On the Assessment of Systematic Risk in Networked Systems

In a networked system, the risk of security compromises depends not only on each node's security but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes we should expect to lose, on average, for a given network topology, after certain types of incidents. Meanwhile, the pricing of insurance contracts for risks related to information technology (better known as cyber-insurance) requires determining additional information, for example, the maximum number of nodes we should expect to lose within a 99.5% confidence interval. Previous modeling research in network security has not addressed these types of questions, while research on cyber-insurance pricing for networked systems has not taken into account the network's topology. Our goal is to bridge that gap by providing a mathematical basis for the assessment of systematic risk in networked systems. We define a loss-number distribution to be a probability distribution on the total number of compromised nodes within a network following the occurrence of a given incident, and we provide a number of modeling results that aim to be useful for cyber-insurers in this context. We prove NP-hardness for the general case of computing the loss-number distribution for an arbitrary network topology, but we obtain simplified computable formulas for the special cases of star topologies, ER-random topologies, and uniform topologies. We also provide a simulation algorithm that approximates the loss-number distribution for an arbitrary network topology and that appears to converge efficiently for many common classes of topologies. Scale-free network topologies have a degree distribution that follows a power law and are commonly found in real-world networks. We provide an example of a scale-free network in which a cyber-insurance pricing mechanism that relies naively on incident reporting data will fail to accurately predict the true risk level of the entire system. We offer an alternative mechanism that yields an accurate forecast by taking into account the network topology, thus highlighting both the lack of topological data in security incident reporting and its importance. Our results constitute important steps toward the understanding of systematic risk and contribute to the emergence of a viable cyber-insurance market.
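To make the loss-number distribution concrete, the following added example (not the paper's own algorithm) approximates it by Monte Carlo simulation for a star topology and an ER-random topology. The propagation model is an assumption: every node is compromised directly with probability `p_init`, and each compromised node then passes the compromise to each clean neighbour once with probability `p_spread` (an independent cascade); the function and parameter names are likewise ours.

```python
import random
from collections import Counter

def star_topology(n_leaves):
    """Star: node 0 is the hub, nodes 1..n_leaves are the leaves."""
    adj = {leaf: {0} for leaf in range(1, n_leaves + 1)}
    adj[0] = set(range(1, n_leaves + 1))
    return adj

def er_topology(n, edge_prob, seed=0):
    """Erdos-Renyi G(n, edge_prob): each possible edge is present independently."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < edge_prob:
                adj[u].add(v)
                adj[v].add(u)
    return adj

def cascade_loss(adj, p_init, p_spread, rng):
    """One incident under an ASSUMED independent-cascade model: each node is hit directly
    w.p. p_init; each compromised node then infects each clean neighbour once w.p. p_spread."""
    lost = {v for v in adj if rng.random() < p_init}
    frontier = list(lost)
    while frontier:
        u = frontier.pop()
        for v in adj[u]:
            if v not in lost and rng.random() < p_spread:
                lost.add(v)
                frontier.append(v)
    return len(lost)

def loss_number_distribution(adj, p_init, p_spread, trials=20000, seed=1):
    """Empirical loss-number distribution: {k: P(exactly k nodes compromised)}."""
    rng = random.Random(seed)
    counts = Counter(cascade_loss(adj, p_init, p_spread, rng) for _ in range(trials))
    return {k: c / trials for k, c in sorted(counts.items())}

def expected_loss(dist):
    return sum(k * p for k, p in dist.items())

def loss_quantile(dist, level):
    """Smallest k with P(loss <= k) >= level; level=0.995 is the insurer's tail figure."""
    cum = 0.0
    for k, p in sorted(dist.items()):
        cum += p
        if cum >= level - 1e-12:
            return k
    return max(dist)  # only reached if level > 1
```

Comparing `star_topology(49)` with `er_topology(50, 0.04)` (50 nodes and about 49 edges in both) at the same `p_init` and `p_spread` shows how the mean loss and the 99.5% loss quantile diverge between topologies of the same size.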
