towards a unifying framework - ptolemy project...towards a unifying framework rainer bohme ? and...

Modeling Cyber-InsuranceTowards a Unifying Framework

Rainer Bohme?and Galina Schwartz†

∗University of Munster, Germany †EECS, UC Berkeley

November 10 - 11, 2010TRUST Workshop at Stanford University

Cyber-Insurance: Research Papers

2011. . .

2002 2003 2004 2005 2006 2007 2008 2009 2010

formal modelsinterdependent security (IDS)

correlated riskinformation asymmetries

enthusiasm

obstacles

Galina Schwartz Cyber-Insurance

Cyber-Insurance: Research Papers

2011. . .

2002 2003 2004 2005 2006 2007 2008 2009 2010

formal modelsinterdependent security (IDS)

correlated riskinformation asymmetries

enthusiasm

obstacles

Galina Schwartz Cyber-Insurance

Talk Outline

1. Characteristics of Cyber-Risk

2. Framework Overview

3. Selected FeaturesI Network topologyI Unified approach to interdependent security and correlated risk

4. Discussion and Conclusion

Galina Schwartz Cyber-Insurance

1Characteristics of Cyber-Risk

Galina Schwartz Cyber-Insurance

What Is Specific to Cyber-Risks ?

success factors of ICT

Cyber-risks [focal features]

distribution & interconnection

→ interdependent securityown security dependson other parties’ actions(security)

universality & reuse

→ correlated risksincidents cause furtherincidents

+

= complexity → imperfect information

Galina Schwartz Cyber-Insurance

What Is Specific to Cyber-Risks ?

success factors of ICT Cyber-risks [focal features]

distribution & interconnection → interdependent securityown security dependson other parties’ actions(security)

universality & reuse

→ correlated risksincidents cause furtherincidents

+

= complexity → imperfect information

Galina Schwartz Cyber-Insurance

What Is Specific to Cyber-Risks ?

success factors of ICT Cyber-risks [focal features]

distribution & interconnection → interdependent securityown security dependson other parties’ actions(security)

universality & reuse → correlated risksincidents cause furtherincidents

+

= complexity → imperfect information

Galina Schwartz Cyber-Insurance

What Is Specific to Cyber-Risks ?

success factors of ICT Cyber-risks [focal features]

distribution & interconnection → interdependent securityown security dependson other parties’ actions(security)

universality & reuse → correlated risksincidents cause furtherincidents

+

= complexity → imperfect information

Galina Schwartz Cyber-Insurance

Examples

Textbook risks [economics & insurance literature]

neither interdependence nor correlation

Airline baggage security

interdependence, but no correlation

Kunreuther & Heal, 2003

Natural disasters in the actuarial literature

spatial correlation, but no interdependence

Embrechts et al., 1999

Cyber-insurance

BOTH interdependence and correlation. . .

Galina Schwartz Cyber-Insurance

Examples

Textbook risks [economics & insurance literature]

neither interdependence nor correlation

Airline baggage security

interdependence, but no correlation

Kunreuther & Heal, 2003

Natural disasters in the actuarial literature

spatial correlation, but no interdependence

Embrechts et al., 1999

Cyber-insurance

BOTH interdependence and correlation[never modeled together so far]

Galina Schwartz Cyber-Insurance

Cyber-Insurance: Research Papers

2011. . .

2002 2003 2004 2005 2006 2007 2008 2009 2010

formal models

interdependent security (IDS)

correlated riskinformation asymmetries

enthusiasm

obstacles

Galina Schwartz Cyber-Insurance

Focusof the Cyber-Insurance Models

interdependent security (IDS)correlated risk

information asymmetries

Ogut et al., 2005

Hofmann, 2007

Bolot & Lelarge, 2008

Lelarge & Bolot, 2009

Schwartz et al., 2009

Radosavac et al., 2008

Bandyopadhyay et al., 2009

Bohme, 2005

Bohme & Kataria, 2006

Galina Schwartz Cyber-Insurance

2Framework Overview

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature 4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature 4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature 4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

Cyber-Insurance: Research Papers

2011. . .

2002 2003 2004 2005 2006 2007 2008 2009 2010

formal models

interdependent security (IDS)

correlated riskinformation asymmetries

enthusiasm

obstacles

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature 4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature

4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature

4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

Overview of Model Attributes

1. network environment 2. demand side 3. supply side

defense function node control market structurenetwork topology heterogeneity insurer risk aversionrisks features agent risk aversion insurer markupattacker model action space &

timingcontract design

4. information structure 5. organizational environment

Information asymmetries regulator(s)Their timing: ICT manufacturersex ante (adverse selection) network intermediariesex post (moral hazard) security service providers

Galina Schwartz Cyber-Insurance

Variables of Interest

Cyber-insurance market

Under which conditions will cyber-insurance thrive?

Network security

Can we expect fewer attacks if cyber-insurance is broadlyadopted?

Social welfare

Will the world be a better place with cyber-riskreallocation?

Galina Schwartz Cyber-Insurance

3Selected Features

Galina Schwartz Cyber-Insurance

Network TopologyExamples

ideosyncratic fully connected single-factor model Erdos-Renyi graph

hardware failure email spam OS vulnerability inter-organizationaldependence

→ Comprehensive insurance policies are bundles of contracts.

