Aegis A Novel Cyber-Insurance Model

Size: px

Start display at page:

Download "Aegis A Novel Cyber-Insurance Model"

Drusilla Murphy
8 years ago
Views:

1 Aegis A Novel Cyber-Insurance Model Ranjan Pal Department of Computer Science University of Southern California Joint Work with Leana Golubchik and Kostas Psounis University of Southern California Presentation at IEEE/ACM GameSec 2011, Maryland, USA

2 Introduction(1/2) Traditional Internet was designed under ideal security assumptions only trustworthy users no propagation of malicious elements Today the Internet faces lot of threats denial of service attacks worms, viruses, spams, etc. Traditional security mechanisms to mitigate risks antivirus and anti-spam softwares by Symantec, Kaspersky, etc. firewalls

3 Introduction(2/2) Traditional security mechanisms do not guarantee 100% risk removal new threats evolve rapidly technical solutions are not fool-proof - there may be false positives/negatives [Jung et.al 04] formal solutions find it difficult to account for human intentions [Vojnovic & Ganesh, 05] Network externalities due to lock-in and first mover effects [Anderson, 01, Katz & Shapiro, 85] Technical + Economic + Policy + Psychological factors will play a role in ensuring perfect or near perfect security [Anderson & Moore, 08] Cyber-insurance is a technique proposed by researchers to eliminate risks completely An agency (ISP or a regulatory organization) charges premiums in return for risk coverage Amount of coverage and individual user responsibility drive premiums

4 Motivation (1/2) Cyber-insurance researchers have only considered risks due to security related failures have shown the existence of markets in ideal conditions [Lelarge & Bolot, 09] have shown the non-existence of markets in non-ideal conditions [Shetty et.al, 09] if a market exists cyber-insurance drives user security investments [L&B, 09] eliminates the free-riding problem amongst users increases overall network security Risks also arise due to non-security related failures, ex., reliability losses [Honeyman and Schwarz, 07] security and non-security related failures indistinguishable to naive users BUT might be distinguishable by experts insurance company would only want to insure for security lapses

5 Motivation(2/2) Naive users at disadvantage w.r.t buying insurance contracts user may not be in favor of buying cyber-insurance may not be willing to transfer complete liability to insurer Interesting questions to consider could we have a different type of cyber-insurance contract? how will it perform in a market along with traditional cyber-insurance? how would demand for this type of cyber-insurance scale with premiums? would markets for cyber-insurance exist under the new type of insurance? can we comment on the deployability of insurance in relation to market existence?

6 Contributions We propose a novel model of cyber-insurance - Aegis based on the concept of co-insurance in traditional insurance theory user is responsible for a strictly positive amount loss recovery liability Aegis suited to the combined presence of insurable and non-insurable risks Risk-averse users always prefer Aegis to traditional cyber-insurance Any type of insurance is purchased only if purchase is made mandatory Premium-demand trends in Aegis increase in premium may not lead to decrease in demand decrease in premium may not lead to increase in demand

7 Aegis Model(1/4) Risks arise due to security or non-security related issues security related - worms, viruses, spams, etc., non-security related - hardware faults, operational/programming errors effects same in case of security or non-security related failure, (ex., case of buffer overflow) Users rest a strictly positive loss recovery coverage on themselves θ - cyber-insurer liability 1 θ - user liability Value of loss incurred by Internet user - L ; Coverage - L d, d 0

8 Aegis Model(2/4) Final wealth (W) of an Internet user is represented as follows W = w 0 + v L S L NS + θ(i(l S ) P ) W - random variable w 0 + v - constant initial wealth, v - constant total value of loss object L S - r.v. denoting loss due to security attack L NS - r.v. denoting loss due to non-security related failure P = (1 + λ)e(i(l s )) - premium λ - loading factor - 0 for fair premiums, positive for unfair premiums I(L S ) - insurance coverage function, 0 I(L S ) L S

9 Aegis Model(3/4) Expected Utility of Final wealth of a user is represented as follows E(W )=A + B + C + D A = B = 0<L S v,l NS =0 0<L NS V,L S =0 u(w 0 + v L S L NS + θ(i(l S ) P )) g(l S,L NS )dl 1 dl NS u(w 0 + v L S L NS + θ(i(l S ) P )) g(l S,L NS )dl S dl NS C = 0<L S,0<L NS u(w 0 + v L S L NS + θ(i(l S ) P )) g(l S,L NS )dl S dl NS D = β u(w 0 + v θ P )

