Aegis: A Novel Cyber-Insurance Model
Ranjan Pal, Department of Computer Science, University of Southern California
Joint work with Leana Golubchik and Kostas Psounis, University of Southern California
Presentation at IEEE/ACM GameSec 2011, Maryland, USA

Introduction (1/2)
• The traditional Internet was designed under ideal security assumptions
  - only trustworthy users
  - no propagation of malicious elements
• Today the Internet faces many threats
  - denial-of-service attacks
  - worms, viruses, spam, etc.
• Traditional security mechanisms to mitigate risks
  - anti-virus and anti-spam software by Symantec, Kaspersky, etc.
  - firewalls

Introduction (2/2)
• Traditional security mechanisms do not guarantee 100% risk removal
  - new threats evolve rapidly
  - technical solutions are not fool-proof: there may be false positives/negatives [Jung et al. '04]
  - formal solutions find it difficult to account for human intentions [Vojnovic & Ganesh '05]
  - network externalities due to lock-in and first-mover effects [Anderson '01; Katz & Shapiro '85]
• Technical + economic + policy + psychological factors will play a role in ensuring perfect or near-perfect security [Anderson & Moore '08]
• Cyber-insurance is a technique proposed by researchers to eliminate risks completely
  - an agency (an ISP or a regulatory organization) charges premiums in return for risk coverage
  - the amount of coverage and the individual user's responsibility drive premiums

Motivation (1/2)
• Cyber-insurance researchers have only considered risks due to security-related failures
  - have shown the existence of markets in ideal conditions [Lelarge & Bolot '09]
  - have shown the non-existence of markets in non-ideal conditions [Shetty et al. '09]
  - if a market exists, cyber-insurance drives user security investments [L&B '09]
    - eliminates the free-riding problem amongst users
    - increases overall network security
• Risks also arise due to non-security-related failures, e.g., reliability losses [Honeyman & Schwarz '07]
  - security-related and non-security-related failures are indistinguishable to naive users BUT might be distinguishable by experts
  - an insurance company would only want to insure against security lapses

Motivation (2/2)
• Naive users are at a disadvantage w.r.t. buying insurance contracts
  - a user may not be in favor of buying cyber-insurance
  - a user may not be willing to transfer complete liability to the insurer
• Interesting questions to consider
  - could we have a different type of cyber-insurance contract?
  - how will it perform in a market alongside traditional cyber-insurance?
  - how would demand for this type of cyber-insurance scale with premiums?
  - would markets for cyber-insurance exist under the new type of insurance?
  - can we comment on the deployability of insurance in relation to market existence?

Contributions
• We propose a novel model of cyber-insurance: Aegis
  - based on the concept of co-insurance in traditional insurance theory
  - the user is responsible for a strictly positive amount of loss-recovery liability
• Aegis is suited to the combined presence of insurable and non-insurable risks
• Risk-averse users always prefer Aegis to traditional cyber-insurance
• Any type of insurance is purchased only if purchase is made mandatory
• Premium-demand trends in Aegis
  - an increase in premium may not lead to a decrease in demand
  - a decrease in premium may not lead to an increase in demand

Aegis Model (1/4)
• Risks arise due to security-related or non-security-related issues
  - security-related: worms, viruses, spam, etc.
  - non-security-related: hardware faults, operational/programming errors
  - the effects are the same for a security-related or a non-security-related failure (e.g., the case of a buffer overflow)
• Users rest a strictly positive loss-recovery coverage on themselves
  - θ: cyber-insurer liability
  - 1 − θ: user liability
• Value of the loss incurred by an Internet user: L; coverage: L − d, d ≥ 0

Aegis Model (2/4)
• The final wealth W of an Internet user is represented as follows:
  $$W = w_0 + v - L_S - L_{NS} + \theta\,\big(I(L_S) - P\big)$$
  - W: random variable
  - w_0 + v: constant initial wealth; v: constant total value of the loss object
  - L_S: r.v. denoting the loss due to a security attack
  - L_NS: r.v. denoting the loss due to a non-security-related failure
  - P = (1 + λ) E(I(L_S)): premium
  - λ: loading factor, 0 for fair premiums, positive for unfair premiums
  - I(L_S): insurance coverage function, 0 ≤ I(L_S) ≤ L_S

Aegis Model (3/4)
• The expected utility of the final wealth of a user is represented as follows:
  $$E(W) = A + B + C + D$$
  $$A = \iint_{0 < L_S \le v,\; L_{NS} = 0} u\big(w_0 + v - L_S - L_{NS} + \theta(I(L_S) - P)\big)\, g(L_S, L_{NS})\, dL_S\, dL_{NS}$$
  $$B = \iint_{0 < L_{NS} \le v,\; L_S = 0} u\big(w_0 + v - L_S - L_{NS} + \theta(I(L_S) - P)\big)\, g(L_S, L_{NS})\, dL_S\, dL_{NS}$$
  $$C = \iint_{0 < L_S,\; 0 < L_{NS}} u\big(w_0 + v - L_S - L_{NS} + \theta(I(L_S) - P)\big)\, g(L_S, L_{NS})\, dL_S\, dL_{NS}$$
  $$D = \beta \cdot u(w_0 + v - \theta P)$$

Aegis Model (4/4)
• The joint probability density function g(·) is given as follows:
  $$g(L_S, L_{NS}) =
  \begin{cases}
  \alpha \cdot f_S(L_S) & 0 < L_S \le v,\; L_{NS} = 0 \\
  (1 - \alpha - \beta) \cdot f_{NS}(L_{NS}) & 0 < L_{NS} \le v,\; L_S = 0 \\
  0 & 0 < L_S \le v,\; 0 < L_{NS} \le v
  \end{cases}$$
  - α: probability of a loss due to a security attack (a function of topology)
  - β: probability of no attack
  - f_S(L_S): univariate density function of losses due to a security attack
  - f_NS(L_NS): univariate density function of losses due to a non-security failure

Aegis Efficacy (1/3)
• Result 1: risk-averse Internet users always prefer Aegis contracts to traditional cyber-insurance contracts, irrespective of the fairness of insurance premiums
  - the option of both traditional insurance and Aegis must exist
  - non-insurable losses co-exist with insurable losses
• Intuitions
  - a risk-averse Internet user would be conservative in his investments
  - he could pay premiums and still not get covered
  - as a result, he would assume some coverage liability himself
• Advantage: an incentive to invest in self-defense mechanisms

Aegis Efficacy (2/3)
• Result 2: when risks due to non-insurable losses increase in a first-order stochastic dominant (FOSD) sense, the demand for traditional cyber-insurance amongst all risk-averse Internet users decreases
  - non-insurable losses co-exist with insurable losses
• Intuitions
  - greater chance that the user incurs a loss and does not get covered
  - an increase in risks due to non-insurable losses decreases demand for Aegis contracts as well
  - however, Aegis is preferred to traditional insurance for the same amount of risk

Aegis Efficacy (3/3)
• Result 3: when risks due to non-insurable losses increase in a first-order stochastic dominant (FOSD) sense, the expected utility of final wealth for any non-insurable contract falls when compared to the alternative of no insurance
  - non-insurable losses co-exist with insurable losses
• Implication
  - risk-averse Internet users may not buy any form of insurance if purchasing insurance is not made mandatory
  - thus markets for cyber-insurance may not exist even if information asymmetry problems do not arise, i.e., under ideal conditions
• Learning: ISPs or policy agencies like the government should make insurance purchase mandatory

Sensitivity Analysis (1/4)
• We study the increase/decrease in user insurance demand with changes in the premiums, accounting for risk-averseness
• Analysis assumptions
  - the user utility function U is twice continuously differentiable
  - U is thrice piecewise continuously differentiable
  - U' > 0 and U'' < 0
  - the coefficient of risk aversion, A, is bounded from above
• We adopt the standard Arrow-Pratt risk aversion measures, absolute and relative:
  $$A(W) = -\frac{U''(W)}{U'(W)}, \qquad R(W) = -\frac{W\,U''(W)}{U'(W)}$$

Sensitivity Analysis (2/4)
• Given that Internet users are risk-averse in an absolute sense, we need to investigate the sign of the quantity dθ*/dλ', where λ' = (1 + λ) and θ* is the optimal coverage liability on the user.
  $$\frac{d\theta^*}{d\lambda'} \ge 0 \quad\text{if there exists } \rho \in \mathbb{R} \text{ such that}\quad \int_L^w \Big[A\big(W(x)\big)\,\theta^*\big(x - \lambda' E(L)\big) - 1\Big]\, dF(x) \;\ge\; \rho \int_L^w \theta^*\big(x - \lambda' E(L)\big)\, dF(x)$$
  $$\frac{d\theta^*}{d\lambda'} \le 0 \quad\text{if there exists } \rho \in \mathbb{R} \text{ such that}\quad \int_L^w \Big[A\big(W(x)\big)\,\theta^*\big(x - \lambda' E(L)\big) - 1\Big]\, dF(x) \;<\; \rho \int_L^w \theta^*\big(x - \lambda' E(L)\big)\, dF(x)$$

Sensitivity Analysis (3/4)
• Under what conditions would such a ρ exist? When
  (i) $(1 - \theta^*)\,\dfrac{A'}{A} \le \theta^* A$, and
  (ii) $\displaystyle\int_0^w A\big(W(L)\big)\Big[L - \lambda' E(L) - \frac{1}{\theta^* A\big(W(L)\big)}\Big]\, dF(L) > 0$

Sensitivity Analysis (4/4)
• Given that Internet users are risk-averse in a relative sense, we need to investigate the sign of the quantity dθ*/dλ', where λ' = (1 + λ) and θ* is the optimal coverage liability on the user.
  - dθ*/dλ' ≥ 0 if and only if R(W) > 1
  - dθ*/dλ' ≤ 0 if and only if R(W) ≤ 1
• Implication: a user prefers Aegis contracts above a certain degree of relative risk-averseness even if there is an increase in premiums
• Intuition
  - relative risk aversion is measured w.r.t. the wealth of a user: the greater his wealth, the lesser his concern about losing money by paying premiums and not getting covered, and vice versa

Conclusion
• We proposed Aegis, a novel cyber-insurance model that accounts for non-insurable losses in addition to insurable losses
• We showed that Aegis is always preferable to traditional cyber-insurance
• We showed that Aegis incentivizes users to invest more in self-defense and thereby increases overall network security
• We showed that cyber-insurance markets exist ONLY if buying insurance is made mandatory
• Regarding demand for Aegis, we showed that an increase in premiums may not lead to a decrease in user demand, and similarly a decrease in premiums may not lead to an increase in demand

Thank You!
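The final-wealth model of the Aegis Model slides, worked numerically as an added example (not code from the talk or its authors): it compares the traditional full-liability contract (θ = 1), no insurance (θ = 0) and the utility-maximising θ* under fair and loaded premiums, with and without non-insurable losses. Assumed, not from the slides: utility u(W) = log W, full coverage I(L_S) = L_S, discretised loss distributions so that A + B + C + D become sums, and every parameter value.

```python
"""Numerical illustration of the Aegis final-wealth model (example code, not
from the GameSec 2011 talk). Losses are discretised, so the integrals
A + B + C + D of the slides become sums over a constructed joint distribution;
utility is u(W) = log(W) and all parameter values are assumed."""
import math

W0_PLUS_V = 100.0                 # w0 + v: constant initial wealth (assumed)
ALPHA, BETA = 0.3, 0.5            # P(security loss), P(no loss); P(non-security loss) = 0.2
LOSS_S = {20.0: 0.5, 40.0: 0.5}   # f_S: constructed security-loss distribution
LOSS_NS = {20.0: 0.5, 40.0: 0.5}  # f_NS: constructed non-security-loss distribution
THETAS = [i / 100 for i in range(101)]  # candidate insurer-liability fractions theta


def premium(loading, alpha=ALPHA, loss_s=LOSS_S):
    """P = (1 + lambda) * E[I(L_S)] with full coverage I(L_S) = L_S; the
    expectation is over the joint distribution, where L_S = 0 in the other states."""
    return (1.0 + loading) * alpha * sum(l * p for l, p in loss_s.items())


def expected_utility(theta, loading, alpha=ALPHA, beta=BETA, u=math.log):
    """E[u(W)] for W = w0 + v - L_S - L_NS + theta * (I(L_S) - P).
    The three mutually exclusive states mirror terms A (security loss),
    B (non-security loss) and D (no loss) of the slides; C covers the
    zero-density region where both losses occur and contributes nothing."""
    p = premium(loading, alpha)
    a = sum(q * u(W0_PLUS_V - l + theta * (l - p)) for l, q in LOSS_S.items())
    b = sum(q * u(W0_PLUS_V - l - theta * p) for l, q in LOSS_NS.items())
    d = u(W0_PLUS_V - theta * p)
    return alpha * a + (1.0 - alpha - beta) * b + beta * d


def optimal_theta(loading, alpha=ALPHA, beta=BETA):
    """theta* maximising expected utility over the grid; theta = 1 is a
    traditional full-liability contract, theta = 0 is no insurance."""
    return max(THETAS, key=lambda t: expected_utility(t, loading, alpha, beta))


if __name__ == "__main__":
    fair = optimal_theta(0.0)
    print(f"fair premium, non-insurable losses present: theta* = {fair:.2f}")
    print(f"  E[u] at theta*: {expected_utility(fair, 0.0):.5f}   "
          f"at theta = 1: {expected_utility(1.0, 0.0):.5f}")
    print(f"loading 0.5, non-insurable losses present: theta* = {optimal_theta(0.5):.2f}")
    # beta = 0.7 removes the non-security state entirely (alpha + beta = 1)
    print(f"fair premium, no non-insurable losses: theta* = {optimal_theta(0.0, beta=0.7):.2f}")
```

With these constructed numbers the user keeps roughly a third of the liability under a fair premium, buys nothing once the loading reaches 0.5, and chooses full coverage only when the non-insurable state is removed.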