Galina Schwartz Cyber-Insurance

Network TopologyExamples

ideosyncratic fully connected single-factor model Erdos-Renyi graph

hardware failure email spam OS vulnerability inter-organizationaldependence

→ Comprehensive insurance policies are bundles of contracts.

Galina Schwartz Cyber-Insurance

Network TopologyExamples

ideosyncratic fully connected single-factor model Erdos-Renyi graph

hardware failure email spam OS vulnerability inter-organizationaldependence

→ Comprehensive insurance policies are bundles of contracts.

Galina Schwartz Cyber-Insurance

Unifying “Interdependence” and “Correlation”

Defense function D for node i (security interdependence only):

Pi = D(li ,wi , s,G , . . . )

li – size of loss

wi – initial wealth

s – vector of security investments: s = si ∪ sj 6=i

G – network topology

Defense function D for node i (simplified):

pi = D(si , s,G , . . . )

Galina Schwartz Cyber-Insurance

Illustration

Node i

Node j

security si

security sj

probability pi

probability pj

loss event xi loss event xj

D

D

nature nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

Illustration

Node i

Node j

security si

security sj

probability pi

probability pj

loss event xi

loss event xj

D

D

nature

nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

Illustration

Node i Node j

security si security sj

probability pi probability pj

loss event xi loss event xj

D D

nature nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

Illustration

Node i Node j

security si security sj

probability pi probability pj

loss event xi loss event xj

D D

nature nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

Illustration

Node i Node j

security si security sj

probability pi probability pj

loss event xi loss event xj

D D

nature nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

Illustration

Node i Node j

security si security sj

probability pi probability pj

loss event xi loss event xj

D D

nature nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

Illustration

Node i Node j

security si security sj

probability pi probability pj

loss event xi loss event xj

D D

nature nature

Topology G

interdependent security

correlated risk

Modeling interdependence AND information asymmetries is hard;modeling correlated risks is hard. requires recursive methods; maylead to complex equilibrium configurations (& dynamics).

Galina Schwartz Cyber-Insurance

“Interdependence” and “Correlation” together

Security interdependence and correlated risk can be modeled jointly[D dependent on both security choices s and realizations x.]

Defense function D for node i

pi = D(si , s,G , x, . . . )

s – vector of security investments: s = si ∪ sj 6=i

G – network topology

pi – probability of loss for node i

Galina Schwartz Cyber-Insurance

4Discussion and Conclusion

Galina Schwartz Cyber-Insurance

Dependent Variablesin the Cyber-Insurance Literature

network securityinsurer market

social welfare

Ogut et al., 2005

Hofmann, 2007

Radosavac et al., 2008

Bolot & Lelarge, 2008

Lelarge & Bolot, 2009

Schwartz et al., 2010

Bandyopadhyay et al., 2009

Bohme, 2005

Bohme & Kataria, 2006

Galina Schwartz Cyber-Insurance

Discrepanciesbetween Statements and Models

Cyber-insurers will improve information about security

. . . but relevant parameters are not included in models.

Cyber-insurers will positively affect (i) agents’ securitydecisions (ii) the network environment

. . . but existing models of contracts do not reflect that;... real cyber-insurers do not condition premiums on security.

Broad adoption of cyber-insurance will change (i) insurermarket structure(s) and (ii) behavior of ICTmanufacturers

. . . but never modeled parametrically.

Galina Schwartz Cyber-Insurance

To Do

Future papers should model (i.e., endogenize) key parameters of:network environment, etc.

Example:endogenous network formation [model of platform switching]

Policy recommendations should be justified by formal (gametheory) models.

Galina Schwartz Cyber-Insurance

To Do

Future papers should model (i.e., endogenize) key parameters of:network environment, etc.

Example:endogenous network formation [model of platform switching]

Policy recommendations should be justified by formal (gametheory) models.

Galina Schwartz Cyber-Insurance

Framework

1.network

environment(nodes)

1.network

environment(nodes)

2.demand side

(agents)

2.demand side

(agents)

3.supply side(insurers)

3.supply side(insurers)

playersnature 4. information structure

5. organizational environment

4. information structure

5. organizational environment

design

utility

risk risk

Galina Schwartz Cyber-Insurance

To Do

Future papers should model (i.e., endogenize) key parameters of:network environment, etc.

Example:endogenous network formation [model of platform switching]

Policy recommendations should be justified by formal (gametheory) models.

Galina Schwartz Cyber-Insurance

Cyber-Insurance: Research Papers

2011. . .

2002 2003 2004 2005 2006 2007 2008 2009 2010

formal modelsinterdependent security (IDS)

correlated riskinformation asymmetries

enthusiasm

obstacles

Galina Schwartz Cyber-Insurance

Cyber-Insurance: Research Papers

2011. . .

2002 2003 2004 2005 2006 2007 2008 2009 2010

formal modelsinterdependent security (IDS)

correlated riskinformation asymmetries

enthusiasm

obstacles

Galina Schwartz Cyber-Insurance

Q & A

Thank you for your attention.

Rainer Bohme?and Galina Schwartz†

∗University of Munster, Germany †EECS, UC Berkeley

November 10 - 11, 2010TRUST Workshop at Stanford University

Galina Schwartz

Galina Schwartz