improving assessment of technological and …...improving assessment of technological and portfolio...
TRANSCRIPT
![Page 1: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/1.jpg)
Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University
Linfeng Zhang, Jay Kesan and David Nicol University of Illinois at Urbana-Champaign
![Page 2: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/2.jpg)
Cybersecurity is a National Concern • Cybersecurityis,edtothehealthoftheU.S.economy.
Maliciouscybera9ackscouldthrowthefinancialindustryintochaos.– TheWorldEconomicForumes,matesthatineffec,vecybersecurity
maycosttheworld’seconomyasmuchas$3trillionby2020.• Cybersecurityisalsona,onalsecurity.Cri,calinfrastructure
systems,fromtransporta,ontonuclearpower,arevulnerabletocybera9acks.– Hospitalsandpolicedepartmentshavebeentargetedwith
ransomwarethatseversaccesstovitalinforma,on.
![Page 3: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/3.jpg)
Backward-Looking Cybersecurity
• Current approaches to cybersecurity are often backward-looking. – Cyberattack happens à Analyze the hacked system to
identify what vulnerability was exploited. – The presence of a cyberattack is essentially treated as
evidence that cybersecurity procedures were inadequate. • There is a need for a holistic, forward-looking
approach – one that is premised on risk assessment (which leads to mitigation and resilience).
![Page 4: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/4.jpg)
Solving the Cybersecurity Crisis (the “3 Ds”) • Defend
– Strengtheningsystemsecurity– Suppor,ngcybersecurityresearch– AddressingsoNwarevulnerabili,esastheyarediscovered– Adop,onofcybersecuritystandardslikeNIST’sCybersecurityFramework
• Deter– Deterrencebydenial– Criminallawsandpunishment
• De-escalate– Resilience,whichisalsoaddressedintheNISTCybersecurityFramework– Acyberinsuranceregimecanimproveresiliencethroughfinancialresourcesand
connec,ngpolicyholderstotechnicalresources
![Page 5: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/5.jpg)
Cyber-insurance
Self-protection Self-insurance
“Substitutes” (High demand for one lowers demand for the other)
“Complements” if premiums are tied to self-protection level (Cyberinsurance increases self-protection, i.e. no moral hazard)
“Substitutes” (Availability of one would discourage the other. Self-insurance likely to create a moral hazard)
Relationships Between Different Approaches to Security and Prevention
Source: Kesan, Majuca, and Yurcik, “The Economic Case for Cyberinsurance,” 2004
![Page 6: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/6.jpg)
Cyberinsurance as a Risk Transference Vehicle • Theonlyexis,ngfinancialinstrumentdesignedfortransferring
cyber-risk.• Cyberinsurancepreservesmarketautonomy.• Cyberinsuranceprovidescarrotsands,cksforpolicyholdersto
maintaintheirsystems,poten,allybenefi,ngsocietyasawhole.
• Otherinstrumentslikeop,onsandfutureshavebeenproposed.– TheCreditSuisseGrouprecentlysoldatypeofbondthatfocusedoninternalcatastropheslikeroguetradingandcybersecurityevents.
![Page 7: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/7.jpg)
Current Issues with the Cyberinsurance Market
• Adverseselec,on• Moralhazard
Informa,onAsymmetry
• Natureofcyber-risk• Correla,onDataScarcity
![Page 8: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/8.jpg)
Issues with Cyberinsurance Market (“PEC” Strategy)
![Page 9: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/9.jpg)
Underwriting – Process of Distinguishing Risk Levels
• Underwriterlooksatseverala9ributesofanapplicantandthendecides:– Whethertotaketherisk– Howmuchcoveragetooffer– Howmuchpremiumtocharge
• Underwri,nga9ributesvaryamonginsurancecompanies• Keya9ributesarenotiden,fied• Underwri,ngprocessesincyberinsurancearemostly
ques,onnaireand/orinterview-based
![Page 10: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/10.jpg)
Issues with Cyberinsurance Underwriting
• Theimportanceofmanysignificanta9ributess,llremainunknown
• Nodirectmeasurementofinsuranceapplicant’srisk,ini,allyandsubsequently
• Createsopportuni,esandpossibili,esfordishonesty
![Page 11: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/11.jpg)
Risk Assessment is the Key
• Theessen,alsolu,ontotheinforma,onalasymmetryproblemisbe#erriskassessment.– Narrow down the information gap between the insureds and the insurers. – Separate insureds with different risk levels and price policies more
accurately. – Periodical risk assessment helps insurers monitor their risk exposures. – Better estimation of cost after losses.
