
On the Assessment of Systematic Risk in Networked Systems

Published: 7 August 2018

Abstract

In a networked system, the risk of security compromises depends not only on each node's security but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes we should expect to lose, on average, for a given network topology, after certain types of incidents. Meanwhile, the pricing of insurance contracts for risks related to information technology (better known as cyber-insurance) requires additional information, for example, the maximum number of nodes we should expect to lose at a 99.5% confidence level, that is, a high quantile of the loss distribution rather than its mean. Previous modeling research in network security has not addressed these types of questions, while research on cyber-insurance pricing for networked systems has not taken the network's topology into account. Our goal is to bridge that gap by providing a mathematical basis for the assessment of systematic risk in networked systems.

We define a loss-number distribution to be a probability distribution on the total number of compromised nodes within a network following the occurrence of a given incident, and we provide a number of modeling results that aim to be useful for cyber-insurers in this context. We prove NP-hardness for the general case of computing the loss-number distribution for an arbitrary network topology but obtain simplified computable formulas for the special cases of star topologies, ER-random topologies, and uniform topologies. We also provide a simulation algorithm that approximates the loss-number distribution for an arbitrary network topology and that appears to converge efficiently for many common classes of topologies.

Scale-free network topologies have a degree distribution that follows a power law and are commonly found in real-world networks. We provide an example of a scale-free network in which a cyber-insurance pricing mechanism that relies naively on incidence reporting data will fail to accurately predict the true risk level of the entire system. We offer an alternative mechanism that yields an accurate forecast by taking the network topology into account, thus highlighting both the importance of topological data in security incident reporting and its current absence. Our results constitute important steps toward the understanding of systematic risk and contribute to the emergence of a viable cyber-insurance market.
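
The following is an added, runnable illustration of the loss-number distribution described above; it is example code written for this page, not code from the paper or its authors. The incident model it uses (every node directly compromised with probability q, every edge transmitting the compromise with probability p, independently) is an assumption of the example and may differ from the paper's model, as are the parameter values and the graph generators. It estimates the distribution for an arbitrary topology by simulation, derives the exact distribution for a star under that assumed model as a cross-check, and reads off both the mean and the 99.5% quantile that the abstract contrasts.

```python
"""Loss-number distribution of a networked system: Monte Carlo estimate for an
arbitrary topology plus an exact closed form for the star, as a cross-check.

Assumed incident model (an assumption of this example, not the paper's model):
after an incident every node is compromised directly with probability q,
independently; every edge then transmits with probability p, independently; a
node is compromised if it is reachable from a directly compromised node over
transmitting edges (bond percolation with random seeds)."""
import math
import random
from collections import Counter

def star(n_leaves):
    """Adjacency list of a star: node 0 is the hub, nodes 1..n_leaves are leaves."""
    adj = {0: list(range(1, n_leaves + 1))}
    for leaf in adj[0]:
        adj[leaf] = [0]
    return adj

def er_random(n, edge_prob, rng=None):
    """Adjacency list of an Erdős-Rényi G(n, edge_prob) graph."""
    rng = rng if rng is not None else random.Random(0)
    adj = {v: [] for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < edge_prob:
                adj[u].append(v)
                adj[v].append(u)
    return adj

def simulate_loss(adj, q, p, rng):
    """One incident on the graph; returns the number of compromised nodes."""
    seeds = [v for v in adj if rng.random() < q]
    transmits = {}  # decide each undirected edge once, so percolation is symmetric
    for u in adj:
        for v in adj[u]:
            key = (min(u, v), max(u, v))
            if key not in transmits:
                transmits[key] = rng.random() < p
    compromised, frontier = set(seeds), list(seeds)
    while frontier:  # flood fill from the seeds over transmitting edges
        u = frontier.pop()
        for v in adj[u]:
            if v not in compromised and transmits[(min(u, v), max(u, v))]:
                compromised.add(v)
                frontier.append(v)
    return len(compromised)

def loss_distribution(adj, q, p, trials, seed=0):
    """Empirical PMF {k: P(loss == k)} from `trials` simulated incidents."""
    rng = random.Random(seed)
    counts = Counter(simulate_loss(adj, q, p, rng) for _ in range(trials))
    return {k: c / trials for k, c in sorted(counts.items())}

def expected_loss(pmf):
    return sum(k * pr for k, pr in pmf.items())

def loss_quantile(pmf, level):
    """Smallest k whose cumulative probability reaches `level` (e.g. 0.995):
    the 'how many down, with 99.5% confidence' figure an insurer prices on."""
    cum = 0.0
    for k in sorted(pmf):
        cum += pmf[k]
        if cum >= level - 1e-12:
            return k
    return max(pmf)

def binom_pmf(n, k, pr):
    return math.comb(n, k) * pr ** k * (1 - pr) ** (n - k)

def star_loss_pmf(n_leaves, q, p):
    """Exact loss-number PMF of the star under the assumed model."""
    n, pmf = n_leaves, Counter()
    # Case A (prob q): hub directly hit; each leaf then falls with prob q + p - qp.
    s = 1 - (1 - q) * (1 - p)
    for j in range(n + 1):
        pmf[1 + j] += q * binom_pmf(n, j, s)
    # Case B (prob 1-q): hub not directly hit. k leaves are both directly hit and
    # transmitting (prob qp each); the hub falls iff k >= 1.
    r = q * p
    for k in range(n + 1):
        pk = (1 - q) * binom_pmf(n, k, r)
        if k == 0:  # hub survives: only directly hit (non-transmitting) leaves are lost
            t = q * (1 - p) / (1 - r)
            for j in range(n + 1):
                pmf[j] += pk * binom_pmf(n, j, t)
        else:       # hub falls: each other leaf is lost if directly hit or transmitting
            t = (q * (1 - p) + (1 - q) * p) / (1 - r)
            for j in range(n - k + 1):
                pmf[1 + k + j] += pk * binom_pmf(n - k, j, t)
    return dict(sorted(pmf.items()))

if __name__ == "__main__":
    q, p, n = 0.05, 0.4, 20  # illustrative parameters, not values from the paper
    for name, adj in (("star", star(n - 1)), ("ER", er_random(n, 0.1, random.Random(1)))):
        pmf = loss_distribution(adj, q, p, 20000, seed=2)
        print(f"{name:4s} mean={expected_loss(pmf):.2f} "
              f"99.5% quantile={loss_quantile(pmf, 0.995)}")
    print("star exact mean:", round(expected_loss(star_loss_pmf(n - 1, q, p)), 2))
```

Two things worth noticing when running it: a star and an ER graph with the same node count and a comparable edge count can have nearly the same mean loss while their 99.5% quantiles differ, because the hub concentrates correlated failure into a single heavy tail; and the empirical quantile from simulation converges more slowly than the mean, so the number of trials has to be chosen with the tail, not the average, in mind.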



      • Published in

        ACM Transactions on Internet Technology, Volume 18, Issue 4
        Special Issue on Computational Ethics and Accountability, Special Issue on Economics of Security and Privacy and Regular Papers
        November 2018, 348 pages
        ISSN: 1533-5399
        EISSN: 1557-6051
        DOI: 10.1145/3210373
        Editor: Munindar P. Singh

      Copyright © 2018 ACM

      Publisher: Association for Computing Machinery, New York, NY, United States

      Publication History

      • Received: 1 November 2016
      • Revised: 1 October 2017
      • Accepted: 1 November 2017
      • Published: 7 August 2018


      Qualifiers

      • research-article
      • Research
      • Refereed
