Ruperto de nola libro de guisos, manjares y potajes, facsimil 1529
Cyberinsurance As A Market-Based Solution To the Problem of Cybersecurity Jay Kesan Ruperto Majuca *...
-
Upload
joan-smith -
Category
Documents
-
view
214 -
download
0
Transcript of Cyberinsurance As A Market-Based Solution To the Problem of Cybersecurity Jay Kesan Ruperto Majuca *...
Cyberinsurance As A Market-Based Solution To the Problem of Cybersecurity
Jay Kesan Ruperto Majuca* William Yurcik* College of Law Department of Economics NCSA
University of Illinois at Urbana-Champaign
{kesan,majuca,yurcik}@uiuc.edu
Workshop on the Economics of Information Security ‘05 Harvard University
Outline
Emergence of Cyberinsurance Current Cyberinsurance Practices Economic Theory
Ideal World Real World
Summary
Outline
Emergence of Cyberinsurance Current Cyberinsurance Practices Economic Theory
Ideal World Real World
Summary
The Problem
Pervasive software vulnerabilities & increased availability of hacking tools have resulted in a consistently increasing myriad of attacks: host-based attacks (theft of credit card numbers, invasion
of privacy, etc.) insider attacks that damage information assets network DoS availability attacks
Surveys consistently show ~75% of businesses suffer financial losses due to security breaches
InformationWeek estimates annual losses (in the USA) due to security breaches at billions of dollars
Why Is This Happening?
Why Is This Happening?
Security Market Failure
Why Is This Happening?
1. Imperfect information Consumers do not know security of software
2. Externalities Security is interdependent and damage is not
fully borne by “guilty” parties
3. Security as a Public Good Risks are shared but incentive to free-ride
Security Market Failure
Correcting Market Failure
1. Imperfect Information Perfect information may not be possible
2. Externalities Assign cyber-property rights through laws
enforcement is slow with high transaction costs
3. Security as Public Good International regulation for broad protections
funding, long timeframe, divergent interests
Risk Management Market Solutions
1. Avoid the Risk Disconnect from the Internet
2. Mitigate the Risk Security processes to reduce magnitude of expected loss
3. Retain the Risk Self-insurance or gambling
4. Transfer the Risk via Contract Guarantees/warranties, service agreements, outsourcing
5. Transfer the Risk via an Insurance Product Insurance premiums internalized as cost-of-doing-business
Risk Management Market Solutions
1. Avoid the Risk Disconnect from the Internet
2. Mitigate the Risk Security processes to reduce magnitude of expected loss
3. Retain the Risk Self-insurance or gambling
4. Transfer the Risk via Contract Guarantees/warranties, service agreements, outsourcing
5. Transfer the Risk via an Insurance Product Insurance premiums internalized as cost-of-doing-business
Inadequacy of Traditional Insurance
Traditional insurance policies designed to cover traditional perils cyber-risks are new time dynamics; attacks & software flaws exposed daily
Cyber-properties are without physical form attacks do not leave physical damage insurers dispute what constitutes “physical” damage to
“tangible” property, draft more exclusions, and offer new insurance products to stack case against inclusion
Most cyber-torts are international most 3rd party insurance coverage are not international
Outline
Emergence of Cyberinsurance Current Cyberinsurance Practices Economic Theory
Ideal World Real World
Summary
Insurance Coverage
Net AdvantageSecurity
e-Comprehensive Webnet Protection
FIRST PARTY FIRST PARTY
Destruction, disruption or theft of information assets
Y Y Y
Internet Business Interruption Y Y Y
Cyberextortion Y Y Y
Fraudulent electronic transfers N Y N
Denial of service attack Y Y
Rehabilitation expenses Y Y
THIRD PARTY LIABILITY
Internet Content Y Y Y
Internet Security Y Y Y
Defense Costs Y Y Y
EXCLUSIONS
Inability to use or lack of performance of software programs
Y Y Y
Ordinary wear and tear of insured’s information assets
Y Y Y
Electric and telecommunication failures
Y Y Y
Insurance Coverage
Net AdvantageSecurity
e-Comprehensive Webnet Protection
FIRST PARTY FIRST PARTY
Destruction, disruption or theft Destruction, disruption or theft of information assetsof information assets
YY YY YY
Internet Business InterruptionInternet Business Interruption YY YY YY
CyberextortionCyberextortion YY YY YY
