Modelling and Economics of IT Risk Management and Insurance

Stefanos Gritzalis, Costas Lambrinoudakis (Dept. of Information and Communication Systems Engineering) and Thanassis Yannacopoulos (Dept. of Statistics & Actuarial-Financial Mathematics), University of the Aegean, Greece

Mar 28, 2015

Transcript
Page 1: Title slide

University of the Aegean, Greece

Modelling and Economics of IT Risk Management and Insurance

Stefanos Gritzalis, Costas Lambrinoudakis
Dept. of Information and Communication Systems Engineering
University of the Aegean - GREECE
{sgritz, clam}@aegean.gr

Thanassis Yannacopoulos
Dept. of Statistics & Actuarial-Financial Mathematics
University of the Aegean - GREECE
[email protected]

Page 2: Introduction

Information systems security has become a top priority issue for most organisations worldwide.

They have started to invest in Security Enhancing Technologies, but:
– How much should they invest?
– Can they evaluate the effectiveness of the security measures that they invest in?
– Are they aware of the residual risk?
– Are they aware of the consequences that they will face in the event of a security incident?

Page 3: Risk Analysis and Management

[Figure: the risk analysis and management cycle. Asset, Threat, Vulnerability and Impact are measured; the Risk is calculated; Countermeasures are selected.]

Page 4: We need better solutions

An option could be to transfer specific risks to an insurance company, in order to:
– avoid implementing too expensive technical countermeasures, and
– cover the financial losses that the organisation may experience in case of a security incident

Clearly, such an approach will not replace technical security measures, but it will act as a complement to them.

Page 5: Issues that must be addressed

From the Organization Point of View
– How much money should be invested in technical security measures?
– What is the financial loss that the organization will experience as a result of a security incident due to the residual risk?

From the Insurance Company Point of View
– How secure - well protected against potential risks - is the information system?
– What is the financial loss that the organization will experience as a result of every possible security incident?
– What should the structure of the contract be (i.e. premium, compensation)?

Page 6: Modelling the System (1/3)

Use of a probabilistic structure, in the form of a Markov model, that provides detailed information about all possible transitions of the system state in the course of time.

We are dealing with transitions from the fully operational system state to some other non-fully operational state that may result as the effect of a security incident.

Page 7: Modelling the System (2/3)

– Assumption 1: The transitions allowed are from the fully operational state to some other non-fully operational state.
– Assumption 2: Non-operational states are considered absorbing states.

Security Incident      | System State i | Transition rate from state 0 to state i (S(u)=0, S(t)=i) | Impact Value (Loss) Li | Comments
N/A                    | State 0        | N/A                                                      | N/A                    | System fully operational. No security incidents have occurred.
…                      | …              | …                                                        | …                      | …
Loss of Confidentiality | State 10      | μ04(u)                                                   | L10                    | Data (asset Ak) disclosed to Insiders
Loss of Confidentiality | State 11      | μ05(u)                                                   | L11                    | Data (asset Ak) disclosed to Outsiders
Loss of Confidentiality | State 12      | μ06(u)                                                   | L12                    | Data (asset Ak) disclosed to Service Providers
…                      | …              | …                                                        | …                      | …

Page 8: Modelling the System (3/3)

The use of the Markov model allows us to:
– Find the probability of the system being in different states
– thus find the probability of different financial losses (L)

This approach is useful in cases where:
– The transition rates are accurate
– The Loss (impact values) figures are accurate (objective)
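The Markov structure of slides 6 to 8 in code, as an added example that is mine and not the authors' model. State 0 is the fully operational state; every incident state is absorbing and is entered directly from state 0 at rate μ0i (Assumptions 1 and 2). Two things are assumed beyond the slides: the rates are constant in time (the slides write μ0i(u)), and the three incident states with their rates and impact values Li are constructed sample figures loosely following the table on slide 7. Under those assumptions the holding time in state 0 is exponential with rate Σμ0i, which gives the closed form used below.

```python
"""Added example (not from the slides): a small continuous-time Markov model of
the kind the slides describe. State 0 is "fully operational"; every other state
is an absorbing incident state reached directly from state 0 at a constant rate
mu_0i (the slides write mu_0i(u); constant rates are an assumption here). The
state labels, rates and loss figures below are constructed sample values."""
import math

# Constructed sample: absorbing incident states, their transition rate from
# state 0 (incidents per year) and the impact value (loss) L_i in currency units.
INCIDENT_STATES = {
    # state: (rate from state 0, loss L_i, description)
    10: (0.05, 200_000.0, "Data (asset Ak) disclosed to insiders"),
    11: (0.10, 500_000.0, "Data (asset Ak) disclosed to outsiders"),
    12: (0.02, 100_000.0, "Data (asset Ak) disclosed to service providers"),
}


def state_probabilities(states, t):
    """Return P(S(t) = i) for state 0 and each absorbing state i.

    With transitions only 0 -> i and every incident state absorbing, the time
    spent in state 0 is exponential with total rate sum(mu_0i), and the first
    incident is of type i with probability mu_0i / total rate. Hence
    P(S(t)=0) = exp(-total * t) and P(S(t)=i) = mu_0i/total * (1 - exp(-total * t)).
    """
    total_rate = sum(rate for rate, _, _ in states.values())
    p_operational = math.exp(-total_rate * t)
    probs = {0: p_operational}
    for state, (rate, _, _) in states.items():
        probs[state] = (rate / total_rate) * (1.0 - p_operational)
    return probs


def loss_distribution(states, t):
    """Map each possible financial loss L to its probability at time t.

    State 0 contributes loss 0; each absorbing state contributes its L_i.
    """
    probs = state_probabilities(states, t)
    dist = {0.0: probs[0]}
    for state, (_, loss, _) in states.items():
        dist[loss] = dist.get(loss, 0.0) + probs[state]
    return dist


def expected_loss(states, t):
    """E[L] at time t: sum of loss times probability over all states."""
    return sum(loss * p for loss, p in loss_distribution(states, t).items())


if __name__ == "__main__":
    for year in (1, 5):
        probs = state_probabilities(INCIDENT_STATES, year)
        print(f"t = {year} year(s): P(operational) = {probs[0]:.4f}, "
              f"E[L] = {expected_loss(INCIDENT_STATES, year):,.0f}")
        for state, (_, loss, desc) in INCIDENT_STATES.items():
            print(f"  state {state}: P = {probs[state]:.4f}, L = {loss:,.0f}  ({desc})")
```

Because the incident states are absorbing, the expected loss grows with the horizon t and tends to Σ μ0i Li / Σ μ0i, the loss of whichever incident happens first. This is exactly why the authors list non-absorbing states (recovery) among the future directions: in this model a system never returns to state 0.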

Page 9: Using the Model: An Overview

OBJECTIVE 1: Calculating the Optimal Security Investment
– max over I of E[ U(W − L(I) − I) ]
Where I is the maximum amount available for security measures, W is the initial wealth of the company and L is the expected loss, which of course depends on the amount I.

OBJECTIVE 2: Designing the Optimal Insurance Contract
– U(W − π) = E[ U(W − L + C − π) ]
Where W is the initial wealth of the company, π is the premium that the company has to pay to the insurer, L is the expected loss and C is the compensation that the insurer will pay in case of a security incident.

Page 10: OBJECTIVE 1: Calculating the Optimal Security Investment (1/3)

How much should a company invest in security?

Given a security budget, how should this be allocated with respect to the different risks so as to minimize the expected loss of the company?

Page 11: An Illustrative Example (2/3)

Assume two Threats of equal probability to occur and equally harmful.

Assume that we invest zi for security measures that address Threat i, i=1,2.

It can be noticed that the optimal choice is z1=z2.

[Figure: expected loss over the (z1, z2) plane; the optimum lies on the line z1 = z2.]

Page 12: An Illustrative Example (3/3)

Assume two Threats equally harmful.

Assume that the first Threat is more likely to occur.

Assume that we invest zi for security measures that address Threat i, i=1,2.

It can be noticed that the optimal budget allocates more expenditure towards facing the first threat.

[Figure: expected loss over the (z1, z2) plane; the optimum lies at z1 > z2.]
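Objective 1 (slides 10 to 12) worked in code, as an added example of mine rather than the authors' model. The slides give no functional form for how spending reduces loss, so the following is assumed: threat i occurs with annual probability qi and impact Li, spending zi on measures against it cuts the probability to qi·exp(−k·zi) (diminishing returns), and threats materialise independently. Under that model the budget split has a closed form, which reproduces both illustrative slides: equal threats give z1 = z2, and a more likely first threat gets the larger share. The same block then answers "how much should a company invest" by searching I for the maximum of E[U(W − L(I) − I)] with the budget split optimally at each I. The constant k, the wealth W and the threat figures are constructed sample values.

```python
"""Added example (not from the slides): Objective 1 in code. Each threat i is
assumed to have an annual probability of occurring q_i and an impact L_i, and a
spend z_i on measures against it is assumed to cut that probability to
q_i * exp(-k * z_i) (a constructed diminishing-returns model; the slides give no
functional form). Threats are assumed to materialise independently. All numbers
below are constructed sample values."""
import itertools
import math

K = 1 / 200_000.0   # assumed: a spend of 200k cuts a threat's probability by a factor e


def allocate_budget(threats, budget, k=K):
    """Split a fixed budget across threats so as to minimise the expected loss.

    Minimising sum_i q_i L_i exp(-k z_i) subject to sum_i z_i = budget gives
    z_i = budget/n + (ln(q_i L_i) - mean_j ln(q_j L_j)) / k. Threats whose share
    comes out negative get nothing and the budget is re-split among the rest
    (water-filling); dropping them only raises the threshold, so a dropped
    threat never re-enters.
    """
    active = list(range(len(threats)))
    z = [0.0] * len(threats)
    while active:
        logs = {i: math.log(threats[i][0] * threats[i][1]) for i in active}
        mean_log = sum(logs.values()) / len(active)
        share = {i: budget / len(active) + (logs[i] - mean_log) / k for i in active}
        negative = [i for i in active if share[i] < 0]
        if not negative:
            for i in active:
                z[i] = share[i]
            break
        active = [i for i in active if i not in negative]
    return z


def loss_outcomes(threats, z, k=K):
    """Every (total loss, probability) pair given the spend vector z."""
    residual = [(q * math.exp(-k * zi), L) for (q, L), zi in zip(threats, z)]
    outcomes = []
    for hits in itertools.product((0, 1), repeat=len(threats)):
        prob, loss = 1.0, 0.0
        for hit, (q, L) in zip(hits, residual):
            prob *= q if hit else 1.0 - q
            loss += L if hit else 0.0
        outcomes.append((loss, prob))
    return outcomes


def expected_loss(threats, z, k=K):
    """E[L] for spend vector z."""
    return sum(loss * p for loss, p in loss_outcomes(threats, z, k))


def expected_utility(W, threats, I, k=K, utility=math.log):
    """E[U(W - L(I) - I)] with the amount I split optimally across threats.

    Returns None when some outcome would leave non-positive wealth, where the
    default (risk-averse) log utility is undefined; such an I is not acceptable.
    """
    z = allocate_budget(threats, I, k)
    outcomes = loss_outcomes(threats, z, k)
    if any(W - loss - I <= 0 for loss, _ in outcomes):
        return None
    return sum(p * utility(W - loss - I) for loss, p in outcomes)


def optimal_total_investment(W, threats, k=K, utility=math.log, step=1000.0):
    """Grid search for the I maximising E[U(W - L(I) - I)]: how much to invest."""
    best_I, best_eu = None, -math.inf
    I = 0.0
    while I < W:
        eu = expected_utility(W, threats, I, k, utility)
        if eu is not None and eu > best_eu:
            best_I, best_eu = I, eu
        I += step
    return best_I, best_eu


if __name__ == "__main__":
    equal = [(0.3, 1_000_000.0), (0.3, 1_000_000.0)]      # slide 11: equal threats
    skewed = [(0.5, 1_000_000.0), (0.2, 1_000_000.0)]     # slide 12: first more likely
    for label, threats in (("equal threats", equal), ("first threat more likely", skewed)):
        z = allocate_budget(threats, 400_000.0)
        print(f"{label}: z1 = {z[0]:,.0f}, z2 = {z[1]:,.0f}, "
              f"E[L] = {expected_loss(threats, z):,.0f}")
    best_I, _ = optimal_total_investment(5_000_000.0, equal)
    print(f"optimal total investment (log utility, W = 5M): I = {best_I:,.0f}")
```

With a risk-neutral utility the search reduces to minimising E[L](I) + I, and for the two equal threats that minimum sits near I = 400000·ln(1.5) ≈ 162k; with a risk-averse utility the answer shifts, which is the point of carrying U through the objective rather than optimising expected loss alone.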

Page 13: OBJECTIVE 2: Design the Optimal Insurance Contract (1/7)

Following the investment of an amount of money for security measures, the company still needs to deal with the residual risk.

An option could be to divert the risk into an alternative market: An Insurance Company.

The model presented may support us in designing and pricing insurance contracts.
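Pricing a contract from the organisation's side, as an added example of mine and not the authors' model. Slide 9 states the contract condition as U(W − π) = E[U(W − L + C − π)]; the code below works with the insured's reservation premium, the largest π at which the organisation is no worse off in expected utility with the contract than without it, i.e. the π solving E[U(W − L + C(L) − π)] = E[U(W − L)] (taking this as the operational reading of the slide's condition is an assumption). For full coverage, C = L, the insured's wealth is the certain amount W − π and the left-hand side is simply U(W − π). The loss distribution, the constant-absolute-risk-aversion utility, the wealth W and the two contract shapes are all constructed.

```python
"""Added example (not from the slides): pricing Objective 2 from the insured's
side. The organisation has initial wealth W, faces a random loss L, pays a
premium pi and receives compensation C(L). Its reservation premium is the
largest pi at which it is no worse off (in expected utility) with the contract
than without, i.e. the pi solving E[U(W - L + C(L) - pi)] = E[U(W - L)].
The loss distribution, the CARA utility and all constants below are assumed."""
import math

# Constructed loss distribution: loss amount -> probability over one year.
LOSS_DIST = {0.0: 0.85, 100_000.0: 0.05, 500_000.0: 0.08, 2_000_000.0: 0.02}
W = 5_000_000.0        # initial wealth (assumed)
RISK_AVERSION = 1e-6   # CARA coefficient a (assumed)


def cara_utility(x, a=RISK_AVERSION):
    """Constant-absolute-risk-aversion utility U(x) = -exp(-a x)."""
    return -math.exp(-a * x)


def coverage_with_deductible(deductible, limit):
    """Contract C(L): the insurer pays the loss above the deductible, capped at limit."""
    return lambda loss: max(0.0, min(loss, limit) - deductible)


def full_coverage(loss):
    """Contract C(L) = L: the insurer pays the whole loss."""
    return loss


def expected_utility(wealth_by_outcome, loss_dist, utility=cara_utility):
    """E[U(wealth)] where wealth_by_outcome maps a loss L to the resulting wealth."""
    return sum(p * utility(wealth_by_outcome(loss)) for loss, p in loss_dist.items())


def expected_coverage(loss_dist, coverage):
    """Actuarially fair premium: E[C(L)]."""
    return sum(p * coverage(loss) for loss, p in loss_dist.items())


def reservation_premium(wealth, loss_dist, coverage, utility=cara_utility, tol=1e-3):
    """Bisection for the premium pi with E[U(W - L + C(L) - pi)] = E[U(W - L)].

    The left-hand side is strictly decreasing in pi. At pi = 0 it is at least
    the uninsured utility (the contract never pays a negative amount); at
    pi = max loss it is at most the uninsured utility for any contract that
    never pays more than the loss. So the root lies in [0, max loss].
    """
    uninsured = expected_utility(lambda loss: wealth - loss, loss_dist, utility)
    lo, hi = 0.0, max(loss_dist)
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        insured = expected_utility(lambda loss: wealth - loss + coverage(loss) - mid,
                                   loss_dist, utility)
        if insured > uninsured:
            lo = mid    # still better off than uninsured: the premium can rise
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    contracts = (("full coverage", full_coverage),
                 ("50k deductible, 1M limit", coverage_with_deductible(50_000.0, 1_000_000.0)))
    for name, cov in contracts:
        fair = expected_coverage(LOSS_DIST, cov)
        top = reservation_premium(W, LOSS_DIST, cov)
        print(f"{name}: fair premium E[C] = {fair:,.0f}, reservation premium = {top:,.0f}, "
              f"room for loading = {top - fair:,.0f}")
```

The gap between the reservation premium and the actuarially fair premium E[C] is the room in which an insurer can load the premium for its own costs and risk while both sides still gain, which is the "better off with the contract than without" condition the case study asks for. Raising the deductible lowers both figures, so the two contract shapes show how the structure of the contract (premium, compensation) moves the price.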

Page 14: A Case Study (2/7)

Suppose a firm A subcontracts specific IT tasks to a firm B.

Unfortunately A cannot be aware of B’s intentions (e.g. B may disclose data in an unauthorized way, for profit).

Can A and B enter into an insurance contract through an insurer I so that all three parties are better off with the contract than without?

Page 15: A Case Study (3/7)

ν: probability that B plays fair
d: probability that the fraud passes undiscovered
p1: given that B plays fair, probability of no security incident at all
p2: given that B plays fair, probability of a security incident due to unforeseen circumstances or due to negligence of A

Page 16: A Case Study (4/7)

Page 17: Premium for A (5/7)

Premium maximum value (1) when: d = 1 and ν = 0 (B acts maliciously and the fraud will not be discovered)

Premium minimum value when: ν = 1 and d = 0 (B is reliable and, in case it commits a fraud, it will be discovered)

Page 18: Premium for B (6/7)

The introduction of the fine (F) lowers considerably the premium for B. The fine plays the role of compensation to the insurer in case of deliberate fraudulent behavior and as such reduces the risk of the insurer.

Page 19: Optimal coverage for A and utility difference (7/7)

Page 20: Future Directions

We are currently thinking of ways to cope with:
– Non-absorbing states
– Approximate transition rates
– Subjective figures for the Loss (an indicative example is Privacy Violation)
– More complex models that, in order to calculate the transition probability of the system to a different state, take into account the full history of transitions
– Use of real data for Model Calibration

Page 21: Thank you for your attention..

http://www.aegean.gr/Info-Sec-Lab/