Improving Network Security Through Insurance A Tale of Cyber-Insurance Markets

Transcription

1 Improving Network Security Through Insurance A Tale of Cyber-Insurance Markets Ranjan Pal Department of Computer Science University of Southern California PhD Advisors - Leana Golubchik and Konstantinos Psounis Jointly with Electrical Engineering and Computer Science University of Southern California Collaborator - Pan Hui (Hong Kong University of Science and Technology, T-Labs, Berlin) PhD Defense Talk, USC, 27 th May,

2 Research Focus Cyber-Security Network and Mobile Security Web Security Information Security Security Tools crytography formal logic software and hardware techniques measurements and machine learning game theory and mechanism design economics and social sciences 2

3 Can We Achieve Robust Security? Robust Internet security is currently not a reality [AM 09] 9% 13% 25% 39% 78% 36% A few primary reasons Anti-virus adoption A major population of network users are naive and are not aware of using existing security tools to their full potential Technical solutions not fool-proof (band-aid effect) Economics and policy related factors Anti-spam adoption Data courtesy: Symantec and Steganos,

4 Enter Insurance In real-world we have insurance schemes to manage risks related to cars, health, etc., Basic Principle Pay premiums/month and get covered when faced with a risk 4

5 How about Cyber-Insurance? Similar to popular in-practice insurances, we could also have cyber-insurance Use cyber-insurance to (i) mitigate risk (ii) make cyber space more robust [AM 08] 5

6 The Security Players Government Interests: to ensure a secure cyber-space Cyber-Insurer Interests: to make profits and ensure network robustness The Insured Interests: to remain safe and recover losses Security Product Vendors The Networking Infrastructure Interests: to remain robust Interests: to increase demand of products and make profits 6

7 A Cyber-Insurance Market An insurance-driven security eco-system involved parties (stakeholders) have useful exchanges of their interests potentially leading to a situation of market being in equilibrium (optimal exchange of interests) 7

8 Important Economics and Insurance Concepts Equilibrium Existence Market Efficiency Externality Adverse Selection Moral Hazard 8

9 Challenges in the Network Domain when, where, and why? interdependent and correlated risks non-transparency of loss information Can the insurers and the insured be jointly satisfied? i.e., Is there a market for cyber-insurance? 9

10 Related Work Question - Do Efficient Cyber-Insurance Markets Exist? Network and Insurance Settings Ideal Insurance Conditions Non-ideal Insurance Conditions Modeled Network (topology and externality) [LB 09] (restricted markets, no efficiency) [PG 10] (restricted markets, efficiency under cooperation) [PGPH 13, PGPH 14] (efficiency achieved) YL 12 (efficiency on good software quality) 10 Did not Model Network [PGP 10] (non-insurable risks, no efficiency) [SSFW 09]-restricted markets, no efficiency), [P 12] (restricted markets, no efficiency)

11 Talk Outline Existence of cyber-insurance markets Efficiency of cyber-insurance markets Realizing cyber-insurance markets in practice 11

12 Part 1 On the Existence of Cyber-Insurance Markets 12

13 Research Contribution Questions we are interested in Does there exist cyber-insurance markets under our proposed model? Are the markets efficient? Can we make all stakeholders happy? 13 Our Contribution We propose, study, and compare the following market scenarios to answer our questions (i) No insurance markets (ii) perfectly competitive markets selling insurance (iii) oligopolistic markets selling insurance (iv) monopoly markets selling insurance [PGPH 14]

14 Supply-Side Model Risk-averse cyber-insurer/s (single or multiple) could be ISP, security vendor, cloud provider, or any other third party Insurer provides clients (network users) with full coverage, [SV, 07, L 04] User premium - (1 + )E(R), 0 Compulsory insurance - regulator s tool required for the sake of increasing cyber-security [NYT, November, 2012] can be done via bundling of Internet contracts 14

15 Demand-Side Model (1/2) Network (primarily overlay) of risk-averse users A user i is subject to a risk of size r<w 0 Each user possess a concave utility function U(.) function of final wealth of a user strictly increasing, twice continuously differentiable Each user either invests nothing or an amount xi, self-defense (security) investments - anti-virus, firewalls, etc., Each user does not completely avoid possible loss on self-defense 15

