Models and Measures for Correlation in Cyber-Insurance

From Cybersecurity Wiki
Jump to: navigation, search

Full Title of Reference

Models and Measures for Correlation in Cyber-Insurance

Full Citation

Rainer Bohme and Gaurav Kataria, Models and Measures for Correlation in Cyber-Insurance, Workshop on the Economics of Information Security (2006). Web



Key Words

Botnet, Honeypot, Interdependencies, Phishing, Risk Modeling, SPAM, Worm


High correlation in failure of information systems due to worms and viruses has been cited as major impediment to cyber-insurance. However, of the many cyber-risk classes that influence failure of information systems, not all exhibit similar correlation properties. In this paper, the authors introduce a new classification of correlation properties of cyber-risks based on a twin-tier approach. At the first tier, is the correlation of cyber-risks within a firm i.e. correlated failure of multiple systems on its internal network. At second tier, is the correlation in risk at a global level i.e. correlation across independent firms in an insurer’s portfolio. Various classes of cyber-risks exhibit different level of correlation at two tiers, for instance, insider attacks exhibit high internal but low global correlation. While internal risk correlation within a firm influences its decision to seek insurance, the global correlation influences insurers’ decision in setting the premium. Citing real data, the articles studies the combined dynamics of the two-step risk arrival process to determine conditions conducive to the existence of cyber-insurance market.

The Correlated Nature of IT Security Risks

Section 2 elaborates on the source of correlation of IT risks and explains how different classes of risk vary in terms of relative importance of internal and global risk correlation. Due to significant homogeneity and presence of dependencies in computer systems their failure is highly correlated. Recent spate of Internet worms like MS-Blaster and Sasser have highlighted this very threat. These worms exploited vulnerabilities present in ubiquitous Microsoft Windows operating system to infect millions of computers worldwide. Computer viruses like worms are also highly contagious. Using email to spread, Mydoom virus compiled for Win32 platform – generic for Windows operating system – was able to infect an estimated million computers worldwide within 5 days of its release. Although worms and viruses receive maximum media attention, other factors that can cause significant economic damage to a firm’s information system include, insider attacks, spam, configuration errors, hardware failure, software bugs, and theft among others

Modeling the Market for Cyber-Insurance

Section 3 proposes a comprehensive equilibrium model for the cyber-insurance market. The model captures specific features of information assets and includes both types of risk correlation as exogenous parameters. A simulation experiment in the same section demonstrates under which configurations of internal and global correlation a cyber-insurance market may thrive. The formal model presented consists of supply- (Sect. 3.1) and demand-side (3.2) of a cyber-insurance market and the equilibrium conditions (3.3). Inference from the model is drawn using Monte Carlo simulation methods (3.4).

Empirical Estimation of Correlation in Risk-Arrival due to Network Exploits

The second main contribution of this paper is discussed in Section 4, where the authors present a method to empirically estimate the size of correlation from distributed honeynet data. The existence of correlation in cyber-risks is taken as a plausible presumption in the literature though the evidence is merely anecdotal. In this section, the authors use quantitative longitudinal data on attack intensity to obtain rough estimates for the range of realistic correlation parameters. He gives broad estimates for global and internal correlation, compare different models of correlation structure, and address requirements for future data collection to yield more valid and reliable results.

Additional Notes and Highlights

Expertise required: Economics - High


 1. Introduction
 2 The Correlated Nature of IT Security Risks
   2.1 Classes of Cyber-Risk and Correlation
   2.2 Implications for Cyber-Insurance Policy Design
 3 Modeling the Market for Cyber-Insurance
   3.1 Supply-Side: Two-Step Risk Arrival with Correlation
       3.1.1 Intra-Firm Risk Correlation
       3.1.2 Global Risk Correlation
   3.2 Demand-Side: Information Security Risk Management
       3.2.1 Modeling Information Assets
       3.2.2 Firm’s Decision to Seek Insurance
       3.3 Market Equilibrium Conditions
       3.4 Simulation Results
 4 Empirical Estimation of Correlation in Risk-Arrival due to Network Exploits
   4.1 Description of Data
   4.2 Estimation of Global Correlation
       4.2.1 Beta-Binomial Model
       4.2.2 One-factor Latent Risk Model
       4.2.3 Comparison of Models for Global Correlation
       4.3 Estimation of Internal Correlation
   4.4 Validity and Robustness
 5 Discussion
   5.1 Summary of Results
   5.2 Implications
   5.3 Directions for Future Research