy security features. In other words, we identify both the economic and network properties that determine the adoption of security technologies.

Computer Science and Game Theory,Networking and Internet Architecture

Brenda Wells-Dietel,Asligul Erkan-Barlow

DOI: https://doi.org/10.52227/26579.2023

2023-01-01

Journal of Insurance Regulation

Abstract:This manuscript systematically reviews several strands of literature on cybersecurity and draws attention to the possible moral hazard problem associated with managers’ choices on information security-related investments. First, a careful synthesis of the literature shows that managers have incentives to behave myopically and to defer investments in data security to meet the financial market’s earnings expectations. Second, although adequate cyber risk management involves both risk mitigation and risk transfer, risk transfer through the purchase of cyber insurance is problematic. Despite the increase of insurers and written premiums suggesting growth in the cyber insurance industry, the most recent industry reports point out the increase in loss ratios, the decrease in available cyber insurance limits, and the implementation of more restrictive coverage as a sign of insurers controlling their risk exposure. Finally, existing regulatory frameworks in the U.S. and the European Union (EU) do not negate the trend of increasing numbers of cyberattacks. In conclusion, we argue that an optimal level of regulation is needed but has yet to be enacted to reduce the cyber risk exposure of businesses and insurers, as well as to protect consumers and the overall economy.

Shutian Liu,Quanyan Zhu

2023-12-06

Abstract:Cyber insurance is a complementary mechanism to further reduce the financial impact on the systems after their effort in defending against cyber attacks and implementing resilience mechanism to maintain the system-level operator even though the attacker is already in the system. This chapter presents a review of the quantitative cyber insurance design framework that takes into account the incentives as well as the perceptual aspects of multiple parties. The design framework builds on the correlation between state-of-the-art attacker vectors and defense mechanisms. In particular, we propose the notion of residual risks to characterize the goal of cyber insurance design. By elaborating the insurer's observations necessary for the modeling of the cyber insurance contract, we make comparison between the design strategies of the insurer under scenarios with different monitoring rules. These distinct but practical scenarios give rise to the concept of the intensity of the moral hazard issue. Using the modern techniques in quantifying the risk preferences of individuals, we link the economic impacts of perception manipulation with moral hazard. With the joint design of cyber insurance design and risk perceptions, cyber resilience can be enhanced under mild assumptions on the monitoring of insurees' actions. Finally, we discuss possible extensions on the cyber insurance design framework to more sophisticated settings and the regulations to strengthen the cyber insurance markets.

Cryptography and Security

Henry Skeoch,David Pym

DOI: https://doi.org/10.48550/arXiv.2302.04734

2023-02-09

General Economics

Abstract:Risks associated with information technology systems present a complex modelling challenge, combining the disciplines of operations management, security, and economics. The challenge is to establish a representation of an organization's operational and systems architecture that allows an assessment of the security postures of its various components able to support an assessment of its insurance risk. This work proposes a socioeconomic model for cyber-insurance decisions compromised of entity relationship diagrams, security maturity models, and economic models, thereby linking systems-type and economic approaches to cyber-security assessments. The concept of a cyber-loss-adjuster is introduced, who reconciles cyber-incidents with economic losses. The work aims to bridge a number of disciplines to partly address a longstanding research challenge of accounting for organizational structure in the design and pricing of cyber-insurance. It is important to note the following: insurance companies have long experience of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. The contribution of the methodology proposed here is to provide a framework for calculating the effects of cyber-based risk on the frequency and magnitude of losses. This is achieved through a security analysis of the relationship between the operational structure of an organization and its information systems. It also provides a consistent means for those seeking insurance to describe and understand their security posture and for an insurance company to price its offer of coverage.

Shutian Liu,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.2203.12001

2022-03-22

Computer Science and Game Theory

Abstract:Cyber insurance is a risk-sharing mechanism that can improve cyber-physical systems (CPS) security and resilience. The risk preference of the insured plays an important role in cyber insurance markets. With the advances in information technologies, it can be reshaped through nudging, marketing, or other types of information campaigns. In this paper, we propose a framework of risk preference design for a class of principal-agent cyber insurance problems. It creates an additional dimension of freedom for the insurer for designing incentive-compatible and welfare-maximizing cyber insurance contracts. Furthermore, this approach enables a quantitative approach to reduce the moral hazard that arises from information asymmetry between the insured and the insurer. We characterize the conditions under which the optimal contract is monotone in the outcome. This justifies the feasibility of linear contracts in practice. This work establishes a metric to quantify the intensity of moral hazard and create a theoretic underpinning for controlling moral hazard through risk preference design. We use a linear contract case study to show numerical results and demonstrate its role in strengthening CPS security.

