Enterprise IT service downtime cost and risk transfer in a supply chain

In this paper we present an economic model for analyzing enterprise IT service downtime cost, first on a standalone basis and then in a supply chain setting. With a baseline probability model of Poisson arrival frequency with random downtime duration, we analyze optimal production of a firm’s investments in reducing frequency and duration of downtime, and corresponding premiums for insuring against downtime cost. We also present a model for the spillover effect of downtime for interconnected firms in a supply chain, and discuss how third-party insurance coverage can help enterprises to internalize the externalities of spillover effects on the supply chain.