• Wecanaddressthisproblemfromseveralangles:– TechnologicalRisk– Por;olioRisk– LegalRisk
![Page 12: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/12.jpg)
TECHNOLOGICAL RISK
©2016CIRI/AHomelandSecurityCenterofExcellence 12
![Page 13: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/13.jpg)
Research Goals
• Measureandpriceriskforcyberthreatsimpac,ngcyberinsurancemarket.
• Economicmodelingandcyberriskmanagementframeworkwilladdressfollowingques,ons
• Howdowemeasureenterpriseriskandpor_oliorisk?• Whichvulnerabili,esimpactenterpriserisk?• Howdoweconductscenario-basedpor_olioriskassessment?
• Developacloudbasedcyberinsuranceriskmanagementtooltoprovideempiricalscores
© 2016 CIRI / A Homeland Security Center of Excellence 13
![Page 14: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/14.jpg)
Research Goals
©2016CIRI/AHomelandSecurityCenterofExcellence 14
Economic Modeling • Empirical analysis of
insurance sector and clients
• Understand market-based and regulatory incentives
Cyber Risk Management • Modeling technique to
quantify cyber risk • Real time analytics,
analyze historical datasets and predict future risks
Measure and Price Risk in Cyber Insurance
![Page 15: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/15.jpg)
Measuring Enterprise Risk for Cloud Services
© 2016 CIRI / A Homeland Security Center of Excellence 15
Problem • Need for quantifying security risk posed
by provisioning services on the cloud.
• Specification requirements for software and hardware components in cloud focus solely on functionality.
• Although, the security risk for each of the components for known threats is available, the risk score for cloud services during provisioning is unknown
![Page 16: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/16.jpg)
Measuring Enterprise Risk for Cloud Services
©2016CIRI/AHomelandSecurityCenterofExcellence 16
• Understanding of attack surfaces impacting enterprise risk • Identify and continuous monitoring of attack surfaces
present in the hardware, software, virtualized systems, networks, etc. for enterprises
• Evaluate impact of vulnerabilities in attack surfaces
• Leverage vulnerability databases to categorize and quantify risk
• Modeling exploitable vulnerabilities
• Identify attack paths based on adversarial strategies
• Develop verifiable risk scores for known vulnerabilities • Integrate vulnerability database and threat intelligence
feeds into the attack path model • Compute risk scores • Weighing risk scores differently based on criticality of
attack situation
![Page 17: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/17.jpg)
Measuring Enterprise Risk for Cloud Services
©2016CIRI/AHomelandSecurityCenterofExcellence 17
Challenges Solu@onsIdentification of Attack Surfaces in Cloud Services
Acquisition of vulnerability scores from live threat intelligence feeds and vulnerability databases
Identification of Exploitable Attack Paths
Network Vulnerability Tests and Attack graph generation
Modeling and assessing risk for cyber-insurance
Graph modeling and monte carlo simulation techniques to categorize attack paths by impact, cost and degree of difficulty
On demand and real-time access to quantifiable cyber risks
Cloud based risk assessment tool
![Page 18: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/18.jpg)
Measuring Enterprise Risk for Cloud Services
Cyber Risk Scoring and Mitigation (CRISM) • Security risk assessment for cloud based services. • Vulnerability detection, attack graph analysis, and risk
assessment. • Diverse network configurations and dynamic scaling cloud
environment. • Risk assessment models for generating, analysis and
evaluation of attack paths based on security requirements and cloud service configuration.