10 Aegis Model(4/4) Joint probability density function g() is given as follows g(l S,L NS )= α f S (L S ) 0 <L S v, L NS =0 (1 α β) f NS (L NS ) 0 <L NS v, L S =0, 0 0 <L S v, 0 <L NS v α - probability of loss due to security attack (function of topology) - probability of no attack β f S (L S )- univariate density function of losses due to security attack f NS (L NS )- univariate density function of losses due to non-security failure

11 Aegis Efficacy (1/3) Result 1 - Risk-averse Internet users always prefer Aegis contracts to traditional cyber-insurance contracts irrespective of the fairness of insurance premiums the option of traditional insurance and Aegis must exist non-insurable losses co-exist with insurable losses Intuitions A risk-averse Internet user would be conservative in his investments He could pay premiums and still not get covered As a result, would assume some coverage liability on himself Advantage - incentive to invest in self-defense mechanisms

12 Aegis Efficacy (2/3) Result 2 - when risks due to non-insurable losses increase in a first-order stochastic dominant sense (FOSD), the demand for traditional cyber-insurance amongst all riskaverse Internet users decreases non-insurable losses co-exist with insurable losses Intuitions greater chances user incurs a loss and not get covered increase in risks due to non-insurable losses decreases demand for Aegis contracts as well However, Aegis preferred to traditional insurance for same amount of risk

13 Aegis Efficacy (3/3) Result 3 - when risks due to non-insurable losses increase in a first-order stochastic dominant sense (FOSD), the expected utility of final wealth for any non-insurable contract falls with respect when compared to the alternative of no insurance non-insurable losses co-exist with insurable losses Implication risk-averse Internet users may not buy any form of insurance if purchasing insurance not made mandatory Thus markets for cyber-insurance may not exist even if information asymmetry problems do not arise, i.e., under ideal conditions Learning - ISPs or policy agencies like the government should make insurance purchase mandatory

14 Sensitivity Analysis (1/4) We study the increase/decrease in user insurance demands with changes in the premiums, and accounting for risk-averseness Analysis Assumptions User utility function U twice continuously differentiable U is thrice piecewise continuously differentiable U > 0 and U < 0 Coefficient of risk aversion, A, bounded by above We adopt the standard Arrow-Pratt risk aversion measure - absolute & relative A(W )= U (W ) U (W ) R(W )= WU (W ) U (W )

15 Sensitivity Analysis (2/4) Given that Internet users are risk-averse in an absolute sense, we need dθ to investigate the sign of the quantity,where λ = (1 + λ) and θ is dλ the optimal coverage liability on user. dθ dλ 0 if there exists ρɛr such that w L [A(W (x))θ (x λ E(L)) 1]dF (x) ρ w L θ (x λ E(L))dF (x) dθ dλ 0 if there exists ρɛr such that w L [A(W (x))θ (x λ E(L)) 1]dF (x) < ρ w L θ (x λ E(L))dF (x)

16 Sensitivity Analysis (3/4) Under what conditions would a ρ exist?? when (i) (1 θ )A A θ A (ii) w 0 A(W (L)) and { L λ E(L) } 1 θ A(W (L)) df (L) > 0

17 Sensitivity Analysis (4/4) Given that Internet users are risk-averse in an relative sense, we need to investigate the sign of the quantity dθ,where λ = (1 + λ) and θ is the optimal coverage liability on user. dλ dθ dλ 0 if and only if dθ if and only if R(W ) 1 dλ 0 R(W ) > 1 Implications - a user prefers Aegis contracts above a certain degree of relative risk-averseness even if there is an increase in premiums Intuitions relative risk aversion measured w.r.t. wealth of a user, more his wealth, lesser are his concerns on losing money paying for premiums and not getting insured, and vice-versa

18 Conclusion We proposed Aegis, a novel cyber-insurance model to account for noninsurable losses in addition to insurable losses We showed Aegis is always preferable to traditional cyber-insurance We showed that Aegis incentivizes users to invest more in self-defense and thereby increase overall network security We showed cyber-insurance markets exist ONLY if buying insurance is made mandatory Regarding demands for Aegis, we showed that an increase in the premiums may not lead to a decrease in user demand, and similarly a decrease in the premiums may not lead to an increase in the insurance premiums

19 Thank You!!!

Aegis A Novel Cyber-Insurance Model

Aegis A Novel Cyber-Insurance Model Ranjan Pal, eana Golubchik, Konstantinos Psounis University of Southern California, USA {rpal, leana, kpsounis}@usc.edu Abstract. Recent works on Internet risk management