Fraudulent electronic transfers Fraudulent electronic transfers NN YY NN
Denial of service attackDenial of service attack YY YY
Rehabilitation expenses Rehabilitation expenses YY YY
THIRD PARTY LIABILITY
Internet Content Y Y Y
Internet Security Y Y Y
Defense Costs Y Y Y
EXCLUSIONS
Inability to use or lack of performance of software programs
Y Y Y
Ordinary wear and tear of insured’s information assets
Y Y Y
Electric and telecommunication failures
Y Y Y
Insurance Coverage
Net AdvantageSecurity
e-Comprehensive Webnet Protection
FIRST PARTY FIRST PARTY
Destruction, disruption or theft of information assets
Y Y Y
Internet Business Interruption Y Y Y
Cyberextortion Y Y Y
Fraudulent electronic transfers N Y N
Denial of service attack Y Y
Rehabilitation expenses Y Y
THIRD PARTY LIABILITYTHIRD PARTY LIABILITY
Internet ContentInternet Content Y Y YY YY
Internet SecurityInternet Security YY YY YY
Defense CostsDefense Costs YY YY YY
EXCLUSIONS
Inability to use or lack of performance of software programs
Y Y Y
Ordinary wear and tear of insured’s information assets
Y Y Y
Electric and telecommunication failures
Y Y Y
Insurance Coverage
Net AdvantageSecurity
e-Comprehensive Webnet Protection
FIRST PARTY FIRST PARTY
Destruction, disruption or theft of information assets
Y Y Y
Internet Business Interruption Y Y. Y
Cyberextortion Y Y Y
Fraudulent electronic transfers N Y N
Denial of service attack Y Y
Rehabilitation expenses Y Y
THIRD PARTY LIABILITY
Internet Content Y Y Y
Internet Security Y Y Y
Defense Costs Y Y Y
EXCLUSIONSEXCLUSIONS
Inability to use or lack of Inability to use or lack of performance of software performance of software
YY YY YY
“ “Software Aging” of Software Aging” of insured’s information assetsinsured’s information assets
YY YY YY
Electric and telecommunication Electric and telecommunication failuresfailures
YY YY YY
Outline
Emergence of Cyberinsurance Current Cyberinsurance Practices Economic Theory
Ideal World Real World
Summary
Ideal World (our previous work)
1. Cyberinsurance increases IT Safety because the insured increases self-protection as rational response to the reduction of premium
2. Cyberinsurance facilitates standards of liability
3. Cyberinsurance increases social welfare by solving market failure (Internet risks transfer)
Income in good state
Income in bad stateI0
e
A
B
Certainty line
Measuring Welfare Gains
|Slope| =price of insurance
expenditureon insurance
Amount of insurancecoverage
I*
I*
I1e
45o
Welfare gainsmeasure
E
F
I**
I**
Income in good state
Income in bad state$ 1.94 Bn
$ 3.14 Bn
A
B Certainty line
I**
I**
$ 47.04 million |slope|= .06
45o
Example: 2000 DOS attacks
Calculating the Premiums Following Cochrane (1997), total premiums insured is
willing to pay may be calculated:
Solving for Π:
Calculated welfare gains and premiums for different risk aversion levels and probabilities of cyber-loss results: increasing social welfare and premiums with
probability of attack and risk aversion
.)1(
)1()(
10
1
1
1
0)1(
eem
eem
IpIpIwhere
IpIpI
.)1( 1
11
1
1
0
eem IpIpI
Real World
Adverse Selection insurers cannot distinguish between high and low risk
Moral Hazard firms may slack in their security work after being insured
Others lack of actuarial data, pricey premiums, interrelated risks
Adverse Selection Separate high/low risk using risk assessment
Income in good state
Income in bad stateI0p
A
B
Certainty line
IfL
45o
WelfareLossMeasure E
FL Ap
IfH
P
FH
Adverse Selection
Income in good state
Income in bad stateI0p
A
B
Certainty line
IfL
45o
WelfareLossMeasure E
FL Ap
IfH
P
FH
Adverse Selection
Income in good state
Income in bad stateI0p
A
B
Certainty line
IfL
45o
Welfare LossMeasure E
FL Ap
IfH
P
FH
Adverse Selection
Income in good state
Income in bad stateI0p
A
B
Certainty line
IfL
45o
WelfareLossMeasure E
FL Ap
IfH
P
FH
Adverse Selection
Income in good state
Income in bad stateI0p
A
B
Certainty line
IfL
45o
WelfareLossMeasure E
FL Ap
IfH
P
FH
Adverse Selection
Income in good state
Income in bad stateI0p
A
B
Certainty line
IfL
45o
WelfareWelfareLossLossMeasureMeasure E
FL Ap
IfH
P
FH
Solution to Adverse Selection
Evaluation of applicants’ security through offsite and on-site activities
detailed questionnaire: assesses applicant’s risks exposure, services offered, and network security
baseline risk assessment: physical location’s security, network’s design and activities, physical review of security, incident response, procedures etc.
