should cyber insurance providers invest in software
play

Should Cyber-Insurance Providers Invest in Software Security? Aron - PowerPoint PPT Presentation

Jun 17, 2023 •220 likes •448 views

Should Cyber-Insurance Providers Invest in Software Security? Aron Laszka 1 and Jens Grossklags 2 1 University of California, Berkeley 2 Pennsylvania State University Software Vulnerabilities Most software products suffer from vulnerabilities

  1. Should Cyber-Insurance Providers Invest in Software Security? Aron Laszka 1 and Jens Grossklags 2 1 University of California, Berkeley 2 Pennsylvania State University

  2. Software Vulnerabilities • Most software products suffer from vulnerabilities • Developers have little incentive to invest more into security • developers are usually not held liable for incidents • investing into security increases costs and may impact time-to- market or create backwards compatibility issues • customers rarely reward security immediately • However, vulnerabilities in widely used software pose a severe risk

  3. What can users do? • Major technology companies may invest into key software products • e.g., Google and Samsung vulnerability reward programs • cover only a small set of products, which are critical for their own operations • cannot fully address the security risks related to the diverse landscape of widely used software products • What about companies lacking the resources and/or expertise to effectively invest into security?

  4. 
 Cyber-Insurance • A company may buy cyber-insurance to transfer its risk to an insurance provider • i.e., trading variable losses for a fixed premium • Supply side of cyber-insurance: insurance provider • receives fixed premiums in exchange for variable claims • amount of claims to be paid is variable → provider’s risk • How can an insurance provider account for this risk? 
 Diversification: if the provider’s portfolio is large enough, then the amount of claims to be paid is almost always close to its expected value

  5. Insurance Claim Distributions Independent incidents Cyber incidents Small portfolio Small portfolio 0.3 0.3 0.225 0.225 Probability Probability 0.15 0.15 0.075 0.075 0 0 0 1 2 3 4 5 6 7 8 9 10 0 1 2 3 4 5 6 7 8 9 10 Number of incidents Number of incidents non-diversifiable Large portfolio Large portfolio risk caused by 0.06 0.05 software vulnerabilities 0.045 0.038 Probability Probability 0.03 0.025 0.015 0.013 0 0 0 50 100 150 200 250 0 50 100 150 200 250 Number of incidents Number of incidents

  6. 
 
 Diversifiable and Non-Diversifiable Risks Diversifiable risk Non-diversifiable risk caused by individual caused (in part) by • • vulnerabilities (e.g., vulnerabilities in widely used misconfiguration) software products diminishes as the size of the does not diminish with the • • portfolio increases 
 size of the portfolio 
 both provide an incentive for companies to purchase insurance • results in predictable can cause significant • • insurance claims fluctuations in the arrival of insurance claims

  7. Possible Approaches for Insurance Providers • Incentivizing customers to invest in security • for example, by o ff ering premium reductions for investing in security • currently dominant practice • typical security investments, such as purchasing security products and hiring auditors, decrease diversifiable risks without decreasing non- diversifiable risks • Investing in software security • for example, by financing vulnerability reward programs for popular software products used by their customers • decreases non-diversifiable risks Can investing in software security be a viable approach?

  8. Model • Cyber-insurance model incorporating software vulnerabilities and security investments • Elements: • monopolist insurance provider • companies that purchase insurance from the provider • software products that are used by the companies insurance 
 premiums Insurance Software Companies provider products security 
 risks investments claim returns

  9. Model: Vulnerabilities and Risks • Software products • Vi : vulnerability level of software i • di : insurance provider’s security investment in software i • BVi : base vulnerability • γ i : e ffi ciency of investment • Companies • Rj : incident probability for company j • IRj : individual risk of company j • S j : set of software used by company j

  10. Model: Demand-Side of Insurance • Companies are risk-averse • utility for a given amount of wealth w is given by a Constant Relative Risk Aversion (CRRA) utility function: • Baseline utility (without insurance) of company j : • Wj : initial wealth • Lj : loss in case of an incident from these, we can • Insured utility of company j : compute the insurance premiums for a monopolist provider • pj : premium paid by company j

