Difference between revisions of "Models and Measures for Correlation in Cyber-Insurance"

From Cybersecurity Wiki
Jump to navigation Jump to search
Line 10: Line 10:
  
 
==Categorization==
 
==Categorization==
 
+
mics of Cyber Security]]; [[Insurance]]  
* Issues: [[Economics of Cyber Security]]; [[Insurance]]  
 
  
 
==Key Words==
 
==Key Words==
Line 17: Line 16:
  
 
==Synopsis==
 
==Synopsis==
 +
High correlation in failure of information systems due to worms and viruses has been cited as major impediment to cyber-insurance. However, of the many cyber-risk classes that influence failure of information systems, not all exhibit similar correlation properties. In this paper, the author introduces a new classification of correlation properties of cyber-risks based on a twin-tier approach. At the first tier, is the correlation of cyber-risks within a firm i.e. correlated failure of multiple systems on its internal network. At second tier, is the correlation in risk at a global level i.e. correlation across independent firms in an insurer’s portfolio. Various classes of cyber-risks exhibit different level of correlation at two tiers, for instance, insider attacks exhibit high internal but low global correlation. While internal risk correlation within a firm influences its decision to seek insurance, the global correlation influences insurers’ decision in setting the premium. Citing real data, the articles studies the combined dynamics of the two-step risk arrival process to determine conditions conducive to the existence of cyber-insurance market.
  
THIS BOY'S MINE (j.albert)
+
===The Correlated Nature of IT Security Risks===
 
+
Section 2 elaborates on the source of correlation of IT risks and explains how different classes of risk vary in terms of relative importance of internal and global risk correlation. Due to significant homogeneity and presence of dependencies in computer systems their failure is highly correlated. Recent spate of Internet worms like MS-Blaster and Sasser have highlighted this very threat. These worms exploited vulnerabilities present in ubiquitous Microsoft Windows operating system to infect millions of computers worldwide. Computer viruses like worms are also highly contagious. Using email to spread, Mydoom virus compiled for Win32 platform – generic for Windows operating system – was able to infect an estimated million computers worldwide within 5 days of its release. Although worms and viruses receive maximum media attention, other factors that can cause significant economic damage to a firm’s information system include, insider attacks, spam, configuration errors, hardware failure, software bugs, and theft among others
 
 
 
 
''Abstract:''
 
High correlation in failure of information systems due to worms and viruses has been cited as major impediment to cyber-insurance. However, of the many cyber-risk classes that influence failure of information systems, not all exhibit similar correlation properties. In this paper, we introduce a new classification of correlation properties of cyber-risks based on a twin-tier approach. At the first tier, is the correlation of cyber-risks within a firm i.e. correlated failure of multiple systems on its internal network. At second tier, is the correlation in risk at a global level i.e. correlation across independent firms in an insurer’s portfolio. Various classes of cyber-risks exhibit different level of correlation at two tiers, for instance, insider attacks
 
exhibit high internal but low global correlation. While internal risk correlation within a firm influences its decision to seek insurance, the global correlation influences insurers’ decision in setting the premium. Citing real data we study the combined dynamics of the two-step risk arrival process to determine conditions conducive to the existence of cyber-insurance market.
 
 
 
''Major themes:''
 
 
 
'''Correlation in IT risks'''
 
It is impossible to eliminate security risks in today's IT environment. Most security is intended to deter risk, such as firewall, antivirus, encryption. The residual risk, hopefully, is manageable by the firm protecting itself. If not, security must be outsourced and insurance, purchased.
 