• Quantitative risk assessment and categorizes attack paths based on the impact to cloud services.
• Illustrates the security risk scores via different visual metaphors which allow practitioners to process information at several levels of granularity.
© 2016 CIRI / A Homeland Security Center of Excellence 18
CyberRiskModelingandAnalysis
![Page 19: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/19.jpg)
Measuring Enterprise Risk for Cloud Services
Bayesian Attack Graph • Extract topology and vulnerability
information for enterprise systems and network from scanning, vulnerability tests and vulnerability databases
• Generation of attack graph to model security state of enterprise system and network
• Developed probabilistic security metric using Bayesian Networks by leveraging attack graph
• Encoding contribution of different security conditions during system compromise.
©2016CIRI/AHomelandSecurityCenterofExcellence 19
![Page 20: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/20.jpg)
Measuring Enterprise Risk for Cloud Services
Bayesian Attack Graph Analysis • Examples of vulnerabilities-
– Unsafe security policy, corrupted file, memory access permission, unsafe firewall properties, unauthorized access
• System and network states represented as attributes and modeled using Bernoulli distribution
• Attacker success to reach goal depends on state of attributes
• Bayesian Attack Graph captures cause-consequence relationships between attributes
©2016CIRI/AHomelandSecurityCenterofExcellence 20
![Page 21: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/21.jpg)
Measuring Enterprise Risk for Cloud Services
![Page 22: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/22.jpg)
Demonstration
![Page 23: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/23.jpg)
Future Technological Risk Work
• Model criticality of assets in the risk scoring
• Provide prioritized mitigation plan
• Simulating security remediation scenarios based on patching vulnerabilities vs enforcing security controls
©2016CIRI/AHomelandSecurityCenterofExcellence 23
![Page 24: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/24.jpg)
PORTFOLIO RISK
©2016CIRI/AHomelandSecurityCenterofExcellence 24
![Page 25: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/25.jpg)
Data Description
©2016CIRI/AHomelandSecurityCenterofExcellence 25
• Analysisaredoneusingthecyber-casesdatasetsprovidedby:– VerisCommunityDatabase,thethelargestnon-commercialcyber-incidentdatabase
• Over8000cyber-incidentsrecorded• Foreachincident,ithasinforma,onabout:
– Actors,Ac,ons,AffectedAssets,Outcome• Goodforprofilinga9ackersandac,onstheytook
– AdvisenLtd.,aleadingproviderofdataforthecommercialpropertyandcasualtyinsurancemarket
• Over40,000cyber-casesarerecordedinthedataset,andover35,000casestookplaceinUS• Therecordforeachcasecontains:
– Timeline(firstno,cedate,reportdata,etc.)– Casecharacteris,cs(casetype,causes,etc.)– Legalinforma,on(juristrigger,court,etc.)– Outcome(Lossamounts,injuries,etc.)– Vic,mcompanyinforma,on(name,sector,size,etc.)– Detaileddescrip,on– Possiblyapplicablelineofinsurancebusiness
• Goodforstudyingvic,mcompaniesandthelegalaspectofeachincident
![Page 26: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/26.jpg)
©2016CIRI/AHomelandSecurityCenterofExcellence 26
Source:VerisCommunityDatabase(VCDB)–thelargestnon-commercialcyber-incidentdatabase
Risk Profile Across Different Sectors
DataSource:AdvisenLtd.
![Page 27: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/27.jpg)
Risk Profile
©2016CIRI/AHomelandSecurityCenterofExcellence 27
DataSource:AdvisenLtd.
![Page 28: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/28.jpg)
Risk Profile
• Around14.2%ofthecasesinUShappenedtocompanieslocatedinCalifornia
DataprovidedbyAdvisenLtd.
