Cyber-Insurance: Copula Pricing Framework and Implications for Risk Management


Cyber-Insurance: Copula Pricing Framework and Implications for Risk Management

Hemantha S. B. Herath, Associate Professor, Department of Accounting, Faculty of Business, Taro Hall, 500 Glenridge Avenue, St. Catharines, Ontario, Canada L2S 3A1, hemantha.herath@brocku.ca

Tejaswini C. Herath, Ph.D. Candidate, Department of Management Science and Systems, Jacobs Management Center, University at Buffalo, Amherst, NY 14260, tcherath@buffalo.edu

ABSTRACT

In recent years there has been a growing stream of research focusing on cyber-insurance. Risk transference with insurance has been suggested by both practitioners and academics to absorb losses caused by security breaches, as well as to supplement the existing set of security tools in managing the IT security residual risk that remains after IT security investments are made. In this paper we investigate the pricing of cyber-insurance products using the emerging copula methodology for modelling dependent risks from an actuarial approach, which differs from the process approaches of Böhme and Kataria (2006) and Mukhopadhyay et al. (2006). We discuss a framework for assessing the empirical dollar loss distribution from the empirical distribution of the number of infected computers. We develop a cyber-insurance model and demonstrate the Gumbel copula to price insurance premiums using a numerical example with ICSA data.

Key Words: Cyber-Insurance; Copula; Correlated Risk; Copula Dependency; Information Security Risk Management.

Acknowledgements: Dr. Hemantha Herath acknowledges financial support from the Social Sciences and Humanities Research Council (SSHRC) of Canada.

1. Introduction

Survey results on the financial losses due to information security breaches give an overall glimpse of the severity of virus, hacker and denial-of-service attacks. Recent security breach incidents (2005; 2006) have cost organizations millions of dollars in lost revenue, not counting intangible losses such as lost productivity, loss of customer goodwill and reputation, and lost business opportunities.
The recent CSI/FBI survey report notes that the majority of organizations use or have security tools in place, with almost 99% using antivirus software, 98% having firewalls, 7% having proxy servers, and 68% having intrusion detection systems. However, in spite of this widespread use of security measures, the losses due to breaches are still extremely high. Anderson (2001) explains this phenomenon clearly: it is difficult for the security managers of any organization to know about and eliminate every point of vulnerability in a system (i.e. to create a foolproof system), while it only takes a hacker exploiting one of those points. Similarly, as Schneier points out, a new virus can easily compromise the perimeter security devices before a signature is available and deployed for the anti-virus tools to track it down. Recognizing that the elimination of security breach risk is close to impossible, NIST recommends several risk mitigation techniques based on technical as well as non-technical controls (Stoneburner et al. 2002):

1. Risk Assumption: accept the potential risk and continue operating the IT system, or implement controls to lower the risk to an acceptable level.
2. Risk Avoidance: avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system, or shut the system down when risks are identified).
3. Risk Limitation: limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability (e.g., supporting, preventive and detective controls).
4. Risk Planning: manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls.
5. Research and Acknowledgment: lower the risk of loss by acknowledging the vulnerabilities or flaws and researching controls to correct them.
6. Risk Transference: transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

In this paper, we focus on risk transference as a tool to minimize some of the financial losses to firms.
Risk transference with insurance has been suggested by both practitioners and academics to absorb losses caused by security breaches, as well as to supplement the existing set of security tools in managing the IT security residual risk that remains after IT security investments are made (see Böhme 2005; Böhme and Kataria 2006; Gordon et al. 2003; Mukhopadhyay et al. 2006; Ogut et al. 2005, among others). Typically an individual or organization employs a combination of these risk management options simultaneously, retaining some of the risk, mitigating some and insuring the rest (Schneier). While cyber-insurance shares some features with other insurance products, certain characteristics are unique to IT security, and these make the pricing of cyber-insurance challenging. First, internet-related risks are unique in terms of location, degree and visibility, and traditional policies do not comprehensively address the additional risks that firms face as a result of being part of the digital economy (Gordon et al. 2003). Second, although issues related to pricing, adverse selection and moral hazard are common to all forms of insurance, an understanding of how these issues play out for cyber risks is needed when designing insurance products.

These unique challenges create a plethora of research questions that need to be addressed from the point of view of insurance companies (supply side) as well as the insured (demand side). For instance, pricing insurance products traditionally relies on actuarial tables constructed from historical records. The internet is relatively new, and as such data about security breaches and losses does not exist, or exists only in small quantities. This is further exacerbated by the reluctance of organizations to reveal details of security breaches for fear of loss of market share, reputation, etc. (Gordon et al. 2006). Although insurance companies currently provide cyber-insurance products, the accuracy of the pricing, and whether or not insurance providers are charging the right premiums, is still an open question (Gordon et al. 2003; Radcliff). In recent years there has been a growing stream of research focusing on cyber-insurance. Gordon and Loeb (2003) lay out a framework for using cyber-insurance as a risk management technique; they also discuss the unique features of cyber-insurance as well as its similarities to other lines in respect of pricing, adverse selection and moral hazard. Ogut et al. (2005) investigate the cyber-insurance problem from the angle of moral hazard and adverse selection, and show that the interdependence of IT security risk across firms affects a firm's incentive to invest in cyber-insurance products. Böhme (2005) provides an intuitive discussion of correlated risk in cyber-insurance and asks whether the structural characteristics of the internet itself (i.e., the monopoly of a dominant platform) will restrict the creation of a proper market for cyber-insurance. His arguments are thorough and clearly valid, and have implications for pricing. Using an indemnity insurance model, he evaluates the conditions under which insurance can be provided and models different premiums for users of dominant and alternative platforms.
Extending Böhme (2005), Böhme and Kataria (2006) investigate correlated cyber-risks in a two-step risk arrival process, that is, within the firm (intra-firm risk correlation) and external to the firm (global risk correlation). To capture the global risk correlation the authors use the t-copula, which is suited to modelling the correlation of extreme events. Mukhopadhyay et al. (2006) use a copula approach together with the Bayesian Belief Network (BBN) technique to quantify the e-risk associated with online transactions that would be affected by security breaches. They use the multivariate normal copula to describe the joint distribution, which is then used to compute the conditional distribution at each node of the BBN. Using the software FULLBNT they identify the probabilities associated with the specific causes of security breaches. Using these breach probabilities, and making the strong simplifying assumption that the dollar losses at each node of the network are binomially distributed with assumed specific values, they price cyber-insurance premiums as a function of the expected claim severity and its standard deviation, where the claim severity is the product of the expected dollar loss amount and the probability of the loss. All of the above papers make a very significant contribution to understanding the issues of cyber-risk insurance. In this paper, we investigate cyber-insurance pricing using the emerging copula methodology for modelling dependent risks from an actuarial approach, which is different

to the approaches of Böhme and Kataria (2006) and Mukhopadhyay et al. (2006). Mukhopadhyay et al. (2006) take a process view to quantify operational risk, modelling the chain of activities that constitute an operation and estimating the risk of each process. Böhme and Kataria (2006) can also be categorized as a process approach, one that focuses on connectivity and system dynamics. Both methods are useful inputs to the actuarial approach we develop in this paper. The use of copulas also differs across the three papers: Böhme and Kataria (2006) use the t-copula, Mukhopadhyay et al. (2006) use the multivariate normal copula, and we use two Archimedean copulas, Clayton and Gumbel. Our paper thus makes the following contributions to the literature. First, we use an actuarial approach based on empirical loss distributions. In particular, we develop a framework for assessing the empirical dollar loss distribution from the empirical distribution of the number of infected computers. More specifically, we use ICSA data on actual virus incidents and the number of computers affected (scaled to the firm level) to assess the empirical loss distribution, which depends on the security risk posture of the firm. Second, we provide a detailed survey of two copulas (Clayton and Gumbel), discuss the fit test and how to simulate bivariate data from a known copula, and develop a cyber-insurance model. As noted above, the use of copulas is relatively new to the cyber-security insurance industry. Third, we illustrate the model using a numerical example with ICSA data.

This paper is organized as follows. In Section 2 we present a framework for assessing cyber risk and estimating the empirical distribution of dollar losses. Section 3 provides a survey of copulas and a cyber-insurance model. In Section 4 we illustrate the methodology with a case study. Section 5 concludes the paper.

2. Framework for Assessing Cyber Risk

In pricing the premium, it is essential to identify the likelihood of a potential disaster as well as its impact.
Risk is defined as "a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization" (NIST; emphasis in original). The likelihood of a threat source exploiting a vulnerability is random and is similar to situations normally faced by insurance companies, such as the expectation of a natural disaster; it can be assumed to follow a Poisson distribution (Conrad 2005). Although the occurrence of a virus is random, the possibility of a breach may very well depend on the number of vulnerabilities, and the number of vulnerabilities can be expected to depend on the security precautions taken by the firm (the security posture coefficient $s$). For example, daily monitoring and updating of virus signatures will be less risky than weekly updates. Similarly, if the firm has the resources for hourly monitoring and updating, it is likely to be safer than with daily or weekly monitoring. The dollar losses will depend on the type of computer affected and its relative losses. Security breaches cause various types of losses: (1) lost productivity, (2) lost revenue, (3) clean-up costs and (4) financial performance impact, to name a few (Farahmand et al.

2004). These costs can be expected to depend on the type of computer that is breached. For example, if a virus has crippled the administrative PCs, it will impose a productivity loss on the affected staff as well as clean-up costs related to the attack. If the computer involved is a web server used mostly for e-business activity, the attack is likely to result in lost revenue in addition to clean-up costs. In general, total losses due to a particular risk (e.g. a virus attack) can be expressed as a function of the type of computer affected, the losses related to that type of computer, and the security posture of the firm. Thus the loss function based on the number of computers can be written as

$$L = s_1 \alpha_1 f_1 + s_2 \alpha_2 f_2 + s_3 \alpha_3 f_3, \qquad \alpha_1 + \alpha_2 + \alpha_3 = 1,$$

where $\alpha_n$ is the fraction of computers of type $n$, $f_n$ is the dollar impact for a computer of type $n$, and $s_n$ is the security posture coefficient for type $n$.

3. Copula Methodology

Copulas are functions that join or "couple" multivariate distribution functions to their one-dimensional marginal distribution functions. Alternatively, copulas are multivariate distributions whose one-dimensional margins are uniform on the interval [0,1] (Nelsen 1995; Frees and Valdez 1998). Copulas have been studied for over forty years. Sklar (1959) coined the term copula to describe functions which join together one-dimensional distribution functions to form multivariate distribution functions. Copulas are of interest to statisticians for two main reasons: first, as a way of studying scale-free measures of dependence; and second, as a starting point for constructing families of bivariate distributions, sometimes with a view to simulation (Fisher 1997).

Definition (Sklar's Theorem, 1959). Let $X$ and $Y$ be continuous random variables (lower-case $x$, $y$ denote their values) with bivariate distribution function $H(x, y)$ and marginal distribution functions $F(x)$ and $G(y)$, and let $F^{-1}(\cdot)$ and $G^{-1}(\cdot)$ be the inverses of $F$ and $G$. Then for any uniform random variables $U$ and $V$ with values $u, v \in [0, 1]$ (i.e.
make the probability transformation of each variate, $U = F(X)$ and $V = G(Y)$, to get a new pair of variates $U \sim U(0,1)$ and $V \sim U(0,1)$) there exists a copula $C$ such that for all $x, y \in \mathbb{R}$

$$H(x, y) = C\big(F(x), G(y)\big) = C(u, v). \qquad (1)$$

If $F$ and $G$ are continuous then $C$ is unique. An important feature of copulas is that any choice of marginal distributions can be used; copulas are constructed on the assumption that the marginal distribution functions are known. Copulas are important because they allow us to study the dependence or association between random variables. There are several ways to measure dependence. The most

widely used measures are Spearman's rho and Kendall's tau. Copulas precisely account for the dependence between random variables: for two random variables $X$ and $Y$, the dependence properties of the joint distribution (the manner in which $X$ and $Y$ move together) are captured entirely by the copula, and the copula is invariant under strictly increasing transformations of each variable. The two standard non-parametric dependence measures expressed in copula form are as follows. Kendall's tau is given by

$$\tau = 4 \iint_{I^2} C(u, v)\, dC(u, v) - 1, \qquad (2)$$

and Spearman's rho by

$$\rho = 12 \iint_{I^2} C(u, v)\, du\, dv - 3. \qquad (3)$$

The expressions for Kendall's tau for the two families of copulas used here are presented in Section 3.1. Copulas provide a way to study scale-free measures of dependence. In empirical applications where data is available, the dependence measure can be used to specify the form of the copula. Genest and Rivest (1993) provide a procedure for identifying a copula when bivariate data is available. Once the correct copula is identified, it can be used to simulate random outcomes of the dependent variables.

3.1 Survey of the Gumbel and Clayton Copulas

In this paper we survey two one-parameter bivariate Archimedean copulas, adopted from Frees and Valdez (1998) and Nelsen (1999) (Nelsen lists one-parameter families on pp. 94-97). Archimedean copulas are easy to apply and have nice properties. The parameter in each case measures the degree of dependence and controls the association between the two variables: at one end of its range there is no dependence and at the other there is perfect dependence. Schweizer and Wolff (1981) show that the dependence parameter which characterizes each family of Archimedean copulas can be related to Kendall's tau; this property can be used to determine the applicable copula form empirically.

(1) Clayton copula (1978)
(a) Generator: $\varphi(t) = t^{-\alpha} - 1$
(b) Bivariate copula: $C(u, v) = \left(u^{-\alpha} + v^{-\alpha} - 1\right)^{-1/\alpha}$
(c) Laplace transform (inverse generator): $\varphi^{-1}(t) = (1 + t)^{-1/\alpha}$

(d) Kendall's tau: $\tau = \dfrac{\alpha}{\alpha + 2}$

(2) Gumbel copula (1960)
(a) Generator: $\varphi(t) = (-\ln t)^{\alpha}$
(b) Bivariate copula: $C(u, v) = \exp\left\{-\left[(-\ln u)^{\alpha} + (-\ln v)^{\alpha}\right]^{1/\alpha}\right\}$
(c) Laplace transform (inverse generator): $\varphi^{-1}(t) = \exp\left(-t^{1/\alpha}\right)$
(d) Kendall's tau: $\tau = 1 - \dfrac{1}{\alpha}$

3.2 Identifying a Copula Form

The first step in modelling and simulation is identifying the appropriate copula form. Genest and Rivest (1993) provide the following procedure (fit test) to identify an Archimedean copula. The method assumes that a random sample of bivariate data $(X_i, Y_i)$, $i = 1, \ldots, n$, is available. Assume that the joint distribution function $H$ has an associated Archimedean copula $C$; the fit then allows us to select the appropriate generator $\varphi$. The procedure verifies how closely different copulas fit the data by comparing the parametric version of the copula with the empirical (non-parametric) version. The steps are as follows:

Step 1: Estimate Kendall's correlation using the non-parametric, distribution-free measure

$$\tau_n = \binom{n}{2}^{-1} \sum_{i < j} \operatorname{sign}\left[(X_i - X_j)(Y_i - Y_j)\right].$$

Step 2: Identify an intermediate variable $Z = H(X, Y)$ having distribution function $K(z) = \Pr(Z \le z)$. Construct an empirical (non-parametric) estimate of this distribution as follows:

$$Z_i = \frac{\#\{(X_j, Y_j) : X_j < X_i \text{ and } Y_j < Y_i\}}{n - 1}, \qquad i = 1, \ldots, n.$$

The empirical version of the distribution function $K(z)$ is $K_E(z)$ = proportion of $Z_i \le z$.

Step 3: The next step is to construct the parametric estimate of $K(z)$. The relationship between this distribution function and the generator is given by $K(z) = z - \dfrac{\varphi(z)}{\varphi'(z)}$, where

$\varphi'(z)$ is the derivative of the generator and $0 \le z \le 1$. The specific form of $K(z)$ for the two Archimedean copulas surveyed in this paper is:

(1) Clayton copula: $K(z) = z\left(1 + \dfrac{1 - z^{\alpha}}{\alpha}\right)$ (4)

(2) Gumbel copula: $K(z) = z\left(1 - \dfrac{\ln z}{\alpha}\right)$ (5)

Repeat Step 3 for several different families of copulas, i.e., several choices of $\varphi(\cdot)$. By visually examining the graph of $K(z)$ against $z$, or by using a statistical measure such as minimum squared error, one can choose the best-fitting copula, which can then be used in modelling dependence and in simulation.

3.3 Pricing Cyber-Insurance

Copula methodology can be used effectively for forecasting the dollar value of losses from cyber attacks and pricing cyber-insurance. In this section we discuss an application example that uses copula dependence. A key component of insurance pricing is understanding and modelling multivariate relationships. While linear regression may provide a basis for explaining the relationship between two (or more) variables, the model rests on normality assumptions and linear dependence; it would be adequate if the marginal distributions were normal. However, as the ICSA data indicate, the marginal distributions of the number of computers affected ($X$) and the dollar value of losses ($Y$) are not normal. The number of computers affected ($X$) is likely to follow a Pareto, exponential or Weibull type of distribution, since a small share of the viruses account for the great majority (75%-85%) of the computers affected. Since the marginal distributions are non-normal, the classical Pearson product-moment correlation ($\rho$) cannot be used to model the dependence between the two variables: it measures only straight-line (linear) association. In forecasting the dollar value of losses and pricing cyber-insurance, copula dependence is therefore more appropriate.
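As an added worked example (not code from the paper), the following Python carries the Genest and Rivest fit test of Section 3.2 through for the Clayton and Gumbel copulas above: Kendall's tau from the sample, the copula parameter from the tau relations (1)(d) and (2)(d), the empirical $K_E(z)$, the parametric $K(z)$ of equations (4) and (5), and a mean-squared-error choice between the two families. The function names are my own, and the bivariate sample is constructed for illustration (it is not the ICSA data); it is built so that its Kendall's tau is exactly 6/7.

```python
"""Genest-Rivest fit test for one-parameter Archimedean copulas (Clayton, Gumbel).

Added worked example; not code from the paper.  SAMPLE_X / SAMPLE_Y are a
constructed illustration, not the ICSA / Firm A data.
"""
import math
from itertools import combinations


def kendall_tau(xs, ys):
    """Step 1: (concordant - discordant pairs) / C(n, 2).  No tie correction
    (tau-a); SPSS's tau-b differs on tied data."""
    n = len(xs)
    s = 0
    for i, j in combinations(range(n), 2):
        d = (xs[i] - xs[j]) * (ys[i] - ys[j])
        s += (d > 0) - (d < 0)
    return s / (n * (n - 1) / 2)


def clayton_alpha(tau):
    """Invert tau = alpha / (alpha + 2) (undefined at tau = 1)."""
    return 2 * tau / (1 - tau)


def gumbel_alpha(tau):
    """Invert tau = 1 - 1 / alpha (undefined at tau = 1)."""
    return 1 / (1 - tau)


def k_clayton(z, a):
    """Eq. (4): K(z) = z - phi(z)/phi'(z) for phi(t) = t^-a - 1."""
    return z * (1 + (1 - z ** a) / a)


def k_gumbel(z, a):
    """Eq. (5): K(z) = z - phi(z)/phi'(z) for phi(t) = (-ln t)^a."""
    return z * (1 - math.log(z) / a)


def pseudo_observations(xs, ys):
    """Step 2: Z_i = #{j : X_j < X_i and Y_j < Y_i} / (n - 1)."""
    n = len(xs)
    return [sum(1 for j in range(n) if xs[j] < xs[i] and ys[j] < ys[i]) / (n - 1)
            for i in range(n)]


def empirical_k(zs, z):
    """Non-parametric K_E(z): proportion of pseudo-observations <= z."""
    return sum(1 for v in zs if v <= z) / len(zs)


def select_copula(xs, ys):
    """Step 3: compare K_E(z) with each family's K(z) on a grid in (0, 1)
    and return the family with the smaller mean squared error."""
    tau = kendall_tau(xs, ys)
    zs = pseudo_observations(xs, ys)
    grid = [k / 20 for k in range(1, 20)]        # avoid z = 0 (log) and z = 1
    families = {
        "Clayton": (clayton_alpha(tau), k_clayton),
        "Gumbel": (gumbel_alpha(tau), k_gumbel),
    }
    result = {"tau": tau, "mse": {}}
    for name, (a, kfun) in families.items():
        result[name + "_alpha"] = a
        result["mse"][name] = sum((empirical_k(zs, z) - kfun(z, a)) ** 2
                                  for z in grid) / len(grid)
    result["best"] = min(result["mse"], key=result["mse"].get)
    return result


# Constructed sample: increasing in both coordinates except two swapped
# neighbours, so 26 concordant and 2 discordant pairs out of 28 (tau = 6/7).
SAMPLE_X = [1, 2, 3, 4, 5, 6, 7, 8]
SAMPLE_Y = [1, 2, 3, 5, 4, 6, 8, 7]

if __name__ == "__main__":
    r = select_copula(SAMPLE_X, SAMPLE_Y)
    print(f"tau = {r['tau']:.4f}, Clayton alpha = {r['Clayton_alpha']:.3f}, "
          f"Gumbel alpha = {r['Gumbel_alpha']:.3f}, best fit = {r['best']}")
```

With real data one would evaluate the squared error at the observed $Z_i$ rather than on a fixed grid, and with ties in $X$ or $Y$ the tau estimator should be the tie-corrected form that SPSS reports.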
In the copula approach to pricing cyber-insurance, the first step is to use the procedure laid out in Section 3.2 to identify the appropriate copula for modelling the nonlinear dependence between the two variables of interest, the number of computers affected ($X$) and the dollar value of losses ($Y$). That is, we identify the joint distribution of $(X, Y)$ through the fitted copula. Once that is done we can examine the distribution of any known function $g(X, Y)$ of $X$ and $Y$. Consider the expected insurance policy premium for a firm that has $N$ computers (stand-alone PCs and servers). Let $L$ and $M$ be the lower and upper limits on the number of computers likely to be affected that are used to determine the premium. Assuming the dollar value of the likely losses can be prorated on the number of computers affected (or exposed), we can write the following function for pricing the cyber-insurance:

The premium function $g(X, Y)$ is piecewise in $X$ (equation 6): for $X < L$ it equals $a_1$ times a term in $X/L$ and $Y$; for $L \le X < M$ it equals $a_2$ plus a term in $X$ and $Y$ scaled by $M$; and for $X \ge M$ it equals $a_3$ plus a term in $X$, where $a_i$, $i = 1, 2, 3$, are constants. (The exact scaling terms of equation 6 are only partially legible in the source.) The expected insurance premium can be computed by Monte Carlo simulation. The steps are as follows:

Step 1: Generate a sequence of bivariate data $(X_s, Y_s)$, $s = 1, \ldots, S$, using the fitted copula (i.e., Clayton, Gumbel or any other copula). The procedures for generating data from the Clayton and Gumbel copulas are well summarized in Frees and Valdez (1998) and Nelsen (1999), among others.

Step 2: For a given $(L, M)$ compute the expected value of the cyber-insurance premium and its standard deviation as

$$E[g(X, Y)] = \frac{1}{S} \sum_{s=1}^{S} g(X_s, Y_s), \qquad (7)$$

$$\sigma[g(X, Y)] = \sqrt{\frac{1}{S} \sum_{s=1}^{S} \left(g(X_s, Y_s) - E[g(X, Y)]\right)^2}, \qquad (8)$$

where $S$ is the number of simulation runs.

4. Case Illustration

In this section we illustrate the copula approach to pricing cyber-insurance using data from the ICSA. Consider Firm A, whose data on the number of computers affected ($X$) by each major computer virus in 2003 is given in Table 1. Using the methodological framework discussed in Section 2, we estimate the dollar value of losses ($Y$) as given in Table 1. Note that both the number of computers affected and the dollar value of losses are random. The number of computers affected will depend on the severity of the virus, the company's security posture, and the security policies in place. Similarly, the dollar value of losses is random in the sense that, in the rare case of two distinct viruses affecting the same number of computers, the losses will not be identical, because they depend on each virus's ability to penetrate and harm the computers and on the computer types affected (i.e., the proportions of stand-alone computers, servers, network computers, etc.). We use the ICSA data for 2003 on actual computer virus incidents and the actual number of computers affected, scaled down one hundred times to firm level.

Table 1: Computer Virus Data for Firm A (figures as printed in the source; some digits are lost)

      Virus           X: # of computers    Y: $ losses
  1   W32/Blaster              9            355,648.7
  2   W32/Slammer            849            339,83.66
  3   W32/Sobig               38              5,79.5
  4   W32/Klez                40             65,090.38
  5   W32/Yaha                 8             45,40.5
  6   W32/Swen                08             66,053.73
  7   W32/Dumaru              87             39,8.88
  8   W32/Mimail              70              9,556.8
  9   W32/Nachi               63              0,087.3
 10   W32/Fizzer              58              0,465.35
 11   W32/BugBear             50              0,80.3
 12   W32/Lirva               47               ,769.9
 13   W32/Sober                                6,944.48
 14   W32/SirCam                               5,339.08
 15   W32/Ganda                9               7,547.77
      Mean / standard deviation (as printed): $75,55   363   $4,70

In order to price the cyber-insurance premium for Firm A from the number of computers affected and the dollar value of losses for each virus incident, we have to simulate bivariate data $(X, Y)$ with nonlinear dependence using the best-fitting copula. For the simulation we need to identify the marginal distributions of the number of computers affected ($X$) and the dollar value of losses ($Y$) in Table 1. We use the ARENA software to identify the marginal distributions; both are shifted Weibull distributions, fitted as $X \sim 8 + \mathrm{Weibull}(8, 0.586)$ and $Y \sim 5340 + \mathrm{Weibull}(38900, 0.586)$ (parameters as printed). Several properties pave the way for using copula dependence to simulate the pairs $(X, Y)$. First, since the marginal distributions are non-normal (Weibull), one cannot use linear regression for simulating; second, finding the joint distribution of the two variables is not easy since they are shifted Weibull distributions; and finally, Pearson's product-moment (linear) correlation cannot be used since the margins are non-normal. The approach demonstrated below instead identifies the appropriate copula to determine a joint distribution that can be used with any marginal distributions, and it allows nonlinear dependence to be modelled, which is more appropriate for estimating premiums.
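As an added worked example that is not part of the paper, the following Python carries the simulation and pricing steps of this section end to end: a positive stable draw by the Chambers-Mallows-Stuck steps quoted later in the section, the Marshall-Olkin construction of Gumbel-dependent uniforms, the shifted Weibull margins fitted above, and the Monte Carlo mean and standard deviation of equations (7) and (8). It assumes ARENA's Weibull parameters are (scale, shape); the Gumbel parameter is taken from $\alpha = 1/(1 - \tau)$ with $\tau = 0.848$ as in the text. Because the scaling terms of equation (6) are only partially legible, the premium function premium_layer below is an illustrative stand-in of my own, not the paper's $g(X, Y)$; all function names are my own. Only the standard library is used.

```python
"""Gumbel-dependent (X, Y) pairs with shifted Weibull margins, priced by Monte Carlo.

Added worked example; not code from the paper.  premium_layer is an assumed
stand-in for the paper's eq. (6).
"""
import math
import random


def stable_scale(alpha):
    """Theta = [cos(pi / (2 alpha))]^alpha, the scale that gives the positive stable
    variate gamma ~ St(1/alpha, 1, Theta, 0) the Laplace transform exp(-t^(1/alpha))."""
    return math.cos(math.pi / (2 * alpha)) ** alpha


def positive_stable(alpha, rng):
    """One draw of gamma for the Gumbel copula with parameter alpha > 1, by the
    Chambers-Mallows-Stuck steps 1(a)-1(d) with stable index a = 1/alpha, skewness 1."""
    a = 1.0 / alpha
    v = rng.uniform(-math.pi / 2, math.pi / 2)          # 1(a): uniform on (-pi/2, pi/2)
    eps = rng.expovariate(1.0)                           # 1(b): exponential with mean 1
    theta0 = math.atan(math.tan(math.pi * a / 2)) / a    # 1(c): beta = 1
    z = (math.sin(a * (theta0 + v))
         / (math.cos(a * theta0) * math.cos(v)) ** (1 / a)
         * (math.cos(a * theta0 + (a - 1) * v) / eps) ** ((1 - a) / a))   # 1(d)
    return stable_scale(alpha) * z                       # gamma = Theta z + delta, delta = 0


def weibull_inv(p, shift, scale, shape):
    """Quantile of a shifted Weibull(scale, shape) (parameter order assumed):
    F^-1(p) = shift + scale * (-ln(1 - p))^(1/shape)."""
    p = min(p, 1.0 - 1e-15)                              # keep ln(1 - p) finite
    return shift + scale * (-math.log(1.0 - p)) ** (1.0 / shape)


def gumbel_pair(alpha, rng):
    """Marshall-Olkin steps 1-3: (u1*, u2*) with uniform margins joined by the Gumbel copula."""
    gamma = positive_stable(alpha, rng)
    u1, u2 = 1.0 - rng.random(), 1.0 - rng.random()      # independent uniforms on (0, 1]

    def inv_gen(t):                                      # phi^-1(t) = exp(-t^(1/alpha))
        return math.exp(-t ** (1.0 / alpha))

    return inv_gen(-math.log(u1) / gamma), inv_gen(-math.log(u2) / gamma)


def simulate(alpha, n, x_marg, y_marg, seed=1):
    """n dependent (X, Y) pairs; x_marg and y_marg are (shift, scale, shape) triples."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        u, v = gumbel_pair(alpha, rng)
        pairs.append((weibull_inv(u, *x_marg), weibull_inv(v, *y_marg)))
    return pairs


def kendall_tau(pairs):
    """Empirical Kendall's tau, to check the simulated dependence against 1 - 1/alpha."""
    n, s = len(pairs), 0
    for i in range(n):
        for j in range(i + 1, n):
            d = (pairs[i][0] - pairs[j][0]) * (pairs[i][1] - pairs[j][1])
            s += (d > 0) - (d < 0)
    return s / (n * (n - 1) / 2)


def premium_layer(x, y, L, M):
    """Illustrative g(X, Y) (assumed; not the paper's eq. 6): the loss Y prorated to
    the machines between the lower limit L and the upper limit M."""
    if x <= L:
        return 0.0
    return y * (min(x, M) - L) / x


def monte_carlo_premium(pairs, L, M):
    """Eqs. (7)-(8): mean and standard deviation of g over the simulated pairs."""
    g = [premium_layer(x, y, L, M) for x, y in pairs]
    mean = sum(g) / len(g)
    sd = math.sqrt(sum((v - mean) ** 2 for v in g) / len(g))
    return mean, sd


if __name__ == "__main__":
    alpha = 1 / (1 - 0.848)                              # Gumbel parameter from tau = 0.848
    sample = simulate(alpha, 10_000, (8, 8, 0.586), (5340, 38900, 0.586), seed=2003)
    print("simulated tau", round(kendall_tau(sample[:500]), 3), "target", round(1 - 1 / alpha, 3))
    for M in (50, 100, 150):
        mean, sd = monte_carlo_premium(sample, 5, M)
        print(f"L=5, M={M}: premium mean ${mean:,.0f}, sd ${sd:,.0f}")
```

The tau check is the test a practitioner should run before trusting any premium from a copula simulator: Kendall's tau is invariant under the monotone Weibull quantile maps, so the simulated pairs must reproduce $1 - 1/\alpha$ regardless of the margins. The standard deviation in (8) is the dispersion of the loss function across runs, not the Monte Carlo error of the mean; the latter shrinks with $1/\sqrt{S}$.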

Figure 1: Best fit copula. [Plot of the empirical $K_E(z)$ against the Clayton and Gumbel $K(z)$ curves for $z$ in [0, 1].]

We use Kendall's tau to measure the dependence between the number of computers affected ($X$) and the dollar value of losses ($Y$) for the data in Table 1; computed with the statistical software SPSS, it is 0.848. Next, from the relations in Section 3.1 (1)(d) and (2)(d) we obtain the copula parameters: $\alpha = 2\tau/(1 - \tau)$ for Clayton (printed as .5789 in the source with its leading digits lost; the formula evaluates to about 11.16 for $\tau = 0.848$) and $\alpha = 1/(1 - \tau) = 6.578947$ for Gumbel. To identify the appropriate copula we follow the procedure outlined in Section 3.2. The empirical distribution $K_E(z)$ and the $K(z)$ values for the Clayton and Gumbel copulas from equations (4) and (5) are shown in Figure 1. On a visual fit, Figure 1 shows that the Gumbel copula provides the better fit, although both are relatively close; minimizing the mean squared error would be a more robust way to select the copula. To simulate bivariate outcomes $(X, Y)$ from the Gumbel copula we use the algorithm of Marshall and Olkin (1988). For the Gumbel copula the generator and Laplace transform are given in Section 3.1 (2). The inverse generator equals the Laplace transform of a positive stable variate $\gamma \sim St(1/\alpha, 1, \Theta, 0)$, where $\Theta = \left[\cos\left(\dfrac{\pi}{2\alpha}\right)\right]^{\alpha}$ and $\alpha > 1$. The algorithm is as follows:

Step 1: Simulate a positive stable variate $\gamma \sim St(1/\hat{\alpha}, 1, \Theta, 0)$.

Step 2: Simulate two independent uniform [0,1] random numbers $u_1$ and $u_2$.

Step 3: Set $X = F^{-1}(u_1^{*})$ and $Y = G^{-1}(u_2^{*})$, where $u_i^{*} = \varphi^{-1}\!\left(-\dfrac{\ln u_i}{\gamma}\right)$ and $\varphi^{-1}(t) = \exp\left(-t^{1/\alpha}\right)$ for $i \in \{1, 2\}$.

Nolan (2005) and Cherubini et al. (2004) suggest the following procedure to simulate a positive stable random variable $\gamma \sim St(a, 1, \Theta, \delta)$ with index $a = 1/\hat{\alpha}$:

Step (a): Simulate a uniform random variable $\upsilon \sim U(-\pi/2, \pi/2)$.
Step (b): Independently draw an exponential random variable $\varepsilon$ with mean 1.
Step (c): Compute $\theta_0 = \arctan(\tan(\pi\alpha/2))/\alpha$.
Step (d): Set $\gamma = \Theta z + \delta$, where
$z = \dfrac{\sin(\alpha(\theta_0 + \upsilon))}{[\cos(\alpha\theta_0)\cos\upsilon]^{1/\alpha}} \left[\dfrac{\cos(\alpha\theta_0 + (\alpha - 1)\upsilon)}{\varepsilon}\right]^{(1-\alpha)/\alpha}$.

In order to determine the cyber-insurance premium for a firm, we simulate a large number of bivariate data points (X, Y) by repeating the algorithm S = 0, 000 times. The annual insurance premiums for different levels of L and M, with the parameter values a1 = 400, a2 = 5 and a3 = 300, are given in Table 2.

Table 2: Computed Premiums (L = 5)

            Mean     Standard Deviation
  M = 50    $9       $608
  M = 00    $007     $70
  M = 50    $67      $83

5. Discussion

In this paper, we use a copula-based model for pricing cyber-insurance. The cyber-insurance pricing model explicitly considers the risk posture of the firm, since both valuation parameters, the number of computers affected and the dollar losses, depend on the risk posture of the firm. The framework proposed for assessing the risk posture and estimating the dollar losses considers computer product diversity, lost productivity, lost revenue and clean-up costs, among others. Furthermore, as previously discussed, the model considers nonlinear dependence for correlated risks and allows simulating from a copula model without explicitly having to determine the joint distribution for the two given marginals. Hence, the model is versatile in the sense that any type of marginal distribution can be used. Thus, our paper makes a significant contribution to the literature in cyber-insurance risk modeling and pricing, since we address the problem from an actuarial approach. One of the primary constraints in pricing cyber-insurance, as identified by Gordon and Loeb (2003), is the unavailability of large amounts of historic data on e-crimes and related losses. As Gordon and Loeb (2003) point out, this is further exacerbated by the fact that firms do not reveal details concerning security breaches. That is, since cyber-insurance products are new, it is not known whether the right premiums are being

charged. One of the primary limitations of the proposed model is that it uses historic data to determine the appropriate copula for pricing the premiums. Thus one can argue that it suffers from the same lack-of-data problem as current insurance pricing models. However, the proposed copula-based cyber-insurance model makes a methodological contribution, since it provides a different modeling perspective using the actuarial approach. Finally, the framework makes managers aware that it is important to collect data on e-crimes and security breaches in order to negotiate lower premiums on cyber-insurance products. For future research, we hope to develop in more detail premiums based on product diversity and on more specific security postures. In this paper we consider one aspect of risk (type of loss) to elaborate the methodology, while drawing upon the sparsely available data on virus losses (ICSA Labs). Finally, as future research we hope to integrate other correlated risks, using process approaches together with the actuarial approach, for a comprehensive model.

References

"A Chronology of Data Breaches," 2005, available at: http://www.privacyrights.org/ar/chrondatabreaches.htm.
"2006 Disclosures of U.S. Data Incidents," 2006, available at: www.privacyrights.org/ar/chrondatabreaches.
Anderson, R. "Why information security is hard: An economic perspective," 17th Annual Computer Security Applications Conference (ACSAC), New Orleans, LA, 2001.
Böhme, R. "Cyber-Insurance Revisited," Workshop on the Economics of Information Security (WEIS), Harvard University, 2005.
Böhme, R., and Kataria, G. "Models and Measures for Correlation in Cyber-Insurance," Workshop on the Economics of Information Security (WEIS), Cambridge University, UK, 2006.
Cherubini, U., E. Luciano and W. Vecchiato, 2004, Copula Methods in Finance, John Wiley and Sons, West Sussex.
Clayton, D. G., 1978, "A Model for Association in Bivariate Life Tables and its Application in Epidemiological Studies of Familial Tendency in Chronic Disease Incidence," Biometrika, Vol. 65, pp. 141-151.
Conrad, J.R. "Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations," Workshop on the Economics of Information Security (WEIS), Harvard University, 2005.
Farahmand, F., Navathe, S., Sharp, G., and Enslow, P. "Evaluating Damages Caused by Information Systems Security Incidents," in: The Economics of Information Security, J. Camp and R. Lewis (eds.), Kluwer, 2004, pp. 85-94.
Fisher, N. I., 1997, "Copulas," in Encyclopedia of Statistical Sciences, Update Vol. 1, S. Kotz, C. B. Read, and D. L. Banks, Editors, John Wiley and Sons, New York, pp. 159-163.
Frank, M. J., 1979, "On the Simultaneous Associativity of F(x,y) and x + y - F(x,y)," Aequationes Mathematicae, Vol. 19, pp. 194-226.
Frees, E. W., and E. Valdez, 1998, "Understanding Relationships Using Copulas," North American Actuarial Journal, Vol. 2, no. 1, pp. 1-25.

Genest, C., 1987, "Frank's Family of Bivariate Distributions," Biometrika, Vol. 74, pp. 549-555.
Genest, C., and L. Rivest, 1993, "Statistical Inference Procedures for Bivariate Archimedean Copulas," Journal of the American Statistical Association, Vol. 88, pp. 1034-1043.
Gordon, L.A., Loeb, M.P., Lucyshyn, W., and Richardson, R. "2006 CSI/FBI Computer Crime and Security Survey," Computer Security Institute, available at: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml.
Gordon, L.A., Loeb, M.P., and Sohail, T. "A Framework for Using Insurance for Cyber-Risk Management," Communications of the ACM (46:3), 2003.
Gumbel, E. J., 1960, "Distributions des valeurs extrêmes en plusieurs dimensions," Publ. Inst. Statist. Univ. Paris, Vol. 9, pp. 171-173.
Marshall, A. W., and I. Olkin, 1988, "Families of Multivariate Distributions," Journal of the American Statistical Association, Vol. 83, pp. 834-841.
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., and Sadhukhan, S.K. "e-Risk Management with Insurance: A framework using Copula aided Bayesian Belief Networks," 39th Hawaii International Conference on System Sciences, Hawaii, 2006.
Nelsen, R. B., 1999, An Introduction to Copulas, Springer-Verlag New York, Inc.
Nelsen, R. B., 1995, "Copulas, Characterization, Correlation and Counterexamples," Mathematics Magazine, Vol. 68, no. 3 (June), pp. 193-198.
Nolan, J. P., 2005, Stable Distributions: Models for Heavy Tailed Data, forthcoming.
Ogut, H., Menon, N., and Raghunathan, S. "Cyber Insurance and IT Security Investment: Impact of Interdependent Risk," Workshop on the Economics of Information Security (WEIS), Harvard University, 2005.
Radcliff, D. "Calculating e-Risk," ComputerWorld (35:7), Feb 2001, p. 34.
Schneier, B. "Computer Security: It's the Economics, Stupid," Workshop on Economics of Information Security (WEIS), 2002.
Sklar, A., 1959, "Fonctions de répartition à n dimensions et leurs marges," Publ. Inst. Statist. Univ. Paris, Vol. 8, pp. 229-231.
Stoneburner, G., Goguen, A., and Feringa, A. "Risk Management Guide for Information Technology Systems," National Institute of Standards and Technology (NIST), 2002.