A Bi-Level Game Approach to Attack-Aware Cyber Insurance of Computer Networks

Cyber insurance is a valuable approach to mitigate further the cyber risk and its loss in addition to the deployment of technological cyber defense solutions, such as intrusion detection systems and firewalls. An effective cyber insurance policy can reduce the number of successful cyber attacks by incentivizing the adoption of preventative measures and the implementation of best practices of the users. To study cyber insurance in a holistic manner, we first establish a bi-level game-theoretic model that nests a zero-sum game in a moral-hazard type of principal-agent game to capture complex interactions between a user, an attacker, and the insurer. The game framework provides an integrative view of the cyber insurance and enables a systematic design of incentive compatible and attack-aware insurance policy. The framework is further extended to study a network of users and their risk interdependencies. We completely characterize the equilibrium solutions of the bi-level game. Our analytical results provide a fundamental limit on insurability, predict the Peltzman effect, and reveal the principles of zero operating profit and the linear insurance policy of the insurer. We provide analytical results and numerical experiments to corroborate the analytical results and demonstrate the network effects as a result of the strategic interactions among the three types of players.

[1]  Claude E. Shannon,et al.  Communication theory of secrecy systems , 1949, Bell Syst. Tech. J..

[2]  Sam Peltzman,et al.  The effects of automobile safety regulation: Reply , 1976 .

[3]  R. Plemmons M-matrix characterizations.I—nonsingular M-matrices , 1977 .

[4]  S. Shavell On Moral Hazard and Insurance , 1979 .

[5]  Bengt Holmstrom,et al.  Moral Hazard and Observability , 1979 .

[6]  Bengt Holmstrom,et al.  Moral Hazard in Teams , 1982 .

[7]  Sid Browne,et al.  Optimal Investment Policies for a Firm With a Random Risk Process: Exponential Utility and Minimizing the Probability of Ruin , 1995, Math. Oper. Res..

[8]  Bill Cheswick,et al.  Firewalls and internet security - repelling the wily hacker , 2003, Addison-Wesley professional computing series.

[9]  A. Singh Exponential Distribution: Theory, Methods and Applications , 1996 .

[10]  Frank Kelly,et al.  Rate control for communication networks: shadow prices, proportional fairness and stability , 1998, J. Oper. Res. Soc..

[11]  Carl D. Meyer,et al.  Matrix Analysis and Applied Linear Algebra , 2000 .

[12]  Stefan Axelsson,et al.  Intrusion Detection Systems: A Survey and Taxonomy , 2002 .

[13]  Peter Christoffersen,et al.  Série Scientifique Scientific Series 2003 s-05 Backtesting Value-at-Risk : A Duration-Based Approach , 2003 .

[14]  Brian W. Cashell The Economic Impact of Cyber-Attacks , 2004 .

[15]  J. Crowcroft,et al.  Honeycomb: creating intrusion detection signatures using honeypots , 2004, Comput. Commun. Rev..

[16]  Sihan Qing,et al.  A survey and trends on Internet worms , 2005, Comput. Secur..

[17]  Jaideep Srivastava,et al.  Managing Cyber Threats: Issues, Approaches, and Challenges (Massive Computing) , 2005 .

[18]  William Yurcik,et al.  Cyber-insurance As A Market-Based Solution To The Problem Of Cybersecurity , 2005, WEIS.

[19]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[20]  Eitan Altman,et al.  A Jamming Game in Wireless Networks with Transmission Cost , 2007, NET-COOP.

[21]  Ravi S. Behara,et al.  An economic analysis of the optimal information security investment in the case of a risk-averse firm , 2008 .

[22]  Maxim Finkelstein Failure Rate Modelling for Reliability and Risk , 2008 .

[23]  Nicholas Bambos,et al.  Security Decision-Making among Interdependent Organizations , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[24]  Marc Lelarge,et al.  A local mean field analysis of security investments in networks , 2008, NetEcon '08.

[25]  R. Poovendran,et al.  Modeling node capture attacks in wireless sensor networks , 2008, 2008 46th Annual Allerton Conference on Communication, Control, and Computing.

[26]  Marc Lelarge,et al.  Cyber Insurance as an Incentivefor Internet Security , 2009, Managing Information Risk and the Economics of Security.

[27]  Leda D. Minkova Insurance Risk Theory , 2010 .

[28]  Sushil Jajodia,et al.  Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats , 2011, Moving Target Defense.

[29]  Quanyan Zhu,et al.  Management of Control System Information SecurityI: Control System Patch Management , 2011 .

[30]  Colin Tankard,et al.  Advanced Persistent threats and how to monitor and deter them , 2011, Netw. Secur..

[31]  Quanyan Zhu,et al.  GUIDEX: A Game-Theoretic Incentive-Based Mechanism for Intrusion Detection Networks , 2012, IEEE Journal on Selected Areas in Communications.

[32]  R. H. Jhaveri,et al.  DoS Attacks in Mobile Ad Hoc Networks: A Survey , 2012, 2012 Second International Conference on Advanced Computing & Communication Technologies.

[33]  Quanyan Zhu,et al.  Game-theoretic analysis of node capture and cloning attack with multiple attackers in wireless sensor networks , 2012, 2012 IEEE 51st IEEE Conference on Decision and Control (CDC).

[34]  Ehab Al-Shaer,et al.  Efficient Random Route Mutation considering flow and network constraints , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[35]  Quanyan Zhu,et al.  Game-Theoretic Approach to Feedback-Driven Multi-stage Moving Target Defense , 2013, GameSec.

[36]  Quanyan Zhu,et al.  Game theory meets network security and privacy , 2013, CSUR.

[37]  Konstantinos Psounis,et al.  Will cyber-insurance improve network security? A market analysis , 2014, IEEE INFOCOM 2014 - IEEE Conference on Computer Communications.

[38]  Jamal Raiyn,et al.  A survey of Cyber Attack Detection Strategies , 2014 .

[39]  Quanyan Zhu,et al.  Attack-Aware Cyber Insurance for Risk Sharing in Computer Networks , 2015, GameSec.

[40]  Rui Zhang,et al.  Secure and resilient distributed machine learning under adversarial environments , 2015, 2015 18th International Conference on Information Fusion (Fusion).

[41]  Quanyan Zhu,et al.  Game-Theoretic Methods for Robustness, Security, and Resilience of Cyberphysical Control Systems: Games-in-Games Principle for Optimal Cross-Layer Resilient Control Systems , 2015, IEEE Control Systems.

[42]  Asuman E. Ozdaglar,et al.  Network Security and Contagion , 2013, PERV.