16 Demand-Side Model (2/2) Users face direct as well as indirect losses direct losses - user i gets attacked by a direct threat and not by a propagated threat p i d(x i )=0 p i d(0) = p d indirect losses - user i gets attacked by a propagated threat originating at some other user probability of being affected by threats p i (X i,x)=p i d(x i )+q(l(x)) p i d(x i )q(l(x)) probability of being affected by indirect threat x - cost of investment to a user indifferent between investing and not investing x = f( x,g, a ) 16

17 No Insurance Scenario A user takes his decision to invest based on a utility comparison analysis A user invests in self-defense when utility on prevention greater than that without it E[U ndef (x)] = p d U(w 0 r) + (1 p d )Q Expected utility without prevention Expected utility with prevention Utility on facing direct risk only utility on facing indirect risk only Q = q(x)u(w 0 r) + (1 q(x))u(w 0 ) utility on facing indirect risk utility on facing no risk E[U def (x)] = q(x)u(w 0 x r) + (1 q(x))u(w 0 x) At market equilibrium evaluate x, i.e., the equilibrium cost to invest in self-defense 17

18 Insurance Scenario A user invests only if utility on prevention greater than that without it Full coverage E[U ndef (x)] = p d U(w 0 r + r p(0,x) r)+(1 p d )Q Expected utility without prevention Utility on facing direct risk only Utility on facing indirect risk only coverage not required Q = q(x)u(w 0 r + r p(0,x) r)+(1 q(x))u(w 0 p(0,x) r) utility on facing indirect risk utility on facing no risk At market equilibrium evaluate x E[U def (x)] = p d U(w 0 x q(x) r) Expected utility with prevention 18

19 Social Welfare Maximization Case of No Insurance and Competitive Insurance SW(x) = Z x 0 E[U def (l(x, y)]f(y)dy + E[U ndef (l(x)]l(x) net utility of investing users net utility of non-investing users Case of Monopoly Insurance SW(x) = Z 1 Z x 0 0 E[U def (l(x, y)]f(y)dyd net utility of investing users + E[U ndef (l(x)]l(x) net utility of non-investing users Social welfare maximization at equilibrium implies market efficiency 19

20 Competitive Insurance Scenario perfectly competitive insurance drives insurer profits to zero and results in fair premiums too many buyers (insureds) and sellers (insurers) in the market for any seller to charge unfair premiums to clients - will result in it having zero demand a user invests only if utility on prevention greater than that without it Expected utility without prevention Expected utility with prevention Full coverage E[U ndef (x)] = p d U(w 0 r + r p(0,x) r)+(1 p d )Q at equilibrium (Walrasian) evaluate x Utility on facing direct risk only utility on facing indirect risk E[U def (x)] = p d U(w 0 x q(x) r) 20 Utility on facing indirect risk only Q = q(x)u(w 0 r + r p(0,x) r)+(1 q(x))u(w 0 p(0,x) r) utility on facing no risk coverage not required

21 Oligopolistic Insurance Scenario Consider now that there are enough firms in market for each to be price-setting each seller can control and set the premiums of its customers We have a Bertrand game of premiums between cyber-insurers [MWG] Joseph Bertrand The NE of the game behaves exactly as the competitive equilibrium, i.e., fair premiums are provided to clients; insurers make zero profits [MWG] The well known Bertrand Paradox arises for number of firms equal to two Will cyber-insurers really make zero profits under competition?? No In practice there are some differences between firms w.r.t. factors such as reputation to customers, etc., and that allows some insurers to make positive profits by charging unfair premiums to their clients who go for reputation irrespective of price fairness 21

22 Monopoly Insurance Scenario monopoly insurance gives pricing power to the insurer under regulation a user invests only if utility on prevention greater than that without it Expected utility without prevention Full coverage E[U ndef (x)] = p d U(w 0 r + r (1 + )p(0,x) r)+(1 p d )Q Utility on facing direct risk only Utility on facing indirect risk only coverage not required Q = q(x)u(w 0 r + r (1 + )p(0,x) r)+(1 q(x))u(w 0 (1 + )p(0,x) r) utility on facing indirect risk utility on facing no risk Expected utility with prevention E[U def (x)] = p d U(w 0 x (1 + )q(x) r) at market equilibrium evaluate x 22