Pikkin Lau,Lingfeng Wang,Wei Wei,Zhaoxi Liu,Chee-Wooi Ten

DOI: https://doi.org/10.1109/TPWRS.2022.3164628

2024-03-17

Abstract:In this paper, a novel cyber-insurance model design is proposed based on system risk evaluation with smart technology applications. The cyber insurance policy for power systems is tailored via cyber risk modeling, reliability impact analysis, and insurance premium calculation. A stochastic Epidemic Network Model is developed to evaluate the cyber risk by propagating cyberattacks among graphical vulnerabilities. Smart technologies deployed in risk modeling include smart monitoring and job thread assignment. Smart monitoring boosts the substation availability against cyberattacks with preventive and corrective measures. The job thread assignment solution reduces the execution failures by distributing the control and monitoring tasks to multiple threads. Reliability assessment is deployed to estimate load losses convertible to monetary losses. These monetary losses would be shared through a mutual insurance plan. To ensure a fair distribution of indemnity, a new Shapley mutual insurance principle is devised. Effectiveness of the proposed Shapley mutual insurance design is validated via case studies. The Shapley premium is compared with existent premium designs. It is shown that the Shapley premium has high indemnity levels closer to those of Tail Conditional Expectation premium. Meanwhile, the Shapley premium is nearly as affordable as the coalitional premium and keeps a relatively low insolvency probability.

Computer Science and Game Theory,Systems and Control

Guang-Hai Cui,Zhen Wang,Jun-Li Li,Xing Jin,Zhi-Wang Zhang

DOI: https://doi.org/10.1016/j.amc.2020.125720

IF: 4.397

2021-03-01

Applied Mathematics and Computation

Abstract:<p>This paper studies how the purchase of insurance policies against epidemic security risks, a voluntary strategy of individuals, impacts the controlling of epidemic security risk propagation in networks and the profit of the insurer. For this purpose, we first formulated a modified agent-based framework that characterizes the coupled dynamics of individual security-protection investment behaviors and epidemic security risk propagation process, to study the effectiveness of insurance policies. Second, we proposed a novel insurance policy that follows the designed "precaution and dynamic post-indemnity" (PDPI) principle, taking the correlated and interdependent characteristics of epidemic security risks into account. We determined how the PDPI insurance policy affects security-protection investment coverage and epidemiological dynamics by tuning the allocation coefficient of insurance funds <em>α</em> and the ratio between the premium and the cost of investment <em>R</em>. The results indicated that, although insurance policies have negative influences on voluntary investment behaviors, the risk propagation can be controlled effectively by appropriate combination of <em>α</em> and <em>R</em>, because the precaution mechanism in the PDPI insurance policy can counteract this side effect by guaranteeing the security-protection investment coverage among insured individuals with larger degrees. We further found that, although the insurance policy cannot lead to the maximal profit when the policy has the best performance on risk propagation prevent, the insurer still can earn positive profits. Finally, some effective PDPI insurance policies against specific investment costs are given. The models and findings shed new and meaningful insights into designing and measuring effective insurance policies associated with security-protection investment in controlling the propagation of epidemic security risks.</p>

mathematics, applied

Zhengming Li,Jianxi Su,Maochao Xu,Jimmy Yuen

2024-08-30

Abstract:The remarkable growth of digital assets, starting from the inception of Bitcoin in 2009 into a 1 trillion market in 2024, underscores the momentum behind disruptive technologies and the global appetite for digital assets. This paper develops a framework to enhance actuaries' understanding of the cyber risks associated with the developing digital asset ecosystem, as well as their measurement methods in the context of digital asset insurance. By integrating actuarial perspectives, we aim to enhance understanding and modeling of cyber risks at both the micro and systemic levels. The qualitative examination sheds light on blockchain technology and its associated risks, while our quantitative framework offers a rigorous approach to modeling cyber risks in digital asset insurance portfolios. This multifaceted approach serves three primary objectives: i) offer a clear and accessible education on the evolving digital asset ecosystem and the diverse spectrum of cyber risks it entails; ii) develop a scientifically rigorous framework for quantifying cyber risks in the digital asset ecosystem; iii) provide practical applications, including pricing strategies and tail risk management. Particularly, we develop frequency-severity models based on real loss data for pricing cyber risks in digit assets and utilize Monte Carlo simulation to estimate the tail risks, offering practical insights for risk management strategies. As digital assets continue to reshape finance, our work serves as a foundational step towards safeguarding the integrity and stability of this rapidly evolving landscape.

Applications,Computational Engineering, Finance, and Science

Michael Bartholic,Zhengrong Gu,Jianan Su,Justin Goldstein,Shin'ichiro Matsuo

DOI: https://doi.org/10.48550/arXiv.2102.03410

2021-02-05

Cryptography and Security

Abstract:Data driven approaches to problem solving are, in many regards, the holy grail of evidence backed decision making. Using first-party empirical data to analyze behavior and establish predictions yields us the ability to base in-depth analyses on particular individuals and reduce our dependence on generalizations. Modern mobile and embedded devices provide a wealth of sensors and means for collecting and tracking individualized data. Applying these assets to the realm of insurance (which is a statistically backed endeavor at heart) is certainly nothing new; yet doing so in a way that is privacy-driven and secure has not been a central focus of implementers. Existing data-driven insurance technologies require a certain level of trust in the data tracking agency (i.e. insurer) to not misuse, mishandle, or over-collect user data. Smart contracts and blockchain technology provide us an opportunity to re-balance these systems such that the blockchain itself is a trusted agent which both insurers and the insured can confide in. We propose a "Smart Auto Insurance" system that minimizes data sharing while simultaneously providing quality-of-life improvements to both sides. Furthermore, we use a simple game theoretical argument to show that the clients using such a system are disincentivized from behaving adversarially.