Models and Measures for Correlation in Cyber-Insurance


Full Title of Reference

Models and Measures for Correlation in Cyber-Insurance

Full Citation

Rainer Böhme, Models and Measures for Correlation in Cyber-Insurance, Workshop on the Economics of Information Security (2006). Web

Key Words

Abstract: High correlation in failure of information systems due to worms and viruses has been cited as a major impediment to cyber-insurance. However, of the many cyber-risk classes that influence failure of information systems, not all exhibit similar correlation properties. In this paper, we introduce a new classification of correlation properties of cyber-risks based on a twin-tier approach. At the first tier is the correlation of cyber-risks within a firm, i.e. correlated failure of multiple systems on its internal network. At the second tier is the correlation in risk at a global level, i.e. correlation across independent firms in an insurer's portfolio. Various classes of cyber-risks exhibit different levels of correlation at the two tiers; for instance, insider attacks exhibit high internal but low global correlation. While internal risk correlation within a firm influences its decision to seek insurance, the global correlation influences insurers' decision in setting the premium. Citing real data, we study the combined dynamics of the two-step risk arrival process to determine conditions conducive to the existence of a cyber-insurance market.

Major themes:

Correlation in IT risks

It is impossible to eliminate security risks in today's IT environment. Most security measures, such as firewalls, antivirus and encryption, are intended to deter risk. The residual risk, hopefully, is manageable by the firm protecting itself. If not, security must be outsourced and insurance purchased.

Though this approach seems appropriate, it creates a widening rift between security experts who would employ standardized best practices and deploy homogeneous software to enhance system manageability and reduce vulnerabilities, and those who propose using cyber-insurance as a means of transferring the risks associated with system vulnerabilities. This is because insurance relies on the principle of independent risks, while standardized system environments by themselves create a global monolithic risk manifested in virtually every standardized system. Unlike in the physical world, where risks are geographically dispersed, in the information world network exploits, worms and viruses span all boundaries. All systems that run standardized software and processes are vulnerable, because bugs in them, once discovered, are common knowledge and can be exploited anywhere. This potentially creates a situation where not only could all systems within an organization fail by virtue of being identical and vulnerable to the same exploits, but all similar systems worldwide could fail, affecting many organizations simultaneously, as seen in the case of worms like SQL Slammer and Code Red. The existence of high correlation in breach or failure of information systems adds a new dimension to risk management that has rarely been looked at in the context of information security.

Correlated risk and insurance

While global risk correlation influences insurers' decision in setting the premium, the internal correlation within a single firm influences its individual decision to seek insurance. A risk-averse firm prefers low variance of loss and hence low correlation of failure amongst its internal systems.
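The two-tier argument above can be made concrete by decomposing the variance of the total number of failed systems into a within-firm term (driven by internal correlation, which is what the risk-averse firm sees) and an across-firm term (driven by global correlation, which is what the insurer prices). The following is an added example, not the paper's own model: it assumes a simple hierarchical common-shock construction (each system copies a global shock, its firm's shock, or an independent draw) purely to generate exchangeable failures with the prescribed pairwise correlations, and checks the closed form by Monte Carlo.

```python
"""Two-tier correlation of cyber-risk losses: firm-internal vs. global tier.

Added example (not the paper's model). Assumption: failures are exchangeable
Bernoulli(p) indicators with pairwise correlation rho_internal inside a firm
and rho_global between systems of different firms.
"""
import math
import random


def loss_variance(m, n, p, rho_internal, rho_global):
    """Variance of the total failure count over m firms with n systems each.
    Each system adds p(1-p); each within-firm pair adds rho_internal*p(1-p);
    each across-firm pair adds rho_global*p(1-p).  With m=1 this is the
    single firm's loss variance, which grows linearly in rho_internal."""
    pairs_within = m * n * (n - 1)
    pairs_across = m * (m - 1) * n * n
    return p * (1 - p) * (m * n + pairs_within * rho_internal + pairs_across * rho_global)


def simulate_total_loss(m, n, p, rho_internal, rho_global, rng):
    """One draw of the portfolio loss under the assumed common-shock scheme:
    a system copies the global shock with prob a, else its firm's shock with
    prob b, else draws independently.  Two systems are correlated only when
    both copy the same shock, so corr across firms = a^2 and corr within a
    firm = a^2 + ((1-a)b)^2; a and b are solved from the target rhos."""
    if not 0 <= rho_global <= rho_internal < 1:
        raise ValueError("need 0 <= rho_global <= rho_internal < 1")
    a = math.sqrt(rho_global)
    b = math.sqrt(rho_internal - rho_global) / (1 - a)
    if b > 1:
        raise ValueError("rho_internal too large for this rho_global")
    global_shock = rng.random() < p
    total = 0
    for _ in range(m):
        firm_shock = rng.random() < p
        for _ in range(n):
            u = rng.random()
            if u < a:
                total += global_shock
            elif u < a + (1 - a) * b:
                total += firm_shock
            else:
                total += rng.random() < p
    return total


def sample_variance(m, n, p, rho_internal, rho_global, trials=10000, seed=1):
    """Monte Carlo estimate of the portfolio loss variance (seeded, repeatable)."""
    rng = random.Random(seed)
    xs = [simulate_total_loss(m, n, p, rho_internal, rho_global, rng) for _ in range(trials)]
    mean = sum(xs) / trials
    return sum((x - mean) ** 2 for x in xs) / (trials - 1)
```

Comparing `loss_variance(1, n, p, rho, 0)` for low and high `rho` shows the firm-level effect (insider-style risk), while holding the within-firm term fixed and raising `rho_global` shows the portfolio-level effect (worm-style risk) that drives the premium.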

Additional Notes and Highlights