Abstract
In a networked system, the risk of security compromises depends not only on each node’s security but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes we should expect to lose, on average, for a given network topology, after certain types of incidents. Meanwhile, the pricing of insurance contracts for risks related to information technology (better known as cyber-insurance) requires determining additional information, for example, the maximum number of nodes we should expect to lose within a 99.5% confidence interval. Previous modeling research in network security has not addressed these types of questions, while research on cyber-insurance pricing for networked systems has not taken into account the network’s topology. Our goal is to bridge that gap, by providing a mathematical basis for the assessment of systematic risk in networked systems.
We define a loss-number distribution to be a probability distribution on the total number of compromised nodes within a network following the occurrence of a given incident, and we provide a number of modeling results that aim to be useful for cyber-insurers in this context. We prove NP-hardness for the general case of computing the loss-number distribution for an arbitrary network topology but obtain simplified computable formulas for the special cases of star topologies, ER-random topologies, and uniform topologies. We also provide a simulation algorithm that approximates the loss-number distribution for an arbitrary network topology and that appears to converge efficiently for many common classes of topologies.
Scale-free network topologies have a degree distribution that follows a power law and are commonly found in real-world networks. We provide an example of a scale-free network in which a cyber-insurance pricing mechanism that relies naively on incidence reporting data will fail to accurately predict the true risk level of the entire system. We offer an alternative mechanism that yields an accurate forecast by taking the network topology into account, thus highlighting both the absence of topological data from security incident reporting and its importance. Our results constitute important steps toward the understanding of systematic risk and help foster the emergence of a viable cyber-insurance market.
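The abstract mentions both a simulation algorithm for the loss-number distribution and the 99.5% tail figure an insurer needs; the following is an added example (not the paper's own code or model) that computes that distribution for a tiny topology exactly and by Monte Carlo, then reads off a quantile. It assumes a simple propagation model that the page does not specify: every node is directly compromised with probability p, and each edge independently transmits the compromise with probability q.

```python
import itertools
import math
import random
from collections import Counter, defaultdict

def loss_number(n, edges, attacked, live):
    """Count nodes reachable from directly attacked nodes over live edges."""
    adj = defaultdict(list)
    for (u, v), on in zip(edges, live):
        if on:  # assumed model: this edge transmits the compromise
            adj[u].append(v)
            adj[v].append(u)
    seen = {i for i in range(n) if attacked[i]}
    stack = list(seen)
    while stack:
        for v in adj[stack.pop()]:
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return len(seen)

def exact_loss_distribution(n, edges, p, q):
    """Exact distribution by enumerating all 2^(n+m) outcomes: fine for tiny
    graphs, infeasible in general (the paper proves the problem NP-hard)."""
    dist = defaultdict(float)
    for attacked in itertools.product((0, 1), repeat=n):
        pa = math.prod(p if hit else 1 - p for hit in attacked)
        for live in itertools.product((0, 1), repeat=len(edges)):
            pe = math.prod(q if on else 1 - q for on in live)
            dist[loss_number(n, edges, attacked, live)] += pa * pe
    return {k: v for k, v in dist.items() if v > 0}

def simulated_loss_distribution(n, edges, p, q, trials, seed=0):
    """Monte Carlo approximation for topologies too large to enumerate."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        attacked = [rng.random() < p for _ in range(n)]
        live = [rng.random() < q for _ in edges]
        counts[loss_number(n, edges, attacked, live)] += 1
    return {k: c / trials for k, c in counts.items()}

def quantile(dist, level):
    """Smallest loss number whose cumulative probability reaches `level`."""
    cum = 0.0
    for k in sorted(dist):
        cum += dist[k]
        if cum >= level - 1e-12:
            return k
    return max(dist)
```

Calling `quantile(exact_loss_distribution(3, [(0, 1), (0, 2)], 0.5, 0.0), 0.995)` on a three-node star gives the worst-case loss at the 99.5% level; raising q shows how the tail, not just the mean, depends on topology.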
On the Assessment of Systematic Risk in Networked Systems