  
Though this approach seems appropriate, it creates a widening rift between security experts
+
===Modeling the Market for Cyber-Insurance====
who would employ standardized best practices and deploy homogeneous software to enhance system manageability and redue vulnerabilities, versus those who propose using cyber-insurance as a means of transferring risks associated with system vulnerabilities. This is because insurance relies on the principle of independent risks while standardized system environments by themselves create a global monolithic risk manifested in virtually every standardized system. Unlike in physical world where risks are geographically dispersed, in information world, network exploits, worms and viruses span all boundaries. All systems that run standardized software and processes are vulnerable, because bugs in them, once discovered, are common knowledge and can be exploited anywhere. This potentially creates a situation where not only all systems within an organization could fail by virtue of their being identical and vulnerable to same exploits, but all similar systems worldwide could fail affecting many organizations simultaneously as seen in case of worms like SQL Slammer, Code Red etc. The existence of high correlation in breach or failure of information systems adds a new dimension to risk management that has rarely been looked at in the context of information security.
+
Section 3 proposes a comprehensive equilibrium model for the cyber-insurance market. The model captures specific features of information assets and includes both types of risk correlation as exogenous parameters. A simulation experiment in the same section demonstrates under which configurations of internal and global correlation a cyber-insurance market may thrive. The formal model presented consists of supply- (Sect. 3.1) and demand-side (3.2) of a cyber-insurance market and the equilibrium conditions (3.3). Inference from the model is drawn using Monte Carlo simulation methods (3.4).
  
'''Correlated risk and insurance'''
+
===Empirical Estimation of Correlation in Risk-Arrival due to Network Exploits===
While global risk correlation influences insurers’ decision in setting the premium, the internal
+
The second main contribution of this paper is discussed in Section 4, where the author presents a method to empirically estimate the size of correlation from distributed honeynet data. The existence of correlation in cyber-risks is taken as a plausible presumption in the literature though the evidence is merely anecdotal. In this section, the authors uses quantitative longitudinal data on attack intensity to obtain rough estimates for the range of realistic correlation parameters. He gives broad estimates for global and internal correlation, compare different models of correlation structure, and address requirements for future data collection to yield more valid and reliable results.
correlation within a single firm influences its individual decision to seek insurance. A risk-averse
 
firm prefers low variance of loss and hence low correlation of failure amongst its internal systems.
 
  
 
==Additional Notes and Highlights==
 
==Additional Notes and Highlights==
 +
Outline:
 +
  1. Introduction
 +
  2 The Correlated Nature of IT Security Risks
 +
    2.1 Classes of Cyber-Risk and Correlation
 +
    2.2 Implications for Cyber-Insurance Policy Design
 +
  3 Modeling the Market for Cyber-Insurance
 +
    3.1 Supply-Side: Two-Step Risk Arrival with Correlation
 +
        3.1.1 Intra-Firm Risk Correlation
 +
        3.1.2 Global Risk Correlation
 +
    3.2 Demand-Side: Information Security Risk Management
 +
        3.2.1 Modeling Information Assets
 +
        3.2.2 Firm’s Decision to Seek Insurance
 +
        3.3 Market Equilibrium Conditions
 +
        3.4 Simulation Results
 +
  4 Empirical Estimation of Correlation in Risk-Arrival due to Network Exploits
 +
    4.1 Description of Data
 +
    4.2 Estimation of Global Correlation
 +
        4.2.1 Beta-Binomial Model
 +
        4.2.2 One-factor Latent Risk Model
 +
        4.2.3 Comparison of Models for Global Correlation
 +
        4.3 Estimation of Internal Correlation
 +
    4.4 Validity and Robustness
 +
  5 Discussion
 +
    5.1 Summary of Results
 +
    5.2 Implications
 +
    5.3 Directions for Future Research

Revision as of 11:42, 29 July 2010

Full Title of Reference

Models and Measures for Correlation in Cyber-Insurance

Full Citation

Rainer Bohme, Models and Measures for Correlation in Cyber-Insurance, Workshop on the Economics of Information Security (2006). Web