recommendations for upgrades and fixes
Policy ProvisionsPolicy Provisions Net AdvantageNet AdvantageSecuritySecurity
e-Comprehensivee-Comprehensive Webnet Webnet ProtectionProtection
EXCLUSIONS
Failure to back-up Y Y Y
Failure to take reasonable steps to maintain and upgrade security
Y Y Y
OTHER RELEVANT PROVISIONS
Retentions Y Y Y
Liability Limits Y Y Y
Criminal Reward Fund/ Investigative Expenses Covered
Y Y
Services by Information Risk Group to
mitigate the impact of 1st party loss, covered
Y
Representations Relied Upon Y Y Y
Regular/Annual Surveys of Insured’s Facilities
Y Y Y
Solutions to Moral Hazard
Policy ProvisionsPolicy Provisions Net AdvantageNet AdvantageSecuritySecurity
e-Comprehensivee-Comprehensive Webnet Webnet ProtectionProtection
EXCLUSIONSEXCLUSIONS
Failure to back-upFailure to back-up YY YY YY
Failure to take reasonable steps Failure to take reasonable steps to maintain and upgrade security to maintain and upgrade security
YY YY YY
OTHER RELEVANT PROVISIONS
Retentions Y Y Y
Liability Limits Y Y Y
Criminal Reward Fund/ Investigative Expenses Covered
Y Y
Services by Information Risk Group to mitigate the impact of 1st party loss, covered
Y
Representations Relied Upon Y Y Y
Regular/Annual Surveys of Insured’s Facilities
Y Y Y
Solutions to Moral Hazard
Policy ProvisionsPolicy Provisions Net AdvantageNet AdvantageSecuritySecurity
e-Comprehensivee-Comprehensive Webnet Webnet ProtectionProtection
EXCLUSIONS
Failure to back-up Y Y Y
Failure to take reasonable steps to maintain and upgrade security
Y Y Y
OTHER RELEVANT PROVISIONSOTHER RELEVANT PROVISIONS
RetentionsRetentions YY YY YY
Liability LimitsLiability Limits YY YY YY
Criminal Reward Fund/Criminal Reward Fund/ Investigative Expenses CoveredInvestigative Expenses Covered
YY YY
Services by Information Risk Services by Information Risk Group to mitigate the impact of Group to mitigate the impact of 11stst party loss, covered party loss, covered
YY
Representations Relied Upon Y Y Y
Regular/Annual Surveys of Insured’s Facilities
Y Y Y
Solutions to Moral Hazard
Policy ProvisionsPolicy Provisions Net AdvantageNet AdvantageSecuritySecurity
e-Comprehensivee-Comprehensive Webnet Webnet ProtectionProtection
EXCLUSIONS
Failure to back-up Y Y Y
Failure to take reasonable steps to maintain and upgrade security
Y Y Y
OTHER RELEVANT PROVISIONSOTHER RELEVANT PROVISIONS
Retentions Y Y Y
Liability Limits Y Y Y
Criminal Reward Fund/ Investigative Expenses Covered
Y Y
Services by Information Risk Group to mitigate the impact of 1st party loss, covered
Y
Representations Relied Upon Representations Relied Upon YY YY YY
Regular/Annual Surveys of Regular/Annual Surveys of Insured’s Facilities Insured’s Facilities
YY YY YY
Solutions to Moral Hazard
Policy ProvisionsPolicy Provisions Net AdvantageNet AdvantageSecuritySecurity
e-Comprehensivee-Comprehensive Webnet Webnet ProtectionProtection
EXCLUSIONS
Failure to back-up Y Y Y
Failure to take reasonable steps to maintain and upgrade security
Y Y Y
OTHER RELEVANT PROVISIONSOTHER RELEVANT PROVISIONS
RetentionsRetentions YY YY YY
