University of the Aegean, Greece Modelling and Economics of IT Risk Management and Insurance Stefanos Gritzalis Costas Lambrinoudakis Dept. of Information.


University of the Aegean, Greece
Modelling and Economics of IT Risk Management and Insurance
Stefanos Gritzalis, Costas Lambrinoudakis
Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece {sgritz,
Thanassis Yannacopoulos
Dept. of Statistics & Actuarial-Financial Mathematics, University of the Aegean, Greece

Introduction
- Information systems security has become a top priority issue for most organisations worldwide.
- They have started to invest in Security Enhancing Technologies, but:
  - How much should they invest?
  - Can they evaluate the effectiveness of the security measures they invest in?
  - Are they aware of the residual risk?
  - Are they aware of the consequences they will face in the event of a security incident?

Risk Analysis and Management
(Diagram: Asset, Threat, Vulnerability, Impact -> Measure -> Calculate Risk -> Select Countermeasures)

We need better solutions
- An option could be to transfer specific risks to an insurance company, in order to:
  - avoid implementing too expensive technical countermeasures, and
  - cover the financial losses that the organisation may experience in case of a security incident
- Clearly, such an approach will not replace technical security measures, but it will act as a complement to them

Issues that must be addressed
- From the organisation's point of view
  - How much money should be invested in technical security measures?
  - What financial loss will the organisation experience as a result of a security incident due to the residual risk?
- From the insurance company's point of view
  - How secure (well protected against potential risks) is the information system?
  - What financial loss will the organisation experience as a result of every possible security incident?
  - What should the structure of the contract be (i.e. premium, compensation)?

Modelling the System (1/3)
- Use of a probabilistic structure, in the form of a Markov model, that provides detailed information about all possible transitions of the system state in the course of time.
- We are dealing with transitions from the fully operational system state to some other non-fully operational state that may result from a security incident.

Modelling the System (2/3)
- Assumption 1: The transitions allowed are from the fully operational state to some other non-fully operational state.
- Assumption 2: Non-operational states are considered absorbing states.

Modelling the System (3/3)
- The Markov model allows us to:
  - find the probability of the system being in the different states, and
  - thus find the probability of the different financial losses (L)
- This approach is useful in cases where:
  - the transition rates are accurate
  - the loss (impact) figures are accurate (objective)

Using the Model: An Overview
- OBJECTIVE 1: Calculating the optimal security investment
  - $\max_{I} \; \mathbb{E}\left[ U(W - L(I) - I) \right]$
  - where I is the maximum amount available for security measures, W is the initial wealth of the company and L is the expected loss, which of course depends on the amount I
- OBJECTIVE 2: Designing the optimal insurance contract
  - $U(W - \pi) = \mathbb{E}\left[ U(W - L + C - \pi) \right]$
  - where W is the initial wealth of the company, π is the premium the company has to pay to the insurer, L is the expected loss and C is the compensation the insurer will pay in case of a security incident
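To make the two modelling assumptions concrete (one transient operational state, incident states absorbing) and to carry Objective 2 through to a number, here is an added Python example; it is not code from the slides or from the authors. The rates, losses, wealth and the CRRA utility U are constructed inputs, and the premium is obtained from the standard indifference condition E[U(W - L + C - π)] = E[U(W - L)], taken here as the operational reading of the contract condition above.

```python
import math

# Constructed example (not from the slides): the fully operational state 0 can only
# jump to absorbing incident states 1..n (Assumptions 1 and 2), at constant rates
# RATES[i] per year, each incident state carrying a fixed loss LOSSES[i] (EUR).
RATES = [0.10, 0.05, 0.02]                     # e.g. malware, data breach, outage
LOSSES = [20_000.0, 120_000.0, 60_000.0]       # loss attached to each incident state

def state_probabilities(rates, horizon):
    """P(state at time t) for one transient state with absorbing exits, R = sum r_i:
    P(operational) = exp(-R t),  P(absorbed in i) = (r_i / R) (1 - exp(-R t))."""
    total = sum(rates)
    p_ok = math.exp(-total * horizon)
    return [p_ok] + [r / total * (1.0 - p_ok) for r in rates]

def loss_distribution(rates, losses, horizon):
    """Turn the state probabilities into (loss, probability) pairs for L."""
    probs = state_probabilities(rates, horizon)
    return [(0.0, probs[0])] + list(zip(losses, probs[1:]))

def expected_loss(dist):
    return sum(loss * p for loss, p in dist)

def utility(w, gamma=2.0):
    """CRRA utility; the slides fix no U, so this risk-averse form is an assumption."""
    return math.log(w) if gamma == 1.0 else w ** (1.0 - gamma) / (1.0 - gamma)

def max_premium(dist, wealth, coverage, gamma=2.0, tol=1e-4):
    """Largest premium pi the firm accepts for the contract `coverage` (a function:
    realised loss -> compensation C), i.e. the root of the indifference condition
    E[U(W - L + C - pi)] = E[U(W - L)]; the insured side falls with pi (bisection)."""
    uninsured = sum(p * utility(wealth - loss, gamma) for loss, p in dist)
    def insured(pi):
        return sum(p * utility(wealth - loss + coverage(loss) - pi, gamma)
                   for loss, p in dist)
    lo, hi = 0.0, max(loss for loss, _ in dist)   # pi never exceeds the worst loss
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if insured(mid) >= uninsured:
            lo = mid                                # still worth buying at this price
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    dist = loss_distribution(RATES, LOSSES, horizon=1.0)
    print("expected loss over one year:", round(expected_loss(dist), 2))
    full = max_premium(dist, 500_000.0, coverage=lambda loss: loss)
    ded = max_premium(dist, 500_000.0, coverage=lambda loss: max(loss - 10_000.0, 0.0))
    print("max premium, full cover:", round(full, 2), " with 10k deductible:", round(ded, 2))
```

For a risk-averse firm the full-cover premium comes out above the expected loss (the gap is the risk premium the insurer can charge), and a deductible lowers the premium the firm will accept.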

OBJECTIVE 1: Calculating the Optimal Security Investment (1/3)
- How much should a company invest in security?
- Given a security budget, how should it be allocated among the different risks so as to minimize the expected loss of the company?

An Illustrative Example (2/3)
- Assume two threats that are equally likely to occur and equally harmful
- Assume that we invest z_i in security measures that address threat i, i = 1, 2
- It can be noticed that the optimal choice is z_1 = z_2
(Plot over the z_1, z_2 plane; axes labelled z_1 and z_2)

An Illustrative Example (3/3)
- Assume two threats that are equally harmful
- Assume that the first threat is more likely to occur
- Assume that we invest z_i in security measures that address threat i, i = 1, 2
- It can be noticed that the optimal budget allocates more expenditure towards facing the first threat
(Plot over the z_1, z_2 plane; axes labelled z_1 and z_2)
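An added example (not the authors' code) for the allocation question of Objective 1 and the two illustrative cases above, in Python. The loss function p_i H_i exp(-a z_i), the effectiveness constant a and the threat figures are assumptions, since the slides give no functional form; the grid search reproduces z_1 = z_2 for equal threats and z_1 > z_2 when threat 1 is more likely, and a risk-neutral reading of the objective also picks the total budget I.

```python
import math

# Constructed example, not from the slides: two threats with probabilities PROBS[i]
# of occurring and harms HARMS[i] if they do; z_i is the spend on the measures that
# address threat i.  Assumed loss per threat: p_i * H_i * exp(-A z_i), i.e. convex,
# decreasing in the spend, with diminishing returns.
A = 1e-4   # assumed effectiveness of one euro of security spend

def expected_loss(z, probs, harms, a=A):
    return sum(p * h * math.exp(-a * zi) for zi, p, h in zip(z, probs, harms))

def optimal_allocation(budget, probs, harms, a=A, steps=1000):
    """Split a fixed budget as (z1, z2) minimising the expected loss
    (the allocation question of Objective 1) by a 1-D grid search."""
    best = None
    for k in range(steps + 1):
        z = (budget * k / steps, budget - budget * k / steps)
        loss = expected_loss(z, probs, harms, a)
        if best is None or loss < best[1]:
            best = (z, loss)
    return best

def predicted_gap(probs, harms, a=A):
    """Lagrange condition at an interior optimum: p_i H_i a exp(-a z_i) is equal
    for both threats, hence z1 - z2 = ln(p1 H1 / (p2 H2)) / a."""
    return math.log(probs[0] * harms[0] / (probs[1] * harms[1])) / a

def optimal_total_investment(probs, harms, a=A, max_budget=100_000.0, steps=200):
    """Risk-neutral reading of max_I E[U(W - L(I) - I)]: choose the budget I that
    minimises L(I) + I, where L(I) is the loss after allocating I optimally."""
    best = None
    for k in range(steps + 1):
        budget = max_budget * k / steps
        _, loss = optimal_allocation(budget, probs, harms, a, steps=200)
        if best is None or loss + budget < best[1]:
            best = (budget, loss + budget)
    return best

if __name__ == "__main__":
    harms = (100_000.0, 100_000.0)                      # equally harmful threats
    z, loss = optimal_allocation(20_000.0, (0.2, 0.2), harms)
    print("equal likelihood    :", z, round(loss, 2))   # z1 == z2
    z, loss = optimal_allocation(20_000.0, (0.3, 0.1), harms)
    print("threat 1 more likely:", z, round(loss, 2),
          "predicted z1 - z2 =", round(predicted_gap((0.3, 0.1), harms), 1))
    print("optimal total spend, equal case:", optimal_total_investment((0.2, 0.2), harms))
```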

OBJECTIVE 2: Design the Optimal Insurance Contract (1/7)
- Following the investment of an amount of money in security measures, the company still needs to deal with the residual risk.
- An option could be to divert the risk to an alternative market: an insurance company
- The model presented may support us in designing and pricing insurance contracts

A Case Study (2/7)
- Suppose a firm A subcontracts specific IT tasks to a firm B
- Unfortunately, A cannot be aware of B's intentions (e.g. B may disclose data in an unauthorized way, for profit)
- Can A and B enter into an insurance contract through an insurer I so that all three parties are better off with the contract than without?

A Case Study (3/7)
- ν: probability that B plays fair
- d: probability that the fraud passes undiscovered
- p1: given that B plays fair, probability of no security incident at all
- p2: given that B plays fair, probability of a security incident due to unforeseen circumstances or due to negligence of A

A Case Study (4/7)

Premium for A (5/7)
- Premium maximum value (1) when d = 1 and ν = 0 (B acts maliciously and the fraud will not be discovered)
- Premium minimum value when ν = 1 and d = 0 (B is reliable and, in case it commits a fraud, it will be discovered)

Premium for B (6/7)
- The introduction of the fine (F) lowers the premium for B considerably.
- The fine plays the role of compensation to the insurer in case of deliberate fraudulent behaviour and as such reduces the risk of the insurer

Optimal coverage for A and utility difference (7/7)

Future Directions
We are currently thinking of ways to cope with:
- Non-absorbing states
- Approximate transition rates
- Subjective figures for the loss (an indicative example is privacy violation)
- More complex models that take the full history of transitions into account when calculating the probability of the system moving to a different state
- Use of real data for model calibration

Thank you for your attention.