logging in or signing up Kataria Heng Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 137 Category: News & Reports.. License: All Rights Reserved Like it (0) Dislike it (0) Added: September 27, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Models and Measures for Correlation in Cyber-Insurance: Models and Measures for Correlation in Cyber-Insurance Rainer Böhme Technische Universität Dresden rainer.boehme@tu-dresden.de Gaurav Kataria Carnegie Mellon University gauravk@andrew.cmu.edu DIMACS Workshop on Information Security Economics, Jan 19 2007.Cyber-Insurance in a Nutshell: Cyber-Insurance in a Nutshell Risk sharing avoid extreme losses at manageable expenses Security metric premiums differentiate good and bad risks Incentive function to develop and deploy sound security technology Market for cyber-insurance immature losses from cyber incidents in the range of $ 200 bn global cyber-insurance market < $ 2 bn -Majuca et al., 2006 (Danger of) High correlation of cyber-risks due to homogeneous technology -Geer et al., 2003 Decision to Offer Insurance: Decision to Offer Insurance Cost of offering insurance: C = E(L) + A + i · c Where, E(L) is the expected loss amount, L being a random variable A is the sum of all administrative costs, assumed negligible c is the safety capital required to settle all claims if the realization of L turns out to the є-worst case (є is the probability of ruin for the insurer) i is the interest rate to be paid for the safety capital c. The rate should reflect the risk associated with the business in general and the choice of є in particular Shape of the loss distribution function is crucialDecision to Seek Insurance: Decision to Seek Insurance Disutility 0 n Number of nodes simultaneously compromised Decision to Seek Insurance: Decision to Seek Insurance Given the degree of risk aversion σ and a measure of initial wealth I0, we can compute the maximum premium γClasses of Cyber-Risks: Classes of Cyber-Risks Insider attack Degree of event correlation Hardware failure Configuration vulnerability (user settings) Configuration vulnerability (default settings) Viruses and worms Targeted hacker attack Standard software exploit requiring user interaction Remote standard software exploit Systemic errors (Y2K, break of assumed secure cryptography)Cyber-Insurance Scenario: Cyber-Insurance Scenario Insurer’s view k : firms in portfolio n : risks per firm Global Risk Correlation Decisions are made at firm-levelCyber-Insurance Scenario: Cyber-Insurance Scenario Insuree’s view n : risks within firm Internal Risk Correlation Decisions are made at firm-levelTwo-Step Risk Arrival: Two-Step Risk ArrivalModeling Two-Step Risk Arrival: Modeling Two-Step Risk Arrival Monte-Carlo Simulation Computed minimum profitable premium for given correlation structureEquilibrium Conditions: Equilibrium Conditions Results of 20,000 simulation trials per parameter settingHow strong is cyber-risk correlation in reality?: How strong is cyber-risk correlation in reality? Standard Response lack of actuarial data on loss amounts Our Approach if correlation of losses is caused by attack correlation, then we can try to estimate correlation from sensor data measuring attack activityData Source: Data Source Honeypots decoy for hackers and automated attacks useful monitoring tool for malicious activity -http://www.honeynet.org Leurre.com honeynet project (Eurecom, France) 35 sensors emulating 3 TCP/IP stacks each deployed in 25 countries over five continents -Pouget et al., 2004, Pouget/Dancier/Pham, 2005 Observations Location Port Sequence Time (days) HitsGlobal Attack Activity: Global Attack ActivityCorrelation Measure: Correlation Measure Do attacks coincide at different sensor locations? Fit stochastic models for global attack patternAlternative Models of Risk Arrival: Alternative Models of Risk ArrivalEstimation Results: Estimation ResultsConclusion: Conclusion Take home message though our current risk models are suboptimal and not fully empirically validated, it might be a good idea to design future cyber-insurance models with two-step risk arrivalSlide19: We gratefully acknowledge support from the owners of Leurre.com at Eurecom, France, for sharing their fabulous honeynet database with us. The second author was supported by grant no. CNS-0433540 from the National Science Foundation. Q & A You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