23 Summary of Results Market Type Equilibrium existence Equilibrium uniqueness Social welfare maximization No Insurance yes yes no Perfectly Competitive yes yes no Oligopolistic Insurance (2 insurers) Oligopolistic Insurance (#insurers > 2) Monopoly Insurance (one insurer) yes yes no yes yes no yes yes no PGPH 14 SSFW 09 23

24 Practical Implications Market Type Cyber-Insurer/s User Product Vendor Regulatory Agency Network No Insurance NA no somewhat yes no no Competitive Insurance Oligopolistic Insurance (two firms) Oligopolistic Insurance (#firms >2) Monopoly Insurance Are Stakeholder Interests Satisfied? no (zero expected profits) yes (full coverage) no (decrease in sales) no (decreased robustness) no (non-optimal SW) no yes no no no yes only when loading factor is positive yes yes Main Result Traditional cyber-insurance markets do not incentivize users to invest in self-defense and result in market failure (inefficiency) no no no no no no 24

25 Part 2 Making Cyber-Insurance Markets Efficient 25

26 Research Contribution Question we are interested in How to ensure social welfare maximization by internalizing all network externalities? Our Contribution We propose two techniques to ensure market efficiency based on premium discrimination (i) premium discrimination under regulation (ii) premium discrimination under non-regulation [PGPH 14, A working paper] 26

27 Ensuring Social Welfare Maximization So is all hope lost for successful (efficient) cyber-insurance markets? NO Users need to internalize network externalities caused by investments of other users Goal: to maximize social welfare in a network at user investment equilibrium Method Basis premium discrimination charge marginally fair premiums E[R] + k fair premium 27

28 Charging Fines/Rebates Protocol Steps Step 1 insurer advertises contracts with fine/rebate values Step 2 Step 3 users decide whether to invest in self-defense based on their cost of security investment and their signed insurance contracts when a claim if filed by a client, insurer checks each client on his investment amounts and allocates appropriate fines/rebates on his contract 28 Assumption a cyber-insurer can observe or stochastically learn the investment amounts of users. P 12 no observations mechanism design approach no efficiency

29 Summary of Results (Contract Discrimination Under Monopoly) Scenario Monopoly Insurance (contract discrimination) Equilibrium existence yes Equilibrium uniqueness Intuition Investment externalities are internalized by network users, users take more responsibility in securing their systems yes Social welfare maximization yes Moral hazard problem is resolved Mechanism Cyber-Insurer User Product Vendor Regulatory Agency Network Fines/Rebates not always yes yes yes yes Cooperation [PG, 10] no (always make zero expected profits) Are Stakeholder Interests Satisfied? yes yes yes yes Main Point: Market exists and is efficient but insurer might make zero expected profit 29

30 Part 3 Realizing Cyber-Insurance Markets in Practice 30

31 The Importance of Security Vendors Cyber-insurance companies are profit minded might make zero expected profit sufficient for them being de-incentivized in the future to form a security ecosystem Security vendors (e.g., Symantec, Microsoft) form an integral component in ecosystem - why? they are manufacturers of self-defense mechanisms nearly every user adopts some amount of self-defense mechanisms SV pricing roles might prove strategic in successful cyber-insurance market formation 31

32 The Alliance Diagram Security Maximum Social Welfare Share of Profits ($$) Cyber- Vendor Privileges & User Information 1. product advertising and lock-in 2. logical network centrality information insurer client lock-in increased profits due to lock-in and informed (externality-driven and differentiated) pricing 32 strictly positive expected profits Security vendor may be the cyber-insurer recovering safety capital costs

33 Research Contribution Questions we are interested in How can SVs price products to make extra profits for the insurance business? How does client network topology play a role in SV pricing? Is the pricing mechanism fair? Our Contribution We propose, study, and compare the following pricing policies adopted by a monopoly SV (i) static heterogenous (differentiated) pricing (ii) static homogenous (uniform pricing) (iii) static binary pricing [PH 12, PH 13, PGPH 13] 33