![Page 29: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/29.jpg)
Risk Profile
(Chartinlogscale)• Weusenumberofemployeesasaproxyforcompanysize• Overall,lossamountgoesupforlargercompanies,butvarianceislarge• SmallcompaniescanoNenexperiencethesameorevenlargeramountof
lossthanlargecompanies
DataprovidedbyAdvisenLtd.
![Page 30: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/30.jpg)
Risk Profile
©2016CIRI/AHomelandSecurityCenterofExcellence 30
Monthlycyber-incidentnumbersince2010Datasource:VerisCommunityDatabase(VCDB)
![Page 31: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/31.jpg)
Risk Profile • Holt’s linear method with multiplicative errors - ETS(M, A, N) best describes the properties of the incident
count over time – Estimated parameters:
• Alpha = 0.42 (larger the value, less influence from the past) • Beta = 0.07 (trend component)
• Relatively Short memory
– Incidents from distant past has little influence on the future incidents
• Positive trend component – The overall incident number grows at a slow pace – The incident count is getting more volatile
• Possibly because Conflict between lower entry barrier for being an attacker and higher cyber-security awareness
• No seasonal component – Making cyber-risk unlike natural catastrophes such as floods and earthquakes that appear to be seasonal – No easy way to predict the incident number
©2016CIRI/AHomelandSecurityCenterofExcellence 31
![Page 32: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/32.jpg)
Risk Profile • Attack clustering
– Discussed in A Closer Look at Attack Clustering (Bohme et al., 2006)
– Clustered attacks arise after a vulnerability is exploited due to the interaction between attacker and defender strategies
©2016CIRI/AHomelandSecurityCenterofExcellence 32
![Page 33: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/33.jpg)
Risk Profile • Attack clustering
– Similar phenomenon appears on a macro level
©2016CIRI/AHomelandSecurityCenterofExcellence 33
Outburst of attacks in a short period - Vulnerabilities discovered - New attacking technique - Etc.
Slowly dies out - Slow adoption of patches - Workaround attacks are used until completely
blocked - Etc.
![Page 34: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/34.jpg)
Risk Profile • Clustering indicates interdependency in attacks
– Different attacks may have the same cause: • Vulnerability • Tool/method • Actor • Target
• From a cyber-insurance aspect, correlation among policies may
amplify the losses – Several policyholders can be affected in a single incident. e.g.
• XSS attack affects site visitors on a large scale • Vulnerabilities in popular backend platforms can expose the sites using these
platforms in danger
©2016CIRI/AHomelandSecurityCenterofExcellence 34
![Page 35: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/35.jpg)
Methodology for Analyzing Portfolio Risk
• Assumptions: – Every incident results in a claim – Claims are all covered. – Portfolios are static(not changing in different years) – It’s far from being realistic, but simple and good enough for a start
• Generate a list of publicly traded companies in US – Exchanges we considered include Nasdaq, NYSE and AMEX – 5700+ companies in total after removing duplications
• different classes of stock or different divisions from the same company are seen as duplications.
• 6600+ companies before removal – Data source: NASDAQ(
http://www.nasdaq.com/screening/companies-by-name.aspx)
©2016CIRI/AHomelandSecurityCenterofExcellence 35
![Page 36: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/36.jpg)
Methodology for Analyzing Portfolio Risk
• We randomly sample 100 companies from the list to form a portfolio of policyholders
– Assuming each company has the same likelihood of purchasing cyber-insurance – Repeat the process for 1000 time to create 1000 portfolios.
• Using name matching algorithm, we look up the companies from each portfolios in the incident database(VCDB) to see how many of them have incidents in a given year
– we use data points from 2011 to 2014, since they have the best quality
• Log the incident number of each portfolio. Since we have 1000 portfolios in each year, we get a pretty good distribution of portfolio risk in terms of claim counts.
