Presentation is loading. Please wait.

Presentation is loading. Please wait.

Interdependent Risk Networks and Role of Cyber Insurance

Published byCecily Daniel Modified over 6 years ago

Similar presentations

Presentation on theme: "Interdependent Risk Networks and Role of Cyber Insurance"— Presentation transcript:

1 Interdependent Risk Networks and Role of Cyber Insurance
Chandra Bhatt, Himani Gulati, Sanaz Hosseinzadeh, Panati Sree Sai Lekha, Aman Sharma, Richard Whitehouse

2 Overview Cyber Attacks and Security Mechanisms Role of Cyber Insurance
Our Proposal Richard

3 Cyber insurance helps hedge against residual risks
Introduction Cyber insurance helps hedge against residual risks  Because internet and computer-based systems today communicate more and more with one another, mostly as anonymous partners, they are increasingly vulnerable to attack Security mechanisms such as antivirus software and firewalls can mitigate attacks However, these tools do not fully mitigate losses Network value increases as the number of users increases Actors’ level of risk of becoming a victim of a cyber attack is interdependent Richard

4 Breakdown of the Problem
Some parties invest in protection against cyber attacks at the cost of time or money This action reduces their risk Public benefit: other parties in the network experience reduced risk These actions represent the creation of a positive externality Richard Nash Equilibrium: The point where parties acting in self-interest make no addition gains from deviating in their strategy

5 The Model The general model has three classes of a Interdependent Security (IDS) problem. Cyber attack risk is a first- or second-class IDS problem In a first-class problem, risk cannot be completely eliminated via investment in security Indirect Residual risk remains due to the behavior of others In a second-class problem, risk can be completely eliminated via an in investment in security No risk remains due to the behavior of other actors In third-class of IDS problem, positive interdependencies arise Himani to

6 A Scenario Economic ecosystem: many organizations use the internet, and, therefore exposed to cyber risk In this scenario, all organizations benefit from using the internet (utility u) This is reduced to u < u in the case of a cyber attack Assume that there is some technology that can eliminate the risk of an attack Each firm must decide whether to invest in such a technology

7 Once a firm is infected by malicious software, other organizations may also be impacted because they may get the virus via their connectivity with that organization Let the probability of a cyber attack be q(x), where x denotes the proportion of organizations without protection in the internet community x satisfies 0 ≤ x ≤ 1 Community security: more actors without protection, the greater the risk for all If no firm invests in protection, then the maximum risk of an attack in the community will generally be smaller than one. However, the risk of cyber attack is reduced to zero if every firm invests in protection

8 Interpretation If no investment in protection:
Risk of attach is high Protective measures reduce expected cost due to losses Cost of investment is minimal comparatively If all invest in protection: Risk of attack is zero, Investment in protection is costly Himani

9 Policy Implications Fundamentally, the cost of cyber risks is too great for a single firm Regulation Risk of mandating protection Firms could bear too high of a cost Subsidies Intervene to assist firms manage outsized risks Government reinsurance Current environment Richard

10 Role of Cyber Insurance

11 Risk Management and Cyber Insurance
Evaluate threats and vulnerabilities associated with information systems Understand the risk: probability of the threat and its magnitude Threat management strategies: Accept Avoid Mitigate Transfer No amount of technology will ever completely eradicate risk Solution: Feasibly secure data and infrastructure and invest in cyber insurance to cover the unexpected and intangible items that cannot be insured Himani

12 What is Cyber Insurance?
Cyber insurance transfers the risk associated with the loss of data to a insurance provider in exchange for a premium Cyber insurance covers a number of areas that are often not available in traditional business policies and insurance Traditional policies do not cover: Denial-of-service attacks Damage caused by hackers Malicious insiders Worms and viruses Electronic theft of confidential information Cyber insurance covers losses from these breaches as well as Intellectual property and content infringement cases and electronic errors and omissions Himani

13 Cyber Insurance Challenges
While there are benefits to cyber insurance, insurers face the following challenges when issuing cyber insurance policies: Underwriting: The process by which insurers evaluate a firm’s risk Pricing: The premium set for an insurance policy after underwriting Adverse selection: Those with higher risks tend to buy insurance Moral Hazard: No incentive to act in a manner that mitigates risk For example, a firm adopts lax security standards after purchasing cyber insurance Correlation: Interrelated cyber risks Example: Entire industry relies on the same software that has a zero-day vulnerability [R.] Cyber Insurance: A Risk Management Tool? By Alison Hedrick Richard