34 Pricing Model We consider a single regulated security vendor (SV) acting as the cyber-insurer N customers (users) for the SV connected via a logical (overlay) network social engineering attacks spread through logical networks Each user i has his concave utility function u i (monotonically non-decreasing) u i (x i, x i,p i )= i x i utility of user investments i x 2 i + x i X h ij x j h ij - positive externality effect of user j s per unit investment on user i j utility due to externalities p i x i 2 i > X j negative utility due to cost h ij 34

35 Pricing Game SV accounts for strategic user behavior - price set via a two stage game Stage 1 - SV sets price based on user optimal behavior in order to optimize profits max p X i p i x i cx i Stage 2 - a user optimizes his utility by investing amount x in self-defense, based on the price set by the SV. Here each user plays a game with other network users SV accounts for Stage 2 in deriving prices in Stage 1 (Stackelberg) 35

36 Closed Form Results on Equilibrium Prices Theorem 2. The optimal price vector p charged by the SV is given Theorem 2. The optimal price vector p charged by the SV is given Heterogenous Pricing markup discounted by ing by g e of + c T of + c 1 p = +GQ 1 B(G0, Q 1, w0 ) G T Q 1B(G 0, Q 1, w ), 0 ific +GQ B(G, Q, w ) G Q B(G, Q, w ), 2 cour p = 2 (5) 0 urave T (5) 0 G+G c 1 topological where G = and w = T price vector dependent on Bonacich centrality, i.e., user location 0 0 G+G 2 c 1. 2 e G = and w does = not. dix. where 2 2 price discriminate its consumers, In the case when the SV x. In case price when the SVfor does notconsumer) price discriminate its consumers, the the optimal (same every charged per Homogenous Pricing nted the optimal price (same for every consumer) charged per consumer consumer is given by d T 1 is given by + c 1) 11T (Q G) 1 ( p =1 1 (Q. (6) G) ( + c 1 ) T (Q G) p= 2. (6) (2) T (Q G) 2) pricetheorem independentintuition of Bonacichand centrality Implications: The optimal price vector in Theorem Intuition and Implications: The optimal price vector the no price discrimination case is independent of individual nodein her thecentralities, Unique Nash equilibrium duethe to supermodularity of our pricing games - Topkis (1998) whereas in price case the optimal price no price discrimination casediscrimination is independent of individual node ernot centralities, vector depends on the Bonacich centrality of individual users. price The whereas in the price discrimination case the optimal user ot vector intuition behind is thecentrality fact that of users tend to users. invest The in depends onthe theresult Bonacich individual 36

37 Model Setting: Social Engineering Attacks social networks (formed by a preferential attachment (PA) mechanism) random trees (formed by a Poisson mechanism) how to measure influence of a node in a network? centrality metric : Bonacich centrality is similar to PageRank 37

38 Price charged by SV Results: Different Pricing Scenarios Network User # (in increasing order of centrality) ode Plots Result instance for a random PA graph of 100 nodes for (a) Per-Unit SV Prices (left) and (b) Total User Investment when Price Charged by SV Heterogenous Pricing Uniform Pricing Binary Pricing Price Type Topology Profit Increase Fairness DP Random Yes Heterogenous Pricing Yes DP Tree Binary Pricing Uniform Pricing Yes Yes BP Random Yes No BP Tree Yes No UP Random Yes No UP Tree Yes No 38 Total User Investment Total User Investment Heterogenous Pricing Uniform Pricing Binary Pricing Network User # (in increasing order of centrality) =3(right) (PA Grap context of network neutrality DP - Differentiated Pricing BP - Binary Pricing UP - Uniform Pricing Heterogenous Pricing Binary Pricing Uniform Pricing