Kataria Heng Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 137 Category: News & Reports.. License: All Rights Reserved Like it (0) Dislike it (0) Added: September 27, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Models and Measures for Correlation in Cyber-Insurance: Models and Measures for Correlation in Cyber-Insurance Rainer Böhme Technische Universität Dresden rainer.boehme@tu-dresden.de Gaurav Kataria Carnegie Mellon University gauravk@andrew.cmu.edu DIMACS Workshop on Information Security Economics, Jan 19 2007.Cyber-Insurance in a Nutshell: Cyber-Insurance in a Nutshell Risk sharing avoid extreme losses at manageable expenses Security metric premiums differentiate good and bad risks Incentive function to develop and deploy sound security technology Market for cyber-insurance immature losses from cyber incidents in the range of $ 200 bn global cyber-insurance market < $ 2 bn -Majuca et al., 2006 (Danger of) High correlation of cyber-risks due to homogeneous technology -Geer et al., 2003 Decision to Offer Insurance: Decision to Offer Insurance Cost of offering insurance: C = E(L) + A + i · c Where, E(L) is the expected loss amount, L being a random variable A is the sum of all administrative costs, assumed negligible c is the safety capital required to settle all claims if the realization of L turns out to the є-worst case (є is the probability of ruin for the insurer) i is the interest rate to be paid for the safety capital c. The rate should reflect the risk associated with the business in general and the choice of є in particular Shape of the loss distribution function is crucialDecision to Seek Insurance: Decision to Seek Insurance Disutility 0 n Number of nodes simultaneously compromised Decision to Seek Insurance: Decision to Seek Insurance Given the degree of risk aversion σ and a measure of initial wealth I0, we can compute the maximum premium γClasses of Cyber-Risks: Classes of Cyber-Risks Insider attack Degree of event correlation Hardware failure Configuration vulnerability (user settings) Configuration vulnerability (default settings) Viruses and worms Targeted hacker attack Standard software exploit requiring user interaction Remote standard software exploit Systemic errors (Y2K, break of assumed secure cryptography)Cyber-Insurance Scenario: Cyber-Insurance Scenario Insurer’s view k : firms in portfolio n : risks per firm Global Risk Correlation Decisions are made at firm-levelCyber-Insurance Scenario: Cyber-Insurance Scenario Insuree’s view n : risks within firm Internal Risk Correlation Decisions are made at firm-levelTwo-Step Risk Arrival: Two-Step Risk ArrivalModeling Two-Step Risk Arrival: Modeling Two-Step Risk Arrival Monte-Carlo Simulation Computed minimum profitable premium for given correlation structureEquilibrium Conditions: Equilibrium Conditions Results of 20,000 simulation trials per parameter settingHow strong is cyber-risk correlation in reality?: How strong is cyber-risk correlation in reality? Standard Response lack of actuarial data on loss amounts Our Approach if correlation of losses is caused by attack correlation, then we can try to estimate correlation from sensor data measuring attack activityData Source: Data Source Honeypots decoy for hackers and automated attacks useful monitoring tool for malicious activity -http://www.honeynet.org Leurre.com honeynet project (Eurecom, France) 35 sensors emulating 3 TCP/IP stacks each deployed in 25 countries over five continents -Pouget et al., 2004, Pouget/Dancier/Pham, 2005 Observations Location Port Sequence Time (days) HitsGlobal Attack Activity: Global Attack ActivityCorrelation Measure: Correlation Measure Do attacks coincide at different sensor locations? Fit stochastic models for global attack patternAlternative Models of Risk Arrival: Alternative Models of Risk ArrivalEstimation Results: Estimation ResultsConclusion: Conclusion Take home message though our current risk models are suboptimal and not fully empirically validated, it might be a good idea to design future cyber-insurance models with two-step risk arrivalSlide19: We gratefully acknowledge support from the owners of Leurre.com at Eurecom, France, for sharing their fabulous honeynet database with us. The second author was supported by grant no. CNS-0433540 from the National Science Foundation. Q & A