  11. Model: Supply-Side of Insurance • Insurance provider’s income: 
 X p j j • Probability of ruin: • probability that the total amount of losses TL (i.e., total amount of claims to be paid) exceeds the provider’s safety capital S • we assume that the maximal probability of ruin ε is exogenous • Insurance provider’s expenditure: 
 X = E[ TL ] + d i + A + I · S , i • E[ TL ] : expected total amount of losses • di : security investments • A : administrative costs • I : interest rate • S : minimal safety capital to keep the probability of ruin below ε

  12. Analysis • Computational complexity of our model • hidden complexity from computing the claim distributions • Provider strategies for investing in security • Numerical results for evaluating our model and investment strategies

  13. Computational Complexity Theorem 1. Given a safety capital S and a threshold probability of ruin ε , determining whether the probability of the total amount of losses TL exceeding S + E[ TL ] is greater than or equal to ε is NP-hard. • consequently, it is hard to determine the minimal safety capital and, thus, compute the insurer’s profit for a given set of investment values Theorem 2. Let TL 1, TL 2, ..., TLK be K independent random variables having the same distribution as TL , and let be the (1 − ε ) K -th smallest of these random variables. Then, • in other words, we can approximate the minimal safety capital using random sampling

  14. Finding Optimal Security Investments Investment strategy : given aggregate investment amount , 
 • divide this amount among the software products Uniform strategy : divide evenly among the software products • Most-used strategy : invest into the software product used by • the most companies Proportional strategy : invest into each software product • proportionally to the number of companies using it Greedy strategy : distribute amount in multiple steps, in each • step investing into a software product so that the increase in profit is maximal

  15. Numerical Results • We instantiated our model with exemplary values to illustrate the relative effect of the investment strategies • We generated 15 software products with • base vulnerability BVi randomly drawn from [0.09, 0.11] • investment e ffi ciency γ i randomly drawn from [0.9, 1.1] • We generated 1500 companies with • individual risk IRj randomly drawn from [0.4, 0.6] • base wealth Wj randomly drawn from [10, 20] • potential loss Lj randomly drawn from [0.25 Wj , 0.75 Wj ] • For each company, we choose 3 software products using popularity- based preferential-attachment

  16. Insurance Claim Distribution without Investments • blue line : expected value • red line : 99.9% quantile

  17. Claim Distribution with Uniform Investments 0 . 15 Probability 0 . 1 0 . 05 0 0 . 5 1 Total losses TL · 10 4 • di = 7.5 for every software i

  18. Investment Strategies: Uniform and Most-Used Uniform Most-used Income and Expenditure Income and Expenditure 8 , 000 8 , 000 950 800 Profit Profit 7 , 000 900 7 , 500 700 850 6 , 000 7 , 000 800 0 100 200 0 100 200 Aggregate investment D Aggregate investment D • green line : income • red line : expenditure • blue line : profit

  19. Investment Strategies: Proportional and Greedy Proportional Greedy Income and Expenditure Income and Expenditure 8 , 000 8 , 000 950 950 Profit Profit 7 , 000 7 , 000 900 900 850 850 6 , 000 6 , 000 800 800 0 100 200 0 100 200 Aggregate investment D Aggregate investment D • green line : income • red line : expenditure • blue line : profit

  20. Comparison of Investment Strategies 950 • red line: greedy Profit • solid line: proportional 900 • dashed line: uniform • dotted line: most-used 850 800 0 50 100 150 200 Aggregate investment D

  21. Conclusion and Future Work • Companies want to buy affordable insurance for cyber-risks, and insurers want to offer profitable insurance policies • non-diversifiable risks arising from software monocultures may result in prohibitively high safety capitals or insurance premiums • Our results show that insurers may have the incentives to invest in software security and thereby reduce non-diversifiable risks • in contrast to other approaches which have gained limited traction (e.g., software liability, government involvement) • Future work: • numerical evaluations based on real-world datasets • modeling multiple, competitive insurance providers • studying positive spillover e ff ects for uninsured entities

  22. Thank you for your attention! Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

AUGUST 25, 2015 Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks Tyler Gerking, Partner David B. Smith, CPCU, ARM, Insurance & Risk Management Consultant What is Cyber Insurance?

