Aegis
A Novel Cyber-Insurance Model
Ranjan Pal
Department of Computer Science
University of Southern California
Joint Work with
Leana Golubchik and Kostas Psounis
University of Southern California
Presentation at IEEE/ACM GameSec 2011, Maryland, USA
Introduction(1/2)
• The traditional Internet was designed under ideal security assumptions
• only trustworthy users
• no propagation of malicious elements
• Today the Internet faces many threats
• denial of service attacks
• worms, viruses, spam, etc.
• Traditional security mechanisms to mitigate risks
• antivirus and anti-spam software by Symantec, Kaspersky, etc.
• firewalls
Introduction(2/2)
• Traditional security mechanisms do not guarantee 100% risk removal
• new threats evolve rapidly
• technical solutions are not fool-proof - there may be false positives/negatives [Jung et al. '04]
• formal solutions find it difficult to account for human intentions [Vojnovic & Ganesh, '05]
• network externalities due to lock-in and first-mover effects [Anderson, '01, Katz & Shapiro, '85]
• Technical + economic + policy + psychological factors will all play a role in ensuring perfect or near-perfect security [Anderson & Moore, '08]
• Cyber-insurance is a technique proposed by researchers to transfer the residual risk that technical mechanisms leave behind
• An agency (ISP or a regulatory organization) charges premiums in return for risk coverage
• Amount of coverage and individual user responsibility drive premiums
Motivation (1/2)
• Cyber-insurance researchers have so far only considered risks due to security-related failures
• have shown the existence of markets under ideal conditions [Lelarge & Bolot, '09]
• have shown the non-existence of markets under non-ideal conditions [Shetty et al., '09]
• if a market exists, cyber-insurance drives user security investments [L&B, '09]
• eliminates the free-riding problem amongst users
• increases overall network security
• Risks also arise due to non-security related failures, e.g., reliability losses [Honeyman and Schwarz, '07]
• security and non-security related failures are indistinguishable to naive users BUT might be distinguishable by experts
• an insurance company would only want to insure against security lapses
Motivation(2/2)
• Naive users are at a disadvantage w.r.t. buying insurance contracts
• a user may not be in favor of buying cyber-insurance
• may not be willing to transfer complete liability to the insurer
• Interesting questions to consider
• could we have a different type of cyber-insurance contract?
• how will it perform in a market alongside traditional cyber-insurance?
• how would demand for this type of cyber-insurance scale with premiums?
• would markets for cyber-insurance exist under the new type of insurance?
• can we comment on the deployability of insurance in relation to market existence?
Contributions
• We propose a novel model of cyber-insurance - Aegis
• based on the concept of co-insurance in traditional insurance theory
• the user retains a strictly positive share of the loss-recovery liability
• Aegis suited to the combined presence of insurable and non-insurable risks
• Risk-averse users always prefer Aegis to traditional cyber-insurance
• Any type of insurance is purchased only if purchase is made mandatory
• Premium-demand trends in Aegis
• increase in premium may not lead to decrease in demand
• decrease in premium may not lead to increase in demand
Aegis Model(1/4)
• Risks arise due to security or non-security related issues
• security related - worms, viruses, spams, etc.,
• non-security related - hardware faults, operational/programming errors
• the effect of a failure can be the same whether its cause is security related or not (e.g., a buffer overflow may be triggered by an attacker or by an ordinary programming error)
• Users retain a strictly positive share of the loss-recovery liability themselves
• θ - cyber-insurer liability
• 1 − θ - user liability
• L - value of loss incurred by an Internet user; coverage - L − d, d ≥ 0 (d a deductible)
Aegis Model(2/4)
• Final wealth (W) of an Internet user is represented as follows
$$W = w_0 + v - L_S - L_{NS} + \theta\,\big(I(L_S) - P\big)$$
• W - random variable
• w_0 + v - constant initial wealth, v - constant total value of the loss object
• L_S - r.v. denoting loss due to a security attack
• L_NS - r.v. denoting loss due to a non-security related failure
• P = (1 + λ) E(I(L_S)) - premium
• λ - loading factor - 0 for fair premiums, positive for unfair premiums
• I(L_S) - insurance coverage function, 0 ≤ I(L_S) ≤ L_S
Aegis Model(3/4)
• Expected utility of final wealth of a user is represented as follows
$$E[u(W)] = A + B + C + D$$
$$A = \iint_{0 < L_S \le v,\; L_{NS} = 0} u\big(w_0 + v - L_S - L_{NS} + \theta(I(L_S) - P)\big)\, g(L_S, L_{NS})\, dL_S\, dL_{NS}$$
$$B = \iint_{0 < L_{NS} \le v,\; L_S = 0} u\big(w_0 + v - L_S - L_{NS} + \theta(I(L_S) - P)\big)\, g(L_S, L_{NS})\, dL_S\, dL_{NS}$$
$$C = \iint_{0 < L_S,\; 0 < L_{NS}} u\big(w_0 + v - L_S - L_{NS} + \theta(I(L_S) - P)\big)\, g(L_S, L_{NS})\, dL_S\, dL_{NS}$$
$$D = \beta \cdot u(w_0 + v - \theta P)$$
Aegis Model(4/4)
• Joint probability density function g() is given as follows
$$g(L_S, L_{NS}) = \begin{cases} \alpha \cdot f_S(L_S) & 0 < L_S \le v,\; L_{NS} = 0 \\ (1 - \alpha - \beta) \cdot f_{NS}(L_{NS}) & 0 < L_{NS} \le v,\; L_S = 0 \\ 0 & 0 < L_S \le v,\; 0 < L_{NS} \le v \end{cases}$$
• α - probability of loss due to a security attack (function of topology)
• β - probability of no attack and no failure, so 1 − α − β is the probability of a non-security loss
• the third case gives C = 0: a security loss and a non-security loss are treated as mutually exclusive in any one period
• f_S(L_S) - univariate density function of losses due to a security attack
• f_NS(L_NS) - univariate density function of losses due to a non-security failure
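Added example, not part of the original slides: a small Python evaluation of the model above. It discretises the loss densities, computes E[u(W)] from the three states of g (security loss only, non-security loss only, no loss) and grid-searches the insurer liability θ that a risk-averse user would choose. Assumptions beyond the slides: full-coverage indemnity I(L_S) = L_S (d = 0), a CRRA utility with coefficient gamma, uniform loss sizes on (0, v], and constructed parameter values (w_0 = 60, v = 40, α = 0.3). With non-insurable losses present (1 − α − β > 0) the search returns an interior θ*, i.e. an Aegis contract; with them absent it returns θ* = 1, traditional full coverage.

```python
import math


def crra_utility(w, gamma=2.0):
    """Constant-relative-risk-aversion utility u(w): u'(w) > 0 and u''(w) < 0 for gamma > 0.
    (Assumed utility family; the slides only require a concave, increasing u.)"""
    if w <= 0:
        raise ValueError("wealth must be positive for CRRA utility")
    if gamma == 1.0:
        return math.log(w)
    return w ** (1.0 - gamma) / (1.0 - gamma)


def uniform_loss_density(v, n=10):
    """Discretised uniform loss density on (0, v]: n equally likely loss sizes (constructed input)."""
    return [((i + 1) * v / n, 1.0 / n) for i in range(n)]


def expected_utility(theta, w0, v, alpha, beta, f_s, f_ns, lam=0.0, gamma=2.0):
    """E[u(W)] for W = w0 + v - L_S - L_NS + theta * (I(L_S) - P), with I(L_S) = L_S and
    P = (1 + lam) * E[I(L_S)].  The joint density g puts mass alpha on 'security loss only',
    1 - alpha - beta on 'non-security loss only', beta on 'no loss', and zero on both at once,
    so E[u(W)] is the weighted sum of the three conditional expectations (C = 0)."""
    if not (alpha >= 0.0 and beta >= 0.0 and alpha + beta <= 1.0 + 1e-12):
        raise ValueError("alpha and beta must be probabilities with alpha + beta <= 1")
    expected_indemnity = alpha * sum(L * p for L, p in f_s)  # E[I(L_S)]; L_S = 0 outside the attack state
    P = (1.0 + lam) * expected_indemnity
    eu_security = sum(crra_utility(w0 + v - L + theta * (L - P), gamma) * p for L, p in f_s)
    eu_non_security = sum(crra_utility(w0 + v - L - theta * P, gamma) * p for L, p in f_ns)
    eu_no_loss = crra_utility(w0 + v - theta * P, gamma)
    return alpha * eu_security + (1.0 - alpha - beta) * eu_non_security + beta * eu_no_loss


def optimal_theta(w0, v, alpha, beta, f_s, f_ns, lam=0.0, gamma=2.0, steps=100):
    """Grid-search the insurer liability theta in [0, 1] that maximises E[u(W)].
    theta = 1 is a traditional full-liability contract; 0 < theta < 1 is an Aegis contract."""
    grid = [i / steps for i in range(steps + 1)]
    return max(grid, key=lambda th: expected_utility(th, w0, v, alpha, beta, f_s, f_ns, lam, gamma))


def compare_contracts(alpha, beta, w0=60.0, v=40.0, lam=0.0, gamma=2.0):
    """Optimal theta plus E[u(W)] under the optimal contract, traditional insurance and no insurance."""
    f_s = uniform_loss_density(v)
    f_ns = uniform_loss_density(v)
    theta_star = optimal_theta(w0, v, alpha, beta, f_s, f_ns, lam, gamma)
    return {
        "theta_star": theta_star,
        "eu_optimal": expected_utility(theta_star, w0, v, alpha, beta, f_s, f_ns, lam, gamma),
        "eu_traditional": expected_utility(1.0, w0, v, alpha, beta, f_s, f_ns, lam, gamma),
        "eu_no_insurance": expected_utility(0.0, w0, v, alpha, beta, f_s, f_ns, lam, gamma),
    }


if __name__ == "__main__":
    # Constructed parameters: 30% chance of a security loss, 30% of a non-security loss, 40% of no loss.
    mixed = compare_contracts(alpha=0.3, beta=0.4)
    # Same attack probability, but non-security failures switched off (1 - alpha - beta = 0).
    security_only = compare_contracts(alpha=0.3, beta=0.7)
    print("with non-insurable losses:    theta* = %.2f" % mixed["theta_star"], mixed)
    print("without non-insurable losses: theta* = %.2f" % security_only["theta_star"], security_only)
```

The first scenario lands on an interior θ* because, at θ = 1, the user still pays the full premium in the non-security state and the no-loss state while the insurer pays nothing there; retaining part of the liability lowers that premium outlay. The second scenario reproduces the classic result that a risk-averse user buys full coverage at a fair premium when every loss is insurable.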
Aegis Efficacy (1/3)
• Result 1 - Risk-averse Internet users always prefer Aegis contracts to traditional
cyber-insurance contracts irrespective of the fairness of insurance premiums
• assumes both traditional insurance and Aegis contracts are on offer
• non-insurable losses co-exist with insurable losses
• Intuitions
• a risk-averse Internet user would be conservative in his investments
• he could pay premiums and still suffer a loss that is not covered (a non-security failure)
• as a result, he would assume some coverage liability himself
• Advantage - incentive to invest in self-defense mechanisms
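Added derivation, not on the original slides, of the first-order condition behind Result 1, using the model of the preceding slides with full-coverage indemnity I(L_S) = L_S and a fair premium (λ = 0). Differentiating the three non-zero terms of E[u(W)] with respect to θ gives

$$\frac{d}{d\theta} E[u(W)] = \alpha \int_0^v u'\big(W\big)\,(L_S - P)\, f_S(L_S)\, dL_S \;-\; (1-\alpha-\beta)\, P \int_0^v u'\big(W\big)\, f_{NS}(L_{NS})\, dL_{NS} \;-\; \beta\, P\, u'(w_0 + v - \theta P).$$

At θ = 1 the wealth in the attack state is w_0 + v − P whatever L_S is, and fairness gives P = E[I(L_S)] = α ∫_0^v L_S f_S(L_S) dL_S, so the first and third terms collapse to u'(w_0 + v − P) · P · (1 − α − β) and

$$\left.\frac{d}{d\theta} E[u(W)]\right|_{\theta = 1} = (1-\alpha-\beta)\, P \left[ u'(w_0 + v - P) - \int_0^v u'(w_0 + v - L_{NS} - P)\, f_{NS}(L_{NS})\, dL_{NS} \right] < 0 ,$$

because u'' < 0 and L_NS > 0 make every u'(w_0 + v − L_NS − P) exceed u'(w_0 + v − P). Since W is linear in θ and u is concave, E[u(W)] is concave in θ, so the optimum satisfies θ* < 1 whenever 1 − α − β > 0: a risk-averse user strictly prefers to retain liability 1 − θ* > 0, which is the Aegis contract. When 1 − α − β = 0 the derivative vanishes at θ = 1 and traditional full coverage is optimal.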
Aegis Efficacy (2/3)
• Result 2 - when risks due to non-insurable losses increase in a first-order stochastic dominant sense (FOSD), the demand for traditional cyber-insurance amongst all risk-averse Internet users decreases
• non-insurable losses co-exist with insurable losses
• Intuitions
• greater chance that a user incurs a loss and is not covered
• an increase in risks due to non-insurable losses decreases demand for Aegis contracts as well
• however, Aegis is preferred to traditional insurance for the same amount of risk
Aegis Efficacy (3/3)
• Result 3 - when risks due to non-insurable losses increase in a first-order stochastic dominant sense (FOSD), the expected utility of final wealth under any insurance contract falls relative to the alternative of buying no insurance
• non-insurable losses co-exist with insurable losses
• Implication
• risk-averse Internet users may not buy any form of insurance if purchasing insurance is not made mandatory
• Thus markets for cyber-insurance may not exist even if information asymmetry problems do not arise, i.e., under otherwise ideal conditions
• Learning - ISPs or policy agencies like the government should make insurance purchase mandatory
Sensitivity Analysis (1/4)
• We study the increase/decrease in user insurance demand with changes in the premiums, accounting for risk-averseness
• Analysis Assumptions
• User utility function U is twice continuously differentiable
• U is thrice piecewise continuously differentiable
• U' > 0 and U'' < 0
• Coefficient of risk aversion, A, bounded from above
• We adopt the standard Arrow-Pratt risk aversion measures - absolute and relative
$$A(W) = -\frac{U''(W)}{U'(W)}, \qquad R(W) = -\frac{W\,U''(W)}{U'(W)}$$
Sensitivity Analysis (2/4)
• Given that Internet users are risk-averse in an absolute sense, we need to investigate the sign of the quantity dθ*/dλ', where λ' = (1 + λ) and θ* is the optimal θ chosen by the user (the insurer's liability in the model; 1 − θ* stays with the user)
• dθ*/dλ' ≥ 0 if there exists ρ ∈ ℝ such that
$$\int_{L}^{w} \Big[ A\big(W(x)\big)\,\theta^{*}\,\big(x - \lambda' E(L)\big) - 1 \Big]\, dF(x) \;\ge\; \rho \int_{L}^{w} \theta^{*}\,\big(x - \lambda' E(L)\big)\, dF(x)$$
• dθ*/dλ' ≤ 0 if there exists ρ ∈ ℝ such that
$$\int_{L}^{w} \Big[ A\big(W(x)\big)\,\theta^{*}\,\big(x - \lambda' E(L)\big) - 1 \Big]\, dF(x) \;<\; \rho \int_{L}^{w} \theta^{*}\,\big(x - \lambda' E(L)\big)\, dF(x)$$
Sensitivity Analysis (3/4)
• Under what conditions would such a ρ exist?
• when
$$\text{(i)}\qquad \frac{(1 - \theta^{*})\,A'}{A} \;\le\; \theta^{*} A$$
and
$$\text{(ii)}\qquad \int_{0}^{w} A\big(W(L)\big) \left[ L - \lambda' E(L) - \frac{1}{\theta^{*} A\big(W(L)\big)} \right] dF(L) \;>\; 0$$
Sensitivity Analysis (4/4)
• Given that Internet users are risk-averse in a relative sense, we need to investigate the sign of the quantity dθ*/dλ', where λ' = (1 + λ) and θ* is the optimal θ chosen by the user (the insurer's liability in the model; 1 − θ* stays with the user)
• dθ*/dλ' ≥ 0 if and only if R(W) > 1
• dθ*/dλ' ≤ 0 if and only if R(W) ≤ 1
• Implications - a user prefers Aegis contracts above a certain degree of relative risk-averseness even if there is an increase in premiums
• Intuitions
• relative risk aversion is measured w.r.t. the wealth of a user: the more his wealth, the less he is concerned about losing money by paying premiums and not getting insured, and vice-versa
Conclusion
• We proposed Aegis, a novel cyber-insurance model that accounts for non-insurable losses in addition to insurable losses
• We showed that Aegis is always preferable to traditional cyber-insurance for risk-averse users
• We showed that Aegis incentivizes users to invest more in self-defense and thereby increases overall network security
• We showed that cyber-insurance markets exist ONLY if buying insurance is made mandatory
• Regarding demand for Aegis, we showed that an increase in premiums may not lead to a decrease in user demand, and similarly a decrease in premiums may not lead to an increase in user demand
Thank You !!!