39 by a SV from its cyber-insurance business for pricing scenarios 1 Profit Ratio Influence Values Influence Values e and 3. The proof of the theorem is in the Appendix. s Theorem Fig. 2: The Node profits, Profit Results: PRatio 0 and Plots P Profit 1, made for (a) by Ratios an= SV3(left), from its (b) cyberinsurance business when the latter does not (does) account for user = 2.5 (middle), and e e investment externalities respectively are given by e e 0.95 < 0.95 T c 1 9 = 0.9 n P = (Q G) 1 c If : ; (7) e d and Ratio Lower 0.75 Ratio Bound Lower Bound Ratio Lower Bound 0 8 Ratio Lower Bound Ratio Obtained Ratio Obtained h Ratio Obtained Ratio Obtained < T Ratio Upper Bound Ratio Upper Bound Ratio Upper Bound Ratio Upper Bound 0.7 a c 1 9 = P = (Q G 0 ) 1 c e : ;, (8) Influence Values Influence 0.7 Values Influence Values Influence Values st Averaged result for 50 random PA graphs of 100 nodes Averaged result for 50 random trees of 100 nodes ots e for. Assuming Fig. (a) 3: 100 = Q3(left), G to Node Profit (b) be positive profit Ratio = increase 2.5 definite, Plots (middle), the bounds for ~25% (a) and (model =1(left), (c) of the based) = (b) 2(right) ratio of =3(middle), [PA Graphs] and (c) profits in these two cases is given by t b. 0 apple we generate 50 PA graphs 2 + min(k) apple P 0 apple 1 for each different P h 1 value 2 + max(k) apple 1,, K = f(g) (9) of µ ranging from special case of tree topolog 0 to 1 in 0.95 steps of 0.1. Each point in a sub-plot in Figure 0.95 y where 1 is of size 100 and 500 nodes P0 - profit R = when Q average of the 50 P 0 network G andexternalities min( ), max( ) are not accounted denote thefor minimum 0.9 P 1 obtained per value of µ (the 0.9 x-axis). k and maximum same manner as we genera Each sub-plot is eigenvalues the average of 50 of their arguments respectively, and graphs for a particular value of, i.e., based on influence va e P the scale-free Kequals - profit when RR T network +R T R 1 externalities exponent parameter for. are accounted for 4 PA graphs, (in many papers average of 50 instances for also s denoted as ) is known to generally lie between [2, 3], and for to lie in the set {1, 3, 5}. F our l plots Before we choose we explain three values the theorem of Ratio : Lower 2, 2.5, intuitions Boundand 3. For and the its purposes implications, we for all i that Ratio Lower Bound i = G an Profit Ratio Profit Ratio P Profit Ratio Profit Ratio Profit Ratio Profit Ratio 0.6

40 Binary Pricing Heterogenous pricing may not be practical to implement in a large network Given exogenous prices, what subset of clients get the discounted price that maximizes insurer profits? NP-Hard problem (we reduce it from weighted MAX-CUT problem) two node classes (denoting two price classes) nodes - network users edges - f(g) We design a approximation algorithm to find optimal price set that generates maximum profits for the cyber-insurer. model a relaxed version of the problem as a semi-definite programming problem used a randomized approach used by Goemans and Williamson [1995] to bound OPT ratio 40

41 Dissertation Contributions Summary In a non-insurance setting, network security is sub-optimal Cyber-insurance markets are efficient under monopoly with contract discrimination, with insurer making zero profits in expectation Cyber-insurance markets are efficient under monopoly and competition under user cooperation, with insurer making zero profits in expectation Designed heterogenous, homogenous, and binary pricing mechanisms to allow a SV cyber-insurer to make additional profits for its cyber-insurance business The binary pricing problem to be NP-Hard and we designed a randomized approximation algorithm to maximize SV profits Valdiated our proposed pricing mechanisms via extensive simulations on practical networking topologies pricing is fair for a differentiated scheme unto 25% improvements in profits possible if externalities accounted for 41

42 Important Open Questions Ensuring efficient markets in non-monopolistic environments under noncompulsory insurance Optimal pricing/incentive mechanisms in non-monopolistic environments Modeling strategic attackers - resorting to dynamic game models Insurers might need insurance as well - how will a regulator manage risk for the insurer? - adapt models from re-insurance, exploit derivatives, etc. Quantifying success of markets when explicitly accounting for noisy information regarding market stakeholders 42