Liability LimitsLiability Limits YY YY YY
Criminal Reward Fund/ Investigative Expenses Covered
Y Y
Services by Information Risk Group to mitigate the impact of 1st party loss, covered
Y
Representations Relied Upon Y Y Y
Regular/Annual Surveys of Insured’s Facilities
Y Y Y
Solutions to Moral Hazard
Outline
Emergence of Cyberinsurance Current Cyberinsurance Practices Economic Theory
Ideal World Real World
Summary
Summary
In Theory - cyberinsurance can correct Internet risk transfer market failure (economic modeling)
In Practice - cyberinsurers are slowly resolving real-world problems but some issues are still remain (case study results)
Cyberinsurance is still the direction but it will take time, patient perseverance rather than giving up on this market solution.
Questions?
<http://www.ncassr.org/projects/econsec/>
backup slides
Insurance and Interdependent Risks
IT security is interdependent, e.g., an infected machine can cause infection of others
Ortzag and Stiglitz 2002: Two distortions: interdependent risks results in care
below the social optimum & insurance coverage also reduces the precaution level.
But if level of precaution can be observed and insurance premium tied to precaution level, moral hazard disappears & full insurance ensue
Suggestions (regulation, taxes and fees)
Developing Cyberliability Law
Higher standards for certain firms/activities: Financial firms: prevent data in databases from being leaked
out or used for identity theft (GLB Act & security regulations) Health care providers: ensure integrity/security of protected
health information (HIPAA & security regulations) Firms that gather data relating to children to safeguard it Those covered by consent decrees; others Those not covered by specific regulations and
consent decrees have general common law duty to safeguard data under their control.
Cyberinsurance, Self-Insurance and Self-protection
Cyberinsurance
Self-insurance Self-protection
“Complements” if premiums tied to self-protection level. (Cyberinsurance increasesself-protection, i.e.no moral hazard)
“Substitutes”(Availability of one woulddiscourage the other.Self-insurance likely to create a “moral hazard”)
“Substitutes”: (High demand for one lowers the other’s)
Socially-Optimal Precaution Level
Efficiency requires minimizing total costs; occurs if
w = - p’(x*)L
(marginal social cost) (marginal social benefit)
$
Precaution
wx
p(x)L
E(SC)=p(x)L+wx
X*0
expected losses
precaution costs
total social costs
Cyberinsurance Premiumsand Welfare Gains (in Millions)
Risk Aversion1 1.5 2 2.5 3
Premium p= γ = 0.005
0.010.020.030.04
0.05 0.06
$1.55$3.08$6.09$9.03
$11.90$14.69$17.42
$2.54$5.02$9.90
$14.64$19.25$23.72$28.07
$3.67$7.29
$14.34$21.17$27.76$34.14$40.30
$5.03$9.96
$19.54$28.75$37.60$46.10$54.26
$6.62$13.10$25.60$37.54$48.93$59.79$70.15
Welfare Gains
p= γ = 0.005 0.01
0.020.030.04
0.05 0.06
$1.59$3.23$6.69
$10.37$14.28
$18.41 $22.76
$2.57$5.19
$10.58$16.17$21.95
$27.92 $34.08
$3.73$7.49
$15.12$22.89$30.80
$38.85 $47.04
$5.09$10.18$20.41$30.70$41.03
$51.41 $61.84
$6.69$13.35$26.60$39.75$52.81
$65.79 $78.69