368 views • 10 slides
CYBER Overview Training for New Providers in the New Jersey Childrens System of Care October

CYBER Overview Training for New Providers in the New Jersey Childrens System of Care October

CYBER Overview Training for New Providers in the New Jersey Childrens System of Care October 2019 (01416) What is CYBER? A fully functional Electronic Health Record system, that is a tool for providers to make the maintenance of youth

736 views • 59 slides
Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The Evolution of Cyber Insurance Is Cyber Risk Already Insured? Cyber And Data Protection Is Not Just An IT Issue Case Study Cyber Risk Stakeholders The

1.03k views • 8 slides
Cyber Risks, Systemic Risks, and Cyber Insurance James E. Scheuermann* A BSTRACT The literature

Cyber Risks, Systemic Risks, and Cyber Insurance James E. Scheuermann* A BSTRACT The literature

Cyber Risks, Systemic Risks, and Cyber Insurance James E. Scheuermann* A BSTRACT The literature on cyber insurance is replete with statements to the effect that cyber risks are systemic risks. Through an analysis of the concept of

350 views • 32 slides
Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As

Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As

Cyber insurance covers the losses relating to damage to, Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As a business of any size, it is likely you will rely on information technology (IT)

253 views • 6 slides
Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security Security Insurance: Security Insurance: Insurance: Insurance: A Montana Perspective A Montana Perspective Presented by: d b Brett E. Dahl,

197 views • 8 slides
Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management Association Date: August 18, 2016 Agenda An Overview of Cyber Risk Exposures 1. Legal & Regulatory Trends 2. Marshs Cyber Risk Management

649 views • 31 slides
Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of

Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of

CYBER-INSURANCE REVISITED Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of Government Harvard University 03 June 2005 Rainer Bhme rainer.boehme@inf.tu-dresden.de Department of Computer Science

389 views • 22 slides
Cyber risk and insurance Dr. Katsiaryna (Kate) Labunets Safety and Security Sciences group TPM,

Cyber risk and insurance Dr. Katsiaryna (Kate) Labunets Safety and Security Sciences group TPM,

Cyber risk and insurance Dr. Katsiaryna (Kate) Labunets Safety and Security Sciences group TPM, TU Delft E: k.labunets@tudelft.nl 1 Outline Who am I? Definitions Motivation Cyber insurance market: Current practice

828 views • 46 slides
Cyber Insurance Illinois State Innovation Consulting Community Agenda Our Research Method

Cyber Insurance Illinois State Innovation Consulting Community Agenda Our Research Method

Cyber Insurance Illinois State Innovation Consulting Community Agenda Our Research Method Segment Definition Why is cyber different? Major Takeaways How will cyber change the industry? Recommendations Research Approach

1.11k views • 22 slides
Insurance Sponsored By: Giving Numbers a Voice: Making Use of Cyber Data in Insurance Visit

Insurance Sponsored By: Giving Numbers a Voice: Making Use of Cyber Data in Insurance Visit

Giving Numbers a Voice: Making Use of Cyber Data in Insurance Sponsored By: Giving Numbers a Voice: Making Use of Cyber Data in Insurance Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording

456 views • 21 slides
Cyber-Insurance for Cyber-Physical Systems Carlos Barreto, Carlos.BarretoSuarez@utdallas.edu

Cyber-Insurance for Cyber-Physical Systems Carlos Barreto, Carlos.BarretoSuarez@utdallas.edu

Cyber-Insurance for Cyber-Physical Systems Carlos Barreto, Carlos.BarretoSuarez@utdallas.edu Alvaro A. C ardenas, Alvaro.Cardenas@utdallas.edu Galina Schwartz, schwartz@eecs.berkeley.edu University of Texas at Dallas 2018 IEEE Conference on

358 views • 23 slides
a Security ECONomics service platform for smart security investments and cyber insurance pricing

a Security ECONomics service platform for smart security investments and cyber insurance pricing

a Security ECONomics service platform for smart security investments and cyber insurance pricing in the beyonD 2020 era SECONDO: A Platform for Cybersecurity Investments and Cyber Insurance Decisions The 17th International Conference on Trust,