14 Proposed Solution

15 We propose an application model that will use an incremental database to detect possible cyber threats on any software network/framework This application model generates a matrix which provides a quantitative measure of vulnerabilities of cyberattacks on the clients’ systems

16 Incremental Database Incremental refers to the database which has the ability to grow with time We propose seeding using a database similar to the Global Risk Database, a proprietary database provided through the SAS Institute’s SAS OpRisk Var product Schema for our database is created by assuming threats to be chunks of code. Hence the schema should have  Name of the threat, The vulnerable components, Severity of the threat,  and the actual code chunk  

17 Database Efficiency Yes, our Database is efficient because
We are going to store data in normalized form to improve data retrieval process efficiency. Since it is incremental, it keeps track of the changes done in the files and runs an update for only those files, hence effective. No loss, full backups of the database will be scheduled at regular intervals.

18 Application Model The application model uses any recursive methodology and simulates each cyber threat from the database one by one on a network or system to gauge how prepared a client may be, and where weaknesses reside It rates the threat to prioritize and address the most significant threat first. These threats present the biggest risk The rating process weighs the probability of the threat against the damage that could result should an attack occur

19 Performance No exploitation of clients’ data - It aims to detect system wide threats and hence eliminates the need for the insurance company to know internal functionality of the system 0% chances of data leak - application would use dummy data for determining vulnerabilities instead of real time data Flexible - The main components of our application model of database, framework and output, are loosely coupled and hence future change adaptable Scalable – Application model is independent of total input or output. Its performance will not be impacted if load increases Cost - Initial installation cost can be a bit high for this application model but it will not add any huge amount to the insurance companies since they already involve third parties to do the testing on their behalf

20 Cyber Threat Matrix Encapsulate behavioral characteristics of a complex client system to cyber threats Characterize the type of threat based on its overall nature against the host system  Divided into levels of magnitude, with each level signifying susceptibility of a client's system to a cyber threat

21 Importance of the Matrix
This threat matrix will serve as a model for insurance provider to help in pricing of insurance policies This will show exactly what are the risks or vulnerabilities in system, and also  their percentage of susceptibility This will help companies seeking insurance to decide what are the risks that company should get coverage for and hence avoid investing for the threats with a low susceptibility percentage

22 Future Enhancements and Business Implications
As the chances of successful cyber-attack on the client increases, the chances of insurance company paying a large claim also increases. Consequently, too high of a risk percentage would translate to the insurance company not wanting to cover for it at any level of premium.  Hence client would need to make the decision to move to some other insurance company which would provide coverage despite the high risk However, should this solution be widely adopted, changing insurance providers would have no material impact on the issuance of the policy Overall, represents an improvement over current underwriting practices More optimal pricing of premiums Collection of data: Cannot prevent correlation but can model it

Download ppt "Interdependent Risk Networks and Role of Cyber Insurance"

Similar presentations

1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.

1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.
Economic Incentives to Increase Security in the Internet: the Case for Insurance Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) IEEE INFOCOM, Rio 2009.

Economic Incentives to Increase Security in the Internet: the Case for Insurance Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) IEEE INFOCOM, Rio 2009.
Geoffrey Heal Graduate School of Business Columbia University Howard Kunreuther Center for Risk Management.

Geoffrey Heal Graduate School of Business Columbia University Howard Kunreuther Center for Risk Management.
Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.

Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.
Introduction to Derivatives and Risk Management Corporate Finance Dr. A. DeMaskey.

Introduction to Derivatives and Risk Management Corporate Finance Dr. A. DeMaskey.
Introducing Computer and Network Security

Introducing Computer and Network Security
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
1 Estimating the Cost and Benefits of Software Assurance Investments Thomas P. Frazier November 9, 2006.

1 Estimating the Cost and Benefits of Software Assurance Investments Thomas P. Frazier November 9, 2006.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
BACKGROUND  Hawkes Bay Holdings/Aquila Underwriting LLP  Established 2009 utilising Lloyd’s capacity: Canopius 4444 50% Hiscox 33 50% to May 2010, replaced.

BACKGROUND  Hawkes Bay Holdings/Aquila Underwriting LLP  Established 2009 utilising Lloyd’s capacity: Canopius % Hiscox 33 50% to May 2010, replaced.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
Chapter 11: Project Risk Management

Chapter 11: Project Risk Management
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.

1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.
Information Security Rabie A. Ramadan GUC, Cairo Room C7 -310 Lecture 2.

Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
David N. Wozei Systems Administrator, IT Auditor.

David N. Wozei Systems Administrator, IT Auditor.

Similar presentations

Ads by Google