43 Publications on My Thesis Work 1. R. Pal, L. Golubchik, K. Psounis, and P. Hui - Will Cyber-Insurance Improve Network Security - A Market Analysis, In proceedings of IEEE INFOCOM 2014, Toronto, Canada (Disseration) 2. R. Pal, L. Golubchik, K. Psounis, and P. Hui - On A Way to Improve Cyber-Insurer Profits: When a Security Vendor Becomes the Cyber-Insurer, In proceedings of IFIP Networking, 2013, New York City, USA (Dissertation) 3. R. Pal and P. Hui - On Differentiating Cyber-Insurance Contracts: A Topological Perspective, In proceedings of IEEE/IFIP Internet Management Conference, Ghent, Belgium, 2013 (Dissertation) 4. R. Pal and P. Hui - Cyber-Insurance for Cyber-Security: A Topological Take on Modulating Insurance Premiums, In proceedings of ACM SIGMETRICS MAMA 2012, London, UK. Also to appear in SIGMETRICS Performance Evaluation Review, 2012 (Dissertation) 5. R. Pal - Cyber-Insurance for Cyber-Security: A Solution to the Information Asymmetry Problem, Appeared in SIAM Annual Meeting, 2012, Minnesota, USA 6. R. Pal, L. Golubchik, and K. Psounis - Aegis: A Novel Cyber-Insurance Model, In proceedings of GameSec, 2011, Maryland, USA 7. R. Pal and P. Hui - Modeling Investments in Internet Security: Tackling Topological Information Uncertainty, In proceedings of GameSec, 2011, Maryland, USA 8. R. Pal and L. Golubchik - On Economic Perspectives of Internet Security: The Problem of Designing Optimal Cyber-Insurance Contracts, In proceedings of ACM SIGMETRICS MAMA 2010, London, UK. Also appeared in SIGMETRICS Performance Evaluation Review, R. Pal and L. Golubchik - Analyzing Self-Defense Investments in Internet Security under Cyber-Insurance Coverage, In proceedings of IEEE ICDCS, 2010, Genoa, Italy

44 Acknowledgements Professor Leana Golubchik, USC Professor Konstantinos Psounis, USC My PhD qualifying committee at USC Prof. Pan Hui, HKUST, and T-Labs, Berlin, Germany Professor Ross Anderson, Cambridge University Dr. Tyler Moore, Harvard University Princeton EDGE Laboratory, Princeton University, ( Headed by Professor Mung Chiang) Professor Golubchik s research group at USC Professor Jean-Yves LeBoudec, EPFL, Lausanne Audiences at GameSec, SIGMETRICS MAMA, ICDCS, SIAM Annual Meeting, IEEE/IFIP IM, IFIP Networking, IEEE INFOCOM, TU Lisbon, Nokia-Siemens Networks, Lisbon Provost Fellowship programme at USC 44

45 Other Publications in PhD 1. R.Pal et.al. A Real-Time Pricing Model for Electricity Consumption, accepted in SIAM Conference on Financial Mathematics and Engineering, 2012, Minnesota, USA 2. R.Pal et.al. On Social Community Networks: The Cost Sharing Problem, accepted in ACM SIMPLEX 2012 Workshop, in conjunction with WWW conference, Lyon, France 3. R.Pal et.al. Economic Models for Cloud Service Markets: Pricing and Capacity Planning, published in Elsevier Theoretical Computer Science, 2013, Vol R.Pal et.al. Economic Models for Cloud Service Markets accepted in ICDCN 2012, Hong Kong. (Also invited by INFORMS Annual Meeting 2011, Charlotte, North Carolina, USA). 5. R.Pal et.al. Settling For Less : A QoS Compromise Mechanism for Mobile Opportunistic Networks accepted in ACM SIGMETRICS Workshop (MAMA 2011), San Jose, USA. A slightly modified version of this paper appeared in ACM SIGMETRICS Performance Evaluation Review, 2011, Vol. 39(3) 6. R.Pal et.al. Sharing-Mart: Online Auctions for Digital Content Trading and Content Incentivization, accepted in GameNets, 2011, Shanghai, China. (A flagship conference on game theory applications in communication networks) 7. R.Pal et.al. On Wireless Social Community Network Routers: The Design and Cost Sharing Problem for Better Deployment, accepted in IEEE GLOBECOM 2010, Florida, USA. 8. R.Pal et.al. Sharing Costs in Social Community Networks, accepted in IEEE ICNC Workshop on Computing Networking and Communications, 2012, Maui, Hawaii, USA. 9. R.Pal et.al. Playing Games with Human Health: A Game-Theoretic Approach to Optimizing Reliability in Wireless Health Networks, accepted in IEEE ISABEL 2010, Rome, Italy.

46 Thank You Questions? rpal@usc.edu 46