
Page 1: STINFO COPY - DTIC · The above two strands of prior work, cyber risk quantification and participatory incentive in cyber insurance markets, constitute the foundation of this project,

A NEW PARADIGM IN RISK-INFORMED CYBER INSURANCE POLICY DESIGN: META-POLICIES AND RISK AGGREGATION

REGENTS OF THE UNIVERSITY OF MICHIGAN

MAY 2019

FINAL TECHNICAL REPORT

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED

STINFO COPY

AIR FORCE RESEARCH LABORATORY INFORMATION DIRECTORATE

AFRL-RI-RS-TR-2019-100

UNITED STATES AIR FORCE ROME, NY 13441 AIR FORCE MATERIEL COMMAND


NOTICE AND SIGNATURE PAGE

Using Government drawings, specifications, or other data included in this document for any purpose other than Government procurement does not in any way obligate the U.S. Government. The fact that the Government formulated or supplied the drawings, specifications, or other data does not license the holder or any other person or corporation; or convey any rights or permission to manufacture, use, or sell any patented invention that may relate to them.

This report is the result of contracted fundamental research deemed exempt from public affairs security and policy review in accordance with SAF/AQR memorandum dated 10 Dec 08 and AFRL/CA policy clarification memorandum dated 16 Jan 09. This report is available to the general public, including foreign nations. Copies may be obtained from the Defense Technical Information Center (DTIC) (http://www.dtic.mil).

AFRL-RI-RS-TR-2019-100 HAS BEEN REVIEWED AND IS APPROVED FOR PUBLICATION IN ACCORDANCE WITH ASSIGNED DISTRIBUTION STATEMENT.

FOR THE CHIEF ENGINEER:

/ S /
FRANCES A. ROSE
Work Unit Manager

/ S /
QING WU
Technical Advisor, Computing & Communications Division
Information Directorate

This report is published in the interest of scientific and technical information exchange, and its publication does not constitute the Government’s approval or disapproval of its ideas or findings.


REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)

The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.

1. REPORT DATE (DD-MM-YYYY): MAY 2019
2. REPORT TYPE: FINAL TECHNICAL REPORT
3. DATES COVERED (From - To): DEC 2017 – DEC 2018
4. TITLE AND SUBTITLE: A NEW PARADIGM IN RISK-INFORMED CYBER INSURANCE POLICY DESIGN: META-POLICIES AND RISK AGGREGATION
5a. CONTRACT NUMBER: FA8750-18-2-0011
5b. GRANT NUMBER: N/A
5c. PROGRAM ELEMENT NUMBER: N/A
5d. PROJECT NUMBER: DHS1
5e. TASK NUMBER: 7U
5f. WORK UNIT NUMBER: MO
6. AUTHOR(S): Mingyan Liu
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Regents of the University of Michigan, Office of Research and Sponsored Projects, 503 Thompson St., Ann Arbor, MI 48109-1340
8. PERFORMING ORGANIZATION REPORT NUMBER:
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): Air Force Research Laboratory/RITE, 525 Brooks Road, Rome NY 13441-4505
10. SPONSOR/MONITOR'S ACRONYM(S): AFRL/RI
11. SPONSOR/MONITOR'S REPORT NUMBER: AFRL-RI-RS-TR-2019-100
12. DISTRIBUTION AVAILABILITY STATEMENT: Approved for Public Release; Distribution Unlimited. This report is the result of contracted fundamental research deemed exempt from public affairs security and policy review in accordance with SAF/AQR memorandum dated 10 Dec 08 and AFRL/CA policy clarification memorandum dated 16 Jan 09.
13. SUPPLEMENTARY NOTES:
14. ABSTRACT: The proposed research aims to tackle some of the most significant challenges facing the design of risk-informed insurance policies.
15. SUBJECT TERMS: Cyber insurance, contract design, incentive policy, risk dependency, cybersecurity, risk quantification
16. SECURITY CLASSIFICATION OF: a. REPORT: U; b. ABSTRACT: U; c. THIS PAGE: U
17. LIMITATION OF ABSTRACT: UU
18. NUMBER OF PAGES: 14
19a. NAME OF RESPONSIBLE PERSON: FRANCES A. ROSE
19b. TELEPHONE NUMBER (Include area code): N/A

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std. Z39.18


Table of Contents

1.0 SUMMARY ............................................................................................................... 1

2.0 INTRODUCTION .................................................................................................... 2

3.0 METHODS, ASSUMPTIONS, AND PROCEDURES .......................................... 3

3.1 A risk-dependent approach to policy underwriting (Task 1.1) .................................... 3

4.0 RESULTS AND DISCUSSION ............................................................................... 5

4.1 Policy design in the presence of risk dependency (Task 1.1) ...................................... 5

4.2 Universal and lightweight embedding for Internet hosts (Task 3.1) ........................... 6

5.0 CONCLUSIONS ....................................................................................................... 7

6.0 REFERENCES ......................................................................................................... 8

LIST OF SYMBOLS, ABBREVIATIONS, AND ACRONYMS .......................................... 10


1.0 SUMMARY

Cyber insurance is both a method for transferring and mitigating cybersecurity risks and a potential incentive mechanism for internalizing the externalities of security investments, through concepts such as premium discrimination. It inherits the classic insurance problems of adverse selection (higher-risk users seek more protection) and moral hazard (users lower their investment in self-protection after being insured), but faces additional challenges such as security interdependence, correlated risk and damages in an interconnected system, and a fast-changing cyber threat landscape. This not only makes the design of a standalone policy challenging, but also introduces the additional difficulty of quantifying risk aggregation given a portfolio of policies.

One of the key challenges has been the persistent lack of actuarial data, combined with the fact that cybersecurity faces a fast-changing, ever-evolving threat landscape. This has often led to the use of defensive mechanisms such as excessive exclusions/restrictions and high premiums on one hand, and rather limited due diligence in customer surveys/audits on the other. On the demand side, the lack of standard risk assessment and management metrics and tools has led to a significant lack of confidence in the amount of protection one ultimately gets from insurance, and confusion on how to balance investing in classical security measures against investing in cyber insurance. This has in no small degree contributed to the fact that, despite rapid growth, cyber insurance remains a nascent market.

Our research under this project aims to tackle some of the most significant challenges facing the design of risk-informed insurance policies, focusing on establishing a solid theoretical foundation for a new family of cyber insurance policies and developing practical algorithms that derive usable policies, building upon our prior work on developing the quantitative risk assessment tools needed to effectively mitigate moral hazard.

Over the 12-month period we successfully completed Tasks 1.1 and 3.1 outlined in the proposal and the corresponding Statement of Work (SOW). What we accomplished has the potential to bring about a paradigm shift in the design of cyber insurance, as our risk assessment technology provides the crucial tool that can enable credible risk monitoring/audit, mitigate moral hazard, and facilitate judicious policy customization, which in turn allows us to design policies aimed at reducing information asymmetry, improving transparency, and ultimately serving as an effective way of controlling and reducing cyber risks.


2.0 INTRODUCTION

The design of cyber insurance contracts, and their effects on firms’ security behavior, has been extensively studied in the literature [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]. These studies show that the impact of cyber insurance on firms’ investment, and on the resulting state of network security, depends on the assumptions made about the insurance market as well as the assumed model of interdependency among the insured. In our prior work [12] we asked whether socially optimal security efforts can be incentivized through non-compulsory insurance, and concluded that the current policy structure, even including premium discrimination, cannot guarantee voluntary participation due to the non-excludable nature of cybersecurity as a public good. To the best of our knowledge this is the first formal result on the participatory condition in cyber insurance. We further studied this in [13, 14] using alternate mechanisms and graph analysis to gain a deeper understanding of what structural changes may alleviate this problem, such as re-insurance, bundling the insurer with a security vendor, and using business relationships as additional incentives.

In this project, we are similarly interested in understanding the role of cyber insurance and its efficacy as an incentive mechanism for improved network security, but with an emphasis on developing alternative forms of policies specifically aimed at better aligning incentives with cybersecurity realities. Specifically, we focused on the effects of two distinct features of cybersecurity that have not been adequately studied in the context of cyber insurance. The first is the interdependent nature of cybersecurity and cyber risk, whereby one entity’s state of security depends not only on its own investment and effort, but also on the investments and efforts of others in the same ecosystem (i.e., externalities); see e.g. [15, 16, 17, 18]. In other words, the risk that an insured transfers to the insurer is not only a function of its own actions, but also of the actions of other entities, who may or may not themselves be seeking to transfer risk.

The second distinct feature is the fact that recent advances in Internet measurement combined with machine learning techniques now allow us to perform accurate, quantitative security posture assessments at the firm level [19]. This can be used as a tool to perform an initial security audit, or pre-screening, of a prospective client, as well as to sustain continued monitoring, enabling effective premium discrimination and the design of active and customized policies. Our predictive framework introduced in [19] and the follow-on study [20] are the first we know of that aim at providing risk quantification at the organizational level. This is accomplished by tapping into a diverse set of externally observed data that captures different aspects of an organization’s network security posture, ranging from the explicit or behavioral, such as externally observed malicious activities originating from a network (e.g., spam and phishing), to the latent or relational, such as misconfigurations in the network that deviate from known best practices, to the structural, such as the organization’s business sector, size and region of operation. This predictive framework marks concrete progress towards generating the cybersecurity actuarial data that the insurance industry sorely needs.

The above two strands of prior work, cyber risk quantification and participatory incentive in cyber insurance markets, constitute the foundation of this project, with the goal of using quantitative risk assessment to design better incentive policies in the form of insurance, and transforming the landscape of cyber insurance policy-making by making it truly cyber risk-informed and risk-reducing.


3.0 METHODS, ASSUMPTIONS, AND PROCEDURES

3.1 A risk-dependent approach to policy underwriting (Task 1.1)

Our main technical pursuit in this project lies in understanding how to underwrite insureds with risk dependencies. Previously we used a contract-theoretic framework to show that, when there is risk dependency, an insurer can effectively use security pre-screening (enabled by tools such as our measurement and quantitative risk assessment) and premium discrimination to achieve two things simultaneously: (i) incentivize higher security effort (thus lower risk) by the insureds, and (ii) make more profit in the process. This is because if the insurer can exert positive control over the insureds, the resulting benefit from one insured is effectively multiplied due to the risk interdependency and externalities, thereby in essence reducing the insurer’s total risk exposure. We further showed that this conclusion holds even when an insurer hopes to recover some of its client’s loss from a third party’s policy when the loss incident can be attributed to the third party; this is a primary reason why an insurer often chooses not to insure both a client and the client’s third parties (e.g., service providers). Our results show that even when this type of loss recovery is present, it is still in the insurer’s interest to jointly insure the client and its third parties, i.e., to jointly insure risk-dependent entities.

Our first main technical objective under the project is to demonstrate how this type of policy can be structured within the standard underwriting practice of using a policy rate schedule. Specifically, we consider a Service Provider (SP) and its customers as the insurer’s interdependent customers: a data breach suffered by the SP can cause business interruption to its customers. Our methodology consists of modeling, analyzing, and comparing three portfolio alternatives available to the insurance carrier, as depicted in Figure 1: insure just the service provider and let someone else insure its customers (Portfolio type A), insure both the service provider and its customers (Portfolio type B), or insure just the service provider’s customers and let someone else insure the SP (Portfolio type C).

Figure 1: Three Portfolio Types: shaded areas indicate entities insured by an underwriter

In each case, the question we are interested in is to what extent the insurer may be able to induce the parties to reduce their risk while maximizing its own profit. We examine how these policy incentives can be used to reduce the direct and indirect risks to the parties involved. To do so, we developed a model that formally establishes an insurance carrier’s profit as a function of the insurance policy terms as well as the incentives embedded in the policy, as detailed in [21]; an extended version has been accepted to appear in the Journal on Cybersecurity [22].


3.2 Fingerprinting Internet hosts using deep learning (Task 3.1)

Our second technical goal under the project is to continue to develop advanced data analytics tools aimed at quantifying cyber risks, building upon our previous success with data breach prediction [19]. The overall analysis framework is depicted in Figure 2, where “Host2vec” stands for Host-to-Vector, VAE stands for variational autoencoder, and JSON stands for JavaScript Object Notation. As shown in the figure, we process Internet scan data and apply deep learning techniques to obtain numerical representations, or feature vectors, of Internet hosts. The “Application” block highlights the utility of this framework. Dashed arrows/blocks indicate that a supervised or unsupervised model can use binary, latent, or both types of representations.

Figure 2: A deep learning framework

The goal is to build a scalable framework that characterizes Internet hosts using deep learning: it takes Internet scan data as input and produces numerical and lightweight (low-dimensional) representations of hosts. To do so we first develop a novel method for extracting binary tags from structured text, the format of the scan data. We then use a variational autoencoder, a neural network model, to construct low-dimensional embeddings of our high-dimensional binary representations. One thing worth noting about this deep learning methodology is that it is unsupervised, i.e., it does not require labels such as breach reports (which we needed in our previous study of breach prediction); it is fundamentally a data reduction and summarization tool for large volumes of data. The embeddings it obtains can then be used for other supervised and unsupervised learning. In this sense the method we develop is extremely generic and universal. This work has appeared in [23].

[Figure 2 block labels: Network scanner(s); Global snapshot; JSON vectorizer; Binary features; Deep VAE (Host2vec); Latent features; Machine learning model; Labels; Forecasts; Application]
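As an added illustration of the scan-data-to-binary-features stage described above (this is not the project's released jsonvectorizer or VAE code), the following Python walks JSON scan records, turns every leaf into presence, value and token tags, prunes tags seen on too few hosts, and emits one binary vector per host. The records, the ignored `ip` path and the pruning thresholds are constructed for the example.

```python
"""Simplified JSON-to-binary-tag vectorizer, after the scan-data -> binary-features
stage of Section 3.2. Added illustration, not the project's jsonvectorizer release."""
import math
import re
from collections import Counter
from typing import Any, Dict, Iterable, Iterator, List, Set, Tuple

IGNORE_PATHS = {"ip"}   # constructed choice: identifiers carry no posture information
MIN_TOKEN_LEN = 2       # constructed choice: drop one-character string tokens

def leaf_values(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Walk a JSON document and yield (dotted path, scalar) for every leaf."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_values(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for val in obj:                      # list elements share one path "x[]"
            yield from leaf_values(val, prefix + "[]")
    else:
        yield prefix, obj

def record_tags(record: Dict[str, Any]) -> Set[str]:
    """One scan record -> set of binary tags: every leaf gets 'path:present';
    categoricals add 'path=value' and per-token 'path#token'; numbers a log2 bucket."""
    tags: Set[str] = set()
    for path, value in leaf_values(record):
        if path in IGNORE_PATHS:
            continue
        tags.add(f"{path}:present")
        if isinstance(value, bool):          # test bool first: bool is an int subclass
            tags.add(f"{path}={str(value).lower()}")
        elif isinstance(value, (int, float)):
            bucket = 0 if value <= 0 else int(math.log2(value)) + 1
            tags.add(f"{path}~2^{bucket}")   # coarse bucket keeps the vocabulary bounded
        elif isinstance(value, str):
            lowered = value.lower()
            tags.add(f"{path}={lowered}")
            for token in re.findall(r"[a-z0-9]+", lowered):
                if len(token) >= MIN_TOKEN_LEN:
                    tags.add(f"{path}#{token}")
    return tags

class JsonVectorizer:
    """Learns a tag vocabulary from a corpus, then maps records to 0/1 vectors."""
    def __init__(self, min_support: int = 2) -> None:
        self.min_support = min_support       # tags seen on fewer hosts are pruned
        self.vocab: List[str] = []
        self._index: Dict[str, int] = {}

    def fit(self, records: Iterable[Dict[str, Any]]) -> "JsonVectorizer":
        counts: Counter = Counter()
        for rec in records:
            counts.update(record_tags(rec))
        self.vocab = sorted(t for t, c in counts.items() if c >= self.min_support)
        self._index = {t: i for i, t in enumerate(self.vocab)}
        return self

    def transform(self, record: Dict[str, Any]) -> List[int]:
        vec = [0] * len(self.vocab)
        for tag in record_tags(record):
            idx = self._index.get(tag)
            if idx is not None:              # tags outside the vocabulary are dropped
                vec[idx] = 1
        return vec

def jaccard(a: List[int], b: List[int]) -> float:
    """Similarity of two binary host vectors, a simple downstream use of the features."""
    inter = sum(1 for x, y in zip(a, b) if x and y)
    union = sum(1 for x, y in zip(a, b) if x or y)
    return inter / union if union else 0.0

# Constructed scan records in a Censys-like layout; the hosts and banners are not real.
SAMPLE_SCAN: List[Dict[str, Any]] = [
    {"ip": "192.0.2.10", "p22": {"ssh": {"banner": "SSH-2.0-OpenSSH_7.4", "kex": ["curve25519-sha256"]}},
     "p443": {"https": {"tls": {"version": "TLSv1.2", "self_signed": False, "cipher_bits": 256}}}},
    {"ip": "192.0.2.11", "p22": {"ssh": {"banner": "SSH-2.0-OpenSSH_7.4"}},
     "p23": {"telnet": {"banner": "login:"}}},
    {"ip": "192.0.2.12", "p23": {"telnet": {"banner": "login:"}},
     "p443": {"https": {"tls": {"version": "TLSv1.0", "self_signed": True, "cipher_bits": 128}}}},
    {"ip": "192.0.2.13",
     "p443": {"https": {"tls": {"version": "TLSv1.2", "self_signed": False, "cipher_bits": 256}}}},
]

def build_feature_matrix(records=SAMPLE_SCAN, min_support: int = 2):
    """Fit on the corpus and return (vectorizer, binary vector per record)."""
    vz = JsonVectorizer(min_support).fit(records)
    return vz, [vz.transform(r) for r in records]

if __name__ == "__main__":
    vz, matrix = build_feature_matrix()
    print(len(vz.vocab), "tags kept after pruning:", vz.vocab)
    for rec, vec in zip(SAMPLE_SCAN, matrix):
        print(rec["ip"], [t for t, bit in zip(vz.vocab, vec) if bit])
```

On the four constructed hosts the pruning step keeps 14 tags; the single-host `kex`, `TLSv1.0` and `self_signed=true` tags are dropped, which is the same vocabulary-bounding behaviour the VAE stage relies on at scale.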


4.0 RESULTS AND DISCUSSION

4.1 Policy design in the presence of risk dependency (Task 1.1)

The findings of the analysis in this section are summarized as follows, with reference to the model shown in Figure 1.

Given the choice between insuring just the SP (Portfolio A) or the SP and all its customers (Portfolio B), an insurance carrier should choose Portfolio B. The reason is that the insurer can incentivize the SP to improve its security posture in exchange for a discounted premium. While this reduces the insurer’s revenue from the SP, it improves the security posture of the SP and its customers, leading to fewer claims from business interruptions. Collectively this leads to lower overall risk and higher profits for the insurer.

Given the choice between insuring both the SP and its customers (Portfolio B) or just the SP’s customers (Portfolio C) and attributing losses to the SP, an insurance carrier should choose Portfolio B. This is because with Portfolio C the insurer is unable to effectively induce the SP to improve its security posture, which negatively affects all of the provider’s customers.

If an insurer chooses to underwrite only the SP’s customers (Portfolio C), it should incorporate the risk condition of the SP into the customers’ premiums. By contrast, current practice often ignores the security posture of the SP (or any third parties) when pricing the customer’s policy.

Underwriting both the SP and its customers, and giving the SP a larger premium discount, improves the insurer’s profit and decreases the probability of a data breach. A consequence of the latter is that the utility of the insureds improves; thus underwriting both the SP and its customers improves social welfare (total utility) in general.

To summarize, we demonstrated how cyber risk dependency can be factored into policy underwriting within standard practice frameworks. We showed how quantitative risk assessment and risk dependencies can be readily embedded into such an underwriting framework to make the resulting policy more targeted to the amount of risk underwritten, and how it can reduce the overall risk levels for both the primary client and its third parties.


4.2 Universal and lightweight embedding for Internet hosts (Task 3.1)

We showed that the lightweight embeddings obtained following the VAE framework outlined in Figure 2 retain most of the information in our binary representations of hosts, while drastically reducing memory and computational requirements for large-scale analysis. These embeddings are also universal, in that the process used to generate them is unsupervised and does not rely on specific applications. This universality makes the embeddings broadly applicable to a variety of unsupervised and supervised learning tasks, in which they can be used as input features. We demonstrated this ability via two examples, (1) detecting and predicting malicious hosts, and (2) unmasking hidden host attributes, and compared the trained models in their performance, speed, robustness, and interpretability. We showed that our embeddings can achieve high accuracy (> 95%) for these learning tasks, while being fast enough to enable host-level analysis at scale.

To put the results of the first example in context, we note that Soska et al. [24] have shown that traffic and content information can be used to forecast malicious websites, achieving an Area Under the Curve (AUC) between 70% and 80% over a one-year horizon on the PhishTank dataset [25]. The large difference in performance suggests that our feature sets, which are not extracted from website content, are potentially more suitable (compared to content-based techniques) for predicting this type of risk, by capturing the configuration of a host rather than inspecting content.

The software we developed for the deep learning framework, including Host2vec and some of the classifiers we built as applications, has already been publicly released, and we continue to monitor the volume of downloads and requests for more data from the research community. The software is on GitHub (https://en.wikipedia.org/wiki/GitHub): https://github.com/arsarabi/jsonvectorizer and https://github.com/arsarabi/vae. The datasets and code are hosted at https://arsarabi.github.io/permalinks/characterizing-imc18-aux.


5.0 CONCLUSIONS

Over the 12-month period we successfully completed Tasks 1.1 and 3.1 outlined in the proposal and the corresponding SOW. What we accomplished has the potential to bring about a paradigm shift in the design of cyber insurance, as our risk assessment technology provides the crucial tool that can enable credible risk monitoring/audit, mitigate moral hazard, and facilitate judicious policy customization, which in turn allows us to design policies aimed at reducing information asymmetry, improving transparency, and ultimately serving as an effective way of controlling and reducing cyber risks.


6.0 REFERENCES

1. Shetty, N., Schwartz, G., and Walrand, J., Can Competitive Insurers Improve Network Security?, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 308–322.

2. Shetty, N., Schwartz, G., Felegyhazi, M., and Walrand, J., Competitive Cyber-Insurance and Internet Security, Springer US, Boston, MA, 2010, pp. 229–247.

3. Schwartz, G., Shetty, N., and Walrand, J., “Cyber-insurance: Missing market driven by user heterogeneity,” 2010.

4. Schwartz, G. and Sastry, S., “Cyber-insurance framework for large scale interdependent networks,” in Proceedings of the 3rd International Conference on High Confidence Networked Systems (HiCoNS), New York, NY, 2014, pp. 145–154.

5. Ogut, H., Menon, N., and Raghunathan, S., “Cyber insurance and IT security investment: Impact of interdependence risk,” in The Annual Workshop on the Economics of Information Security (WEIS), 2005.

6. Bohme, R., “Cyber-insurance revisited,” in The Annual Workshop on the Economics of Information Security (WEIS), 2005.

7. Yang, Z. and Lui, J. C. S., “Security adoption and influence of cyber-insurance markets in heterogeneous networks,” Performance Evaluation, vol. 74, April 2014, pp. 1–17.

8. Kesan, J., Majuca, R., and Yurcik, W., “The economic case for cyberinsurance,” University of Illinois Legal Working Paper Series, uiuclwps-1001, University of Illinois College of Law.

9. Kesan, J., Majuca, R., and Yurcik, W., “Cyber-insurance as a market-based solution to the problem of cybersecurity,” in The Annual Workshop on the Economics of Information Security (WEIS), 2005.

10. Hofmann, A., “Internalizing externalities of loss prevention through insurance monopoly: an analysis of interdependent risks,” The Geneva Risk and Insurance Review, vol. 32, no. 1, 2007, pp. 91–111.

11. Lelarge, M. and Bolot, J., “Economic incentives to increase security in the internet: The case for insurance,” in IEEE INFOCOM, April 2009, pp. 1494–1502.

12. Naghizadeh, P. and Liu, M., “Voluntary Participation in Cyber-Insurance Markets,” in The Annual Workshop on the Economics of Information Security (WEIS), Pennsylvania State University, PA, June 2014.

13. Naghizadeh, P. and Liu, M., “Budget Balance or Voluntary Participation? Incentivizing Investments in Interdependent Security Games,” in Annual Allerton Conference on Control, Communication, and Computing (Allerton), Allerton, IL, October 2014.

14. Naghizadeh, P. and Liu, M., “Provision of Non-Excludable Public Goods on Networks: From Equilibrium to Centrality Measures,” in Annual Allerton Conference on Control, Communication, and Computing (Allerton), Allerton, IL, September 2015.

15. Miura-Ko, M.-A., Yolken, B., Bambos, N., and Mitchell, J., “Security investment games of interdependent organizations,” in Annual Allerton Conference on Control, Communication, and Computing (Allerton), Sept 2008, pp. 252–260.

16. Johnson, B., Grossklags, J., Christin, N., and Chuang, J., Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 588–606.

17. Johnson, B., Grossklags, J., Christin, N., and Chuang, J., Uncertainty in Interdependent Security Games, Springer Berlin Heidelberg, Berlin, Heidelberg, 2010, pp. 234–244.

18. Lelarge, M., “Coordination in network security games: A monotone comparative statics approach,” IEEE Journal on Selected Areas in Communications, vol. 30, no. 11, 2012, pp. 2210–2219.

19. Liu, Y., Sarabi, A., Zhang, J., Naghizadeh, P., Karir, M., Bailey, M., and Liu, M., “Cloudy with a chance of breach: Forecasting cyber security incidents,” in USENIX Security Symposium, Washington, D.C., August 2015.

20. Sarabi, A., Naghizadeh, P., Liu, Y., and Liu, M., “Prioritizing security spending: A quantitative analysis of risk distributions for different business profiles,” in Annual Workshop on the Economics of Information Security (WEIS), Delft, The Netherlands, June 2015.

21. Khalili, M., Liu, M., and Romanosky, S., “Embracing and Controlling Risk Dependency in Cyber Insurance Policy Underwriting,” The Annual Workshop on the Economics of Information Security (WEIS), Innsbruck, Austria, June 2018.

22. Khalili, M., Liu, M., and Romanosky, S., “Embracing and Controlling Risk Dependency in Cyber-insurance Policy Underwriting,” Journal on Cybersecurity, accepted for publication.

23. Sarabi, A. and Liu, M., “Characterizing the Internet Host Population Using Deep Learning: A Universal and Lightweight Numerical Embedding,” Internet Measurement Conference (IMC), Boston, MA, October 2018.

24. Soska, K. and Christin, N., “Automatically detecting vulnerable websites before they turn malicious,” USENIX Security Symposium, 2014, pp. 625–640.

25. PhishTank, https://www.phishtank.com.


LIST OF SYMBOLS, ABBREVIATIONS, AND ACRONYMS

AUC Area Under the Curve
Host2vec Host-to-Vector
JSON JavaScript Object Notation
SOW Statement of Work
SP Service Provider
VAE Variational Autoencoder