Models and Measures for Correlation in Cyber-Insurance

High correlation in failure of information systems due to worms and viruses has been cited as a major impediment to cyber-insurance. However, of the many cyber-risk classes that influence failure of information systems, not all exhibit similar correlation properties. In this paper, we introduce a new classification of correlation properties of cyber-risks based on a twin-tier approach. At the first tier is the correlation of cyber-risks within a firm, i.e., correlated failure of multiple systems on its internal network. At the second tier is the correlation in risk at a global level, i.e., correlation across independent firms in an insurer's portfolio. Various classes of cyber-risks exhibit different levels of correlation at the two tiers; for instance, insider attacks exhibit high internal but low global correlation. While internal risk correlation within a firm influences its decision to seek insurance, the global correlation influences the insurer's decision in setting the premium. Citing real data, we study the combined dynamics of the two-step risk arrival process to determine conditions conducive to the existence of a cyber-insurance market. We address technical, managerial and policy choices influencing the correlation at both steps and the business implications thereof.
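As an added illustration, not taken from the paper, the following stylised common-shock model separates the two tiers the abstract describes: internal correlation drives the variance of a single firm's loss (its demand for cover), while global correlation decides whether the insurer's portfolio variance is diversified away as the portfolio grows (its premium loading). The risk classes, parameter values and the willingness-to-pay and premium rules are constructed assumptions, not the paper's model or data.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class RiskClass:
    """A cyber-risk class in a stylised twin-tier common-shock model (constructed)."""
    name: str
    p: float         # marginal failure probability of one system
    rho_int: float   # tier 1: pairwise failure correlation inside a firm
    rho_glob: float  # tier 2: pairwise failure correlation across firms (<= rho_int)


def firm_loss_moments(rc, n):
    """Mean and variance of failed systems in one firm with n systems.
    Exchangeable Bernoulli(p) failures: Var = n p(1-p) [1 + (n-1) rho_int]."""
    v = rc.p * (1 - rc.p)
    return n * rc.p, n * v * (1 + (n - 1) * rc.rho_int)


def portfolio_loss_moments(rc, n, firms):
    """Mean and variance of failed systems over an insurer's portfolio of identical
    firms. Each cross-firm pair of systems has covariance rho_glob p(1-p), so
    Var = firms * Var_firm + firms (firms-1) n^2 rho_glob p(1-p)."""
    mean_f, var_f = firm_loss_moments(rc, n)
    v = rc.p * (1 - rc.p)
    return firms * mean_f, firms * var_f + firms * (firms - 1) * n**2 * rc.rho_glob * v


def market_exists(rc, n, firms, risk_aversion, loading):
    """Stylised market test (an assumption, not the paper's model): a risk-averse
    firm pays up to mean + (a/2) Var of its own loss; the insurer charges each firm
    mean + loading * std(portfolio) / firms. Returns (wtp, premium, exists)."""
    mean_f, var_f = firm_loss_moments(rc, n)
    _, var_p = portfolio_loss_moments(rc, n, firms)
    wtp = mean_f + 0.5 * risk_aversion * var_f
    premium = mean_f + loading * sqrt(var_p) / firms
    return wtp, premium, wtp >= premium


# Constructed risk classes with the same marginal p and internal correlation but
# different global correlation: insider attacks (high internal, ~zero global)
# versus an internet worm (high at both tiers).
INSIDER = RiskClass("insider attack", p=0.05, rho_int=0.6, rho_glob=0.0)
WORM = RiskClass("internet worm", p=0.05, rho_int=0.6, rho_glob=0.4)

if __name__ == "__main__":
    for rc in (INSIDER, WORM):
        for firms in (10, 100, 1000):
            wtp, prem, ok = market_exists(rc, 100, firms, risk_aversion=0.01, loading=1.0)
            print(f"{rc.name:15s} firms={firms:5d} WTP={wtp:6.2f} premium={prem:6.2f} market={ok}")
```

Growing the portfolio makes insider risk insurable (per-firm loading falls as std/firms shrinks), while the worm's per-firm loading converges to n*sqrt(rho_glob p(1-p)) and never drops below the firm's willingness to pay.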