273 views • 13 slides
Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation

Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation

Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation Services in Cyber Insurance Underwriting www.advisenltd.com Paper Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant

671 views • 22 slides
Cyber Liability Insurance and How to Respond to a Breach Financial Managers Society NY/NJ Chapter

Cyber Liability Insurance and How to Respond to a Breach Financial Managers Society NY/NJ Chapter

Cyber Liability Insurance and How to Respond to a Breach Financial Managers Society NY/NJ Chapter February 17, 2016 John Lawrence Director, Financial Institution Services Assistant Vice President M&T Insurance Agency Todays Agenda

371 views • 18 slides
CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
#FORUMCON19 Opportunity Zones, Impact Investing and Loan Guarantees: What is the Role for PSOs?

#FORUMCON19 Opportunity Zones, Impact Investing and Loan Guarantees: What is the Role for PSOs?

#FORUMCON19 Opportunity Zones, Impact Investing and Loan Guarantees: What is the Role for PSOs? Melanie Audette , Senior Vice President and Partner Engagement, Mission Investors Exchange, @melaudette Lyn Hunter , Director, Regional

426 views • 26 slides
Startups and Job Creation SEC Advisory Council on Small and Emerging Companies September 17, 2013

Startups and Job Creation SEC Advisory Council on Small and Emerging Companies September 17, 2013

Angel Investors Critical Initiators of Startups and Job Creation SEC Advisory Council on Small and Emerging Companies September 17, 2013 David Verrill ACA Chairman and Founder/Managing Director, Hub Angels Marianne Hudson ACA

1.01k views • 47 slides
Estimating long-run coefficients and bootstrapping in large panels with cross-sectional dependence

Estimating long-run coefficients and bootstrapping in large panels with cross-sectional dependence

Estimating long-run coefficients and bootstrapping in large panels with cross-sectional dependence using xtdcce2 2019 London Stata User Group Meeting Jan Ditzen Heriot-Watt University, Edinburgh, UK Center for Energy Economics Research and

634 views • 49 slides
Aspect-Oriented Programming with Dependency Injection Mark Seemann @ploeh Cross-Cutting Concerns

Aspect-Oriented Programming with Dependency Injection Mark Seemann @ploeh Cross-Cutting Concerns

Aspect-Oriented Programming with Dependency Injection Mark Seemann @ploeh Cross-Cutting Concerns Security Security Auditing Auditing Logging Logging Caching Caching Metering Metering Stability patterns Stability patterns Transactions

622 views • 26 slides
impact investments www.enterprise-development.org 1 o Overview of key findings from DCED

impact investments www.enterprise-development.org 1 o Overview of key findings from DCED

Assessing the causal attribution of impact investments www.enterprise-development.org 1 o Overview of key findings from DCED Todays study on fund managers and assessing attributable impact session o Audience views on the role of different

511 views • 18 slides
The natural mathematics arising in information theory and investment Thomas Cover Stanford

The natural mathematics arising in information theory and investment Thomas Cover Stanford

The natural mathematics arising in information theory and investment Thomas Cover Stanford University Page 1 of 40 Felicity of mathematics We wish to maximize the growth rate of wealth. There is a satisfactory theory. The strategy achieving

659 views • 40 slides
Recommendation: Invest in Increasing Supply of High Quality ECE Programs to Address Shortage

Recommendation: Invest in Increasing Supply of High Quality ECE Programs to Address Shortage

Recommendation: Invest in Increasing Supply of High Quality ECE Programs to Address Shortage Minnesota: Partnering to boost the supply of high-quality early care and education providers Build Your Own Success to date Customized Approaches to

391 views • 9 slides
Game Theory -- Lecture 2 Patrick Loiseau EURECOM Fall 2016 1 Lecture 1 recap Defined

Game Theory -- Lecture 2 Patrick Loiseau EURECOM Fall 2016 1 Lecture 1 recap Defined

Game Theory -- Lecture 2 Patrick Loiseau EURECOM Fall 2016 1 Lecture 1 recap Defined games in normal form Defined dominance notion Iterative deletion Does not always give a solution Defined best response and Nash

546 views • 41 slides

More recommend