BibTeX

Categorization

mics of Cyber Security]]; Insurance

Key Words

Insurance

Synopsis

High correlation in failure of information systems due to worms and viruses has been cited as major impediment to cyber-insurance. However, of the many cyber-risk classes that influence failure of information systems, not all exhibit similar correlation properties. In this paper, the author introduces a new classification of correlation properties of cyber-risks based on a twin-tier approach. At the first tier, is the correlation of cyber-risks within a firm i.e. correlated failure of multiple systems on its internal network. At second tier, is the correlation in risk at a global level i.e. correlation across independent firms in an insurer’s portfolio. Various classes of cyber-risks exhibit different level of correlation at two tiers, for instance, insider attacks exhibit high internal but low global correlation. While internal risk correlation within a firm influences its decision to seek insurance, the global correlation influences insurers’ decision in setting the premium. Citing real data, the articles studies the combined dynamics of the two-step risk arrival process to determine conditions conducive to the existence of cyber-insurance market.

The Correlated Nature of IT Security Risks

Section 2 elaborates on the source of correlation of IT risks and explains how different classes of risk vary in terms of relative importance of internal and global risk correlation. Due to significant homogeneity and presence of dependencies in computer systems their failure is highly correlated. Recent spate of Internet worms like MS-Blaster and Sasser have highlighted this very threat. These worms exploited vulnerabilities present in ubiquitous Microsoft Windows operating system to infect millions of computers worldwide. Computer viruses like worms are also highly contagious. Using email to spread, Mydoom virus compiled for Win32 platform – generic for Windows operating system – was able to infect an estimated million computers worldwide within 5 days of its release. Although worms and viruses receive maximum media attention, other factors that can cause significant economic damage to a firm’s information system include, insider attacks, spam, configuration errors, hardware failure, software bugs, and theft among others

Modeling the Market for Cyber-Insurance=

Section 3 proposes a comprehensive equilibrium model for the cyber-insurance market. The model captures specific features of information assets and includes both types of risk correlation as exogenous parameters. A simulation experiment in the same section demonstrates under which configurations of internal and global correlation a cyber-insurance market may thrive. The formal model presented consists of supply- (Sect. 3.1) and demand-side (3.2) of a cyber-insurance market and the equilibrium conditions (3.3). Inference from the model is drawn using Monte Carlo simulation methods (3.4).

Empirical Estimation of Correlation in Risk-Arrival due to Network Exploits

The second main contribution of this paper is discussed in Section 4, where the author presents a method to empirically estimate the size of correlation from distributed honeynet data. The existence of correlation in cyber-risks is taken as a plausible presumption in the literature though the evidence is merely anecdotal. In this section, the authors uses quantitative longitudinal data on attack intensity to obtain rough estimates for the range of realistic correlation parameters. He gives broad estimates for global and internal correlation, compare different models of correlation structure, and address requirements for future data collection to yield more valid and reliable results.

Additional Notes and Highlights

Outline:

 1. Introduction
 2 The Correlated Nature of IT Security Risks
   2.1 Classes of Cyber-Risk and Correlation
   2.2 Implications for Cyber-Insurance Policy Design
 3 Modeling the Market for Cyber-Insurance
   3.1 Supply-Side: Two-Step Risk Arrival with Correlation
       3.1.1 Intra-Firm Risk Correlation
       3.1.2 Global Risk Correlation
   3.2 Demand-Side: Information Security Risk Management
       3.2.1 Modeling Information Assets
       3.2.2 Firm’s Decision to Seek Insurance
       3.3 Market Equilibrium Conditions
       3.4 Simulation Results
 4 Empirical Estimation of Correlation in Risk-Arrival due to Network Exploits
   4.1 Description of Data
   4.2 Estimation of Global Correlation
       4.2.1 Beta-Binomial Model
       4.2.2 One-factor Latent Risk Model
       4.2.3 Comparison of Models for Global Correlation
       4.3 Estimation of Internal Correlation
   4.4 Validity and Robustness
 5 Discussion
   5.1 Summary of Results
   5.2 Implications
   5.3 Directions for Future Research