
Models and Measures for Correlation in Cyber-Insurance

Models and Measures for Correlation in Cyber-Insurance. Gaurav Kataria Carnegie Mellon University gauravk@andrew.cmu.edu. Rainer Böhme Technische Universität Dresden rainer.boehme@tu-dresden.de. DIMACS Workshop on Information Security Economics, Jan 19 2007. Cyber-Insurance in a Nutshell.


Presentation Transcript


  1. Models and Measures for Correlation in Cyber-Insurance Gaurav Kataria Carnegie Mellon University gauravk@andrew.cmu.edu Rainer Böhme Technische Universität Dresden rainer.boehme@tu-dresden.de DIMACS Workshop on Information Security Economics, Jan 19 2007.

  2. Cyber-Insurance in a Nutshell
  • Risk sharing: avoid extreme losses at manageable expense
  • Security metric: premiums differentiate good and bad risks
  • Incentive function: to develop and deploy sound security technology
  • Market for cyber-insurance is immature: losses from cyber incidents are in the range of $200 bn, while the global cyber-insurance market is < $2 bn (Majuca et al., 2006)
  • (Danger of) high correlation of cyber-risks due to homogeneous technology (Geer et al., 2003)

  3. Decision to Offer Insurance
  Cost of offering insurance: C = E(L) + A + i · c, where
  • E(L) is the expected loss amount, L being a random variable
  • A is the sum of all administrative costs, assumed negligible
  • c is the safety capital required to settle all claims if the realization of L turns out to be the ε-worst case (ε is the probability of ruin for the insurer)
  • i is the interest rate to be paid for the safety capital c; the rate should reflect the risk associated with the business in general and the choice of ε in particular
  The shape of the loss distribution function is crucial: two portfolios with the same E(L) can need very different safety capital c.

  4. Decision to Seek Insurance
  [Figure: disutility (y-axis) against the number of nodes simultaneously compromised, from 0 to n (x-axis)]

  5. Decision to Seek Insurance
  Given the degree of risk aversion σ and a measure of initial wealth I_0, we can compute the maximum premium γ a firm is willing to pay.

  6. Classes of Cyber-Risks (ordered by increasing degree of event correlation, the axis of the original figure)
  • Insider attack
  • Hardware failure
  • Configuration vulnerability (user settings)
  • Targeted hacker attack
  • Standard software exploit requiring user interaction
  • Remote standard software exploit
  • Configuration vulnerability (default settings)
  • Viruses and worms
  • Systemic errors (Y2K, break of assumed secure cryptography)

  7. Cyber-Insurance Scenario: Global Risk Correlation (insurer's view)
  • k: firms in portfolio
  • n: risks per firm
  • Decisions are made at firm-level

  8. Cyber-Insurance Scenario: Internal Risk Correlation (insuree's view)
  • n: risks within firm
  • Decisions are made at firm-level

  9. Two-Step Risk Arrival

  10. Modeling Two-Step Risk Arrival
  • Monte-Carlo simulation
  • Computed minimum profitable premium for a given correlation structure
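The cost formula of slide 3 and the Monte-Carlo approach of slides 7–10 can be made concrete with the following script. It is an added example, not the authors' simulation code: the two-step arrival it implements (step 1 draws a global event that raises every node's compromise probability, step 2 draws each node independently given that state) is our assumption standing in for the slide's model; reading c as the (1−ε)-quantile of L minus E(L) is our interpretation of the slide's definition of c; and every parameter value (k, n, probabilities, ε, i) is constructed for illustration.

```python
"""Monte-Carlo estimate of the insurer's cost C = E(L) + A + i*c and of the
minimum profitable premium per firm under a two-step risk arrival model.

Added example, not the authors' simulation. The two-step arrival is an
assumption: step 1 draws a global event (say, a worm outbreak) that hits the
whole portfolio with probability p_event; step 2 draws each node's
compromise independently with probability p_hi if the event occurred and
p_lo otherwise. All parameter values are constructed for illustration.
"""
import random
import statistics


def portfolio_loss(rng, k, n, p_event, p_lo, p_hi, loss_per_node=1.0):
    """One trial: total loss over k firms with n risks (nodes) each."""
    p = p_hi if rng.random() < p_event else p_lo           # step 1: shared state
    compromised = sum(1 for _ in range(k * n) if rng.random() < p)  # step 2
    return compromised * loss_per_node


def insurer_cost(losses, eps, i, A=0.0):
    """C = E(L) + A + i*c for a sample of portfolio losses.

    c is read as the capital needed on top of E(L) to pay all claims in the
    eps-worst case, i.e. the (1-eps)-quantile of L minus E(L) (our reading of
    the slide). A is kept as a parameter although the slide treats it as
    negligible. Returns (C, E(L), c)."""
    ordered = sorted(losses)
    expected = statistics.fmean(ordered)
    worst = ordered[min(len(ordered) - 1, int((1 - eps) * len(ordered)))]
    c = max(0.0, worst - expected)
    return expected + A + i * c, expected, c


def min_premium_per_firm(k, n, p_event, p_lo, p_hi,
                         eps=0.01, i=0.05, trials=4000, seed=7):
    """Minimum premium per firm that covers C, plus the components of C."""
    rng = random.Random(seed)
    losses = [portfolio_loss(rng, k, n, p_event, p_lo, p_hi)
              for _ in range(trials)]
    C, expected, c = insurer_cost(losses, eps, i)
    return {"premium": C / k, "expected_loss": expected, "capital": c}


def correlation_comparison(k=20, n=10, p_event=0.05, p_lo=0.01, p_hi=0.5):
    """Same marginal compromise probability per node, with and without the
    shared event. Correlation leaves E(L) (almost) unchanged but inflates the
    safety capital c, and with it the premium."""
    p_marginal = p_event * p_hi + (1 - p_event) * p_lo
    correlated = min_premium_per_firm(k, n, p_event, p_lo, p_hi)
    independent = min_premium_per_firm(k, n, 0.0, p_marginal, p_marginal)
    return correlated, independent


if __name__ == "__main__":
    corr, ind = correlation_comparison()
    for label, r in (("two-step (correlated)", corr), ("independent", ind)):
        print(f"{label:22s} E(L)={r['expected_loss']:.2f} "
              f"c={r['capital']:.2f} premium/firm={r['premium']:.3f}")
```

Running it shows E(L) nearly equal in the two cases (same marginal probability per node) while c, and therefore the premium per firm, is several times larger under the two-step arrival: that is slide 3's "shape of the loss distribution" point in numbers, and the reason an insurer facing correlated cyber-risk needs a correlation model, not just a loss mean, to price a portfolio.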

  11. Equilibrium Conditions Results of 20,000 simulation trials per parameter setting

  12. How strong is cyber-risk correlation in reality?
  • Standard response: lack of actuarial data on loss amounts
  • Our approach: if correlation of losses is caused by attack correlation, then we can try to estimate correlation from sensor data measuring attack activity

  13. Data Source
  • Honeypots: decoys for hackers and automated attacks; a useful monitoring tool for malicious activity (http://www.honeynet.org)
  • Leurre.com honeynet project (Eurecom, France): 35 sensors emulating 3 TCP/IP stacks each, deployed in 25 countries over five continents (Pouget et al., 2004; Pouget/Dacier/Pham, 2005)
  • Observations: location, port sequence, time (days), hits

  14. Global Attack Activity

  15. Correlation Measure
  • Do attacks coincide at different sensor locations?
  • Fit stochastic models for the global attack pattern
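As an added example of the measurement idea on slides 12–15 (not code from the authors or from the Leurre.com project), the script below aggregates honeypot hit records per sensor and per day and computes the pairwise Pearson correlation of the daily hit series, the simplest quantitative answer to "do attacks coincide at different sensor locations?". The record format (location, port sequence, day, hits) mirrors the observation fields listed on slide 13 but is our assumption, not the Leurre.com schema, and the sample records, including the day-3 burst seen by the two European sensors, are constructed.

```python
"""Estimate cross-sensor attack correlation from honeypot hit records.

Added example; the CSV-like record format is an assumption modelled on the
slide's observation fields (location, port sequence, day, hits), not the
Leurre.com schema. The sample records are constructed.
"""
from collections import defaultdict
from itertools import combinations
import math

# Constructed sample: three sensors, five days, one global burst on day 3
# that sensor-US does not see.
SAMPLE_RECORDS = """\
# location,port_sequence,day,hits
sensor-DE,445,1,12
sensor-DE,445,2,15
sensor-DE,445,3,90
sensor-DE,445,4,11
sensor-DE,135;139;445,5,14
sensor-FR,445,1,8
sensor-FR,445,2,9
sensor-FR,445,3,75
sensor-FR,445,4,10
sensor-FR,135;139;445,5,12
sensor-US,445,1,20
sensor-US,445,2,5
sensor-US,445,3,22
sensor-US,445,4,19
sensor-US,135;139;445,5,6
"""


def parse_records(text):
    """Return {location: {day: hits}}, summing hits over all port sequences
    observed at a sensor on that day."""
    series = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        loc, _ports, day, hits = line.split(",")
        series[loc][int(day)] += int(hits)
    return series


def daily_vectors(series):
    """Align every sensor on a common day axis; a day with no record at a
    sensor counts as 0 hits, so vectors are comparable position by position."""
    days = sorted({d for per_day in series.values() for d in per_day})
    return {loc: [per_day.get(d, 0) for d in days] for loc, per_day in series.items()}


def pearson(x, y):
    """Sample Pearson correlation; 0.0 when either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def pairwise_correlation(vectors):
    """{(sensor_a, sensor_b): r} for every unordered pair of sensors."""
    return {(a, b): pearson(vectors[a], vectors[b])
            for a, b in combinations(sorted(vectors), 2)}


def mean_correlation(vectors):
    """Average pairwise correlation: one number summarising how globally
    correlated the attack activity is across the sensor network."""
    corr = pairwise_correlation(vectors)
    return sum(corr.values()) / len(corr) if corr else 0.0


if __name__ == "__main__":
    vectors = daily_vectors(parse_records(SAMPLE_RECORDS))
    for pair, r in pairwise_correlation(vectors).items():
        print(f"{pair[0]} vs {pair[1]}: r = {r:+.3f}")
    print(f"mean pairwise correlation: {mean_correlation(vectors):.3f}")
```

Pearson correlation on raw daily counts is deliberately the crude first step: a single large burst dominates it (here the day-3 spike drives the DE/FR pair close to 1), so on real sensor data one would follow slide 15's second bullet and fit an explicit stochastic model of arrivals rather than stop at a correlation coefficient.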

  16. Alternative Models of Risk Arrival

  17. Estimation Results

  18. Conclusion
  • Take home message: though our current risk models are suboptimal and not fully empirically validated, it might be a good idea to design future cyber-insurance models with two-step risk arrival

  19. Q & A We gratefully acknowledge support from the owners of Leurre.com at Eurecom, France, for sharing their fabulous honeynet database with us. The second author was supported by grant no. CNS-0433540 from the National Science Foundation.
