Modelling and Economics of IT Risk Management and Insurance - PowerPoint PPT Presentation

Slides: 22
Provided by: dimacsR
Transcript and Presenter's Notes


1
Modelling and Economics of IT Risk Management
and Insurance
  • Stefanos Gritzalis
  • Costas Lambrinoudakis
  • Dept. of Information and Communication Systems
    Engineering
  • University of the Aegean - GREECE
  • {sgritz, clam}@aegean.gr
  • Thanassis Yannacopoulos
  • Dept. of Statistics Actuarial-Financial
    Mathematics
  • University of the Aegean - GREECE
  • ayannaco@aegean.gr

2
Introduction
  • Information systems security has become a top
    priority issue for most organisations worldwide.
  • They have started to invest in Security Enhancing
    Technologies, but:
  • How much should they invest?
  • Can they evaluate the effectiveness of the
    security measures that they invest in?
  • Are they aware of the residual risk?
  • Are they aware of the consequences that they will
    face in the event of a security incident?

3
Risk Analysis and Management
[Diagram: Measure (Asset, Threat, Vulnerability, Impact) → Calculate Risk → Select Countermeasures]
4
We need better solutions
  • An option could be to transfer specific risks to
    an insurance company, in order to:
  • avoid implementing overly expensive technical
    countermeasures, and
  • cover the financial losses that the organisation
    may experience in case of a security incident.
  • Clearly, such an approach will not replace
    technical security measures, but it will act as
    a complement to them.

5
Issues that must be addressed
  • From the Organization's Point of View:
  • How much money should be invested in technical
    security measures?
  • What is the financial loss that the organization
    will experience as a result of a security
    incident due to the residual risk?
  • From the Insurance Company's Point of View:
  • How secure (i.e. how well protected against
    potential risks) is the information system?
  • What is the financial loss that the organization
    will experience as a result of every possible
    security incident?
  • What should the structure of the contract be
    (i.e. premium, compensation)?

6
Modelling the System (1/3)
  • Use of a probabilistic structure, in the form of
    a Markov model, that provides detailed
    information about all possible transitions of the
    system state in the course of time.
  • We are dealing with transitions from the fully
    operational system state to some other non-fully
    operational state that may result as the effect
    of a security incident.

7
Modelling the System (2/3)
  • Assumption 1: The transitions allowed are from
    the fully operational state to some other
    non-fully operational state.
  • Assumption 2: Non-operational states are
    considered absorbing states.

8
Modelling the System (3/3)
  • The use of the Markov model allows us to:
  • find the probability of the system being in
    different states, and
  • thus find the probability of different financial
    losses (L).
  • This approach is useful in cases where:
  • the transition rates are accurate, and
  • the Loss (impact value) figures are accurate
    (objective).

9
Using the Model: An Overview
  • OBJECTIVE 1: Calculating the Optimal Security
    Investment
  • $\max_{I} \; \mathbb{E}\big[U(W - L(I) - I)\big]$
  • Where I is the maximum amount available for
    security measures,
  • W is the initial wealth of the company, and
  • L is the expected loss, which of course depends on
    the amount I.
  • OBJECTIVE 2: Designing the Optimal Insurance
    Contract
  • $U(W - p) \ge U(W - L + C - p)$
  • Where W is the initial wealth of the company,
  • p is the premium that the company has to pay to
    the insurer,
  • L is the expected loss, and
  • C is the compensation that the insurer will pay
    in case of a security incident.

10
OBJECTIVE 1: Calculating the Optimal Security
Investment (1/3)
  • How much should a company invest in security?
  • Given a security budget, how should this be
    allocated with respect to the different risks so
    as to minimize the expected loss of the company?

11
An Illustrative Example (2/3)
  • Assume two Threats, equally likely to occur
    and equally harmful.
  • Assume that we invest z_i in security measures
    that address Threat i, i = 1, 2.
  • It can be noticed that the optimal choice is
    z1 = z2.

[Figure: optimal allocation plotted over the axes z1 and z2]
12
An Illustrative Example (3/3)
  • Assume two Threats, equally harmful.
  • Assume that the first Threat is more likely to
    occur.
  • Assume that we invest z_i in security measures
    that address Threat i, i = 1, 2.
  • It can be noticed that the optimal budget
    allocates more expenditure towards facing the
    first threat.

[Figure: optimal allocation plotted over the axes z1 and z2]
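As an added illustration of slides 6 to 9 and 11 to 12 (not the authors' code; the wealth, rates, losses, the log utility and the exponential link between spending and transition rates are all constructed assumptions), this Python script builds the absorbing Markov model of Assumptions 1 and 2, derives the loss distribution from it, and uses it both for Objective 1 and for the two-threat budget split:

```python
import math

WEALTH = 100.0   # W: initial wealth of the company (constructed value)
HORIZON = 1.0    # time horizon t over which an incident may occur

def state_probabilities(rates, t=HORIZON):
    """Assumptions 1 and 2: transitions only from operational state 0 into
    absorbing incident states, so P(operational at t) = exp(-lam*t) and
    P(state i) = rates[i]/lam * (1 - exp(-lam*t)), lam = sum(rates)."""
    lam = sum(rates)
    if lam == 0.0:
        return [1.0] + [0.0] * len(rates)
    absorbed = 1.0 - math.exp(-lam * t)
    return [1.0 - absorbed] + [r / lam * absorbed for r in rates]

def effective_rates(base_rates, investment, efficacy=0.3):
    """Assumed link between spending z_i on threat i and its rate:
    exponential decay, i.e. diminishing returns per unit invested."""
    return [r * math.exp(-efficacy * z) for r, z in zip(base_rates, investment)]

def expected_utility(base_rates, losses, investment):
    """E[U(W - L - I)] with U = log; L is 0 if still operational, else losses[i]."""
    probs = state_probabilities(effective_rates(base_rates, investment))
    total = sum(investment)
    return sum(p * math.log(WEALTH - loss - total)
               for p, loss in zip(probs, [0.0] + list(losses)))

def _argmax(candidates, score):
    """Candidate with the highest score (first one wins ties)."""
    best, best_score = None, None
    for c in candidates:
        s = score(c)
        if best is None or s > best_score:
            best, best_score = c, s
    return best

def _grid(limit, step):
    """0, step, 2*step, ... up to limit inclusive."""
    return [i * step for i in range(int(round(limit / step)) + 1)]

def optimal_allocation(base_rates, losses, budget, step=1.0):
    """Slides 11-12: split a fixed budget between the two threats."""
    return _argmax([(z1, budget - z1) for z1 in _grid(budget, step)],
                   lambda alloc: expected_utility(base_rates, losses, alloc))

def optimal_investment(base_rates, losses, max_amount, step=1.0):
    """Objective 1: total I (up to max_amount) and its split maximising
    E[U(W - L(I) - I)]."""
    return _argmax([optimal_allocation(base_rates, losses, t, step)
                    for t in _grid(max_amount, step)],
                   lambda alloc: expected_utility(base_rates, losses, alloc))
```

With equal rates and losses the split comes out as z1 = z2; doubling the rate of the first threat moves the optimum towards z1, reproducing the qualitative result of slides 11 and 12.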
13
OBJECTIVE 2: Designing the Optimal Insurance
Contract (1/7)
  • Following the investment of an amount of money
    in security measures, the company still needs to
    deal with the residual risk.
  • An option could be to divert the risk into an
    alternative market: an Insurance Company.
  • The model presented may support us in designing
    and pricing insurance contracts.

14
A Case Study (2/7)
  • Suppose a firm A subcontracts specific IT tasks
    to a firm B.
  • Unfortunately A cannot be aware of B's intentions
    (e.g. B may disclose data in an unauthorized way,
    for profit).
  • Can A and B enter into an insurance contract
    through an insurer I so that all three parties
    are better off with the contract than without?

15

A Case Study (3/7)
  • ?: Probability that B plays fair
  • d: Probability that the fraud passes undiscovered
  • p1: Given that B plays fair, probability of no
    security incident at all
  • p2: Given that B plays fair, probability of a
    security incident due to unforeseen circumstances
    or due to negligence of A

16
A Case Study (4/7)
17
Premium for A (5/7)
  • The premium takes its maximum value (1) when
  • d = 1 and ? = 0 (B acts maliciously and the fraud
    will not be discovered).
  • The premium takes its minimum value when
  • ? = 1 and d = 0 (B is reliable and, in case it
    commits a fraud, it will be discovered).

18
Premium for B (6/7)
  • The introduction of the fine (F) considerably
    lowers the premium for B.
  • The fine plays the role of compensation to the
    insurer in case of deliberate fraudulent behavior
    and as such reduces the risk of the insurer.

19
Optimal coverage for A and utility difference
(7/7)
20
Future Directions
  • We are currently thinking of ways to cope with:
  • Non-absorbing states
  • Approximate transition rates
  • Subjective figures for the Loss (an indicative
    example is Privacy Violation)
  • More complex models that, in order to calculate
    the transition probability of the system to a
    different state, take into account the full
    history of transitions
  • Use of real data for Model Calibration

21
Thank you for your attention. http://www.aegean.gr/Info-Sec-Lab/