©2016CIRI/AHomelandSecurityCenterofExcellence 36
![Page 37: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/37.jpg)
©2016CIRI/AHomelandSecurityCenterofExcellence 37
• The claim count from a portfolio generally follows Poisson distribution (mean ≈ 3.5 out of 100 in 2011)
• Empirical distribution has a larger tail than the fitted one, indicating a higher probability of large claim numbers
Portfolio Risk
![Page 38: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/38.jpg)
Incident Number Distribution of Portfolios of Size 100 in Different Years
38©2016CIRI/AHomelandSecurityCenterofExcellence
![Page 39: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/39.jpg)
Portfolio Risk in Different Years
• Distribution parameter does not hold constant
• The expected value of claim counts can be very different in different years – i.e. in the first three years, the mean number keeps growing,
but in the fourth year it declines
• Tail is getting bigger over time, which means large claim count is becoming more likely to occur
©2016CIRI/AHomelandSecurityCenterofExcellence 39
![Page 40: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/40.jpg)
Portfolio Risk – Typical methods to model the correlation in portfolios
• Common shock model • Copulas • Bayesian Belief Network (BBN)
– Common shock model gets messy when the number of dimensions increases(e.g. a large group of policies that are interdependent)
– Copulas are simple and popular in credit risk analysis • Credit risk and cyber-risk are similar in many ways
– Both bond portfolio and cyber-insurance portfolio have some diversity but correlated risk arises from changes in the big environment
– We can see a cyber-incident as the consequence of defense level going below some threshold, which is similar to a ‘default’
• For this reason, many researchers have proposed using copulas to measure the risk in cyber-insurance portfolios
• Downside: many implementations of these methods need large amount of historical data
©2016CIRI/AHomelandSecurityCenterofExcellence 40
![Page 41: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/41.jpg)
Portfolio Risk • Bayesian belief network
– It updates our belief based on evidence, so we can easily incorporate new data in analysis
– Fairly new in portfolio management
– Few literatures discuss the application of such method in details
– A possible structure of the network
©2016CIRI/AHomelandSecurityCenterofExcellence 41
B
A
Vulnerability
Discovered/notDiscovered
Industry
Targeted/notTargeted
c
Otherfactors
x
![Page 42: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/42.jpg)
Portfolio Risk • Probabilities in the network are
updated according to the new information, e.g.
– Assuming we know A is attacked – From this piece of information we
induct that possibly there is a vulnerability in the system that A uses being exploited
– Because B used the same system, the possibility of B being attacked goes up
• Application – Update portfolio risk profile in real-time – Insurers can change premium rates
and reserves accordingly
©2016CIRI/AHomelandSecurityCenterofExcellence 42
B
A
Vulnerability
Discovered/notDiscovered
Industry
Targeted/notTargeted
c
Otherfactors
x
![Page 43: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/43.jpg)
Future Portfolio Risk Work • Switch incident database from VCDB to Advisen’s cyber-dataset
– Avoid issues in community-maintained database; • Biased data sources • Incomplete information
– Collect information on financial losses in each incident • For better understanding of the nature of cyber-risk • Assessing the severity of incidents and measuring the portfolio exposure
• Add more realistic assumptions to the portfolio simulation process – Take coverage specifications into consideration – Dynamic portfolio(surrender or non-renew rate, new policies)
• Test Bayesian Belief Network model with Advisen’s data, and see if it:
– provides a good estimate of portfolio risk – makes better decisions about premium rate
©2016CIRI/AHomelandSecurityCenterofExcellence 43
![Page 44: Improving Assessment of Technological and …...Improving Assessment of Technological and Portfolio Risks Sachin Shetty Old Dominion University Linfeng Zhang, Jay Kesan and David Nicol](https://reader033.vdocuments.site/reader033/viewer/2022042913/5f4a9ea2321f1958842256ea/html5/thumbnails/44.jpg)
Thank you