Models and Measures for
Correlation in Cyber-Insurance
Rainer Böhme
Technische Universität Dresden
rainer.boehme@tu-dresden.de
Gaurav Kataria
Carnegie Mellon University
gauravk@andrew.cmu.edu
DIMACS Workshop on Information Security Economics, Jan 19 2007.
Cyber-Insurance in a Nutshell

Risk sharing


Security metric


to develop and deploy sound security technology
Market for cyber-insurance immature



premiums differentiate good and bad risks
Incentive function


avoid extreme losses at manageable expenses
losses from cyber incidents in the range of $ 200 bn
global cyber-insurance market < $ 2 bn -Majuca et al., 2006
(Danger of) High correlation of cyber-risks

due to homogeneous technology
-Geer et al., 2003
2
Decision to Offer Insurance

Cost of offering insurance:
C = E(L) + A + i · c
Where,

E(L) is the expected loss amount, L being a random variable

A is the sum of all administrative costs, assumed negligible


c is the safety capital required to settle all claims if the realization of L turns
out to the є-worst case (є is the probability of ruin for the insurer)
i is the interest rate to be paid for the safety capital c. The rate should
reflect the risk associated with the business in general and the choice of є in
particular
Shape of the loss distribution function is crucial
3
Decision to Seek Insurance
Disutility
0
n
Number of nodes simultaneously compromised
4
Decision to Seek Insurance
Given the degree of risk aversion σ and a measure of initial
wealth I0, we can compute the maximum premium γ
5
Degree of event correlation
Classes of Cyber-Risks
Insider attack
Hardware failure
Configuration vulnerability (user settings)
Targeted hacker attack
Standard software exploit requiring user interaction
Remote standard software exploit
Configuration vulnerability (default settings)
Viruses and worms
Systemic errors (Y2K, break of assumed secure cryptography)
6
Cyber-Insurance Scenario
Global Risk Correlation
Decisions are
made at firm-level
Insurer’s view
k : firms in portfolio
n : risks per firm
7
Cyber-Insurance Scenario
Internal Risk Correlation
Decisions are
made at firm-level
Insuree’s view
n : risks within firm
8
Two-Step Risk Arrival
9
Modeling Two-Step Risk Arrival
Monte-Carlo Simulation
 Computed minimum profitable premium for given correlation structure
10
Equilibrium Conditions
Results of 20,000 simulation trials
per parameter setting
high
low
Insider Attack
Hardware Failure
low
Worms, Viruses
Spyware, Phishing
high
11
How strong is cyber-risk
correlation in reality?

Standard Response
 lack of actuarial data on loss amounts

Our Approach
 if correlation of losses is caused by attack
correlation, then we can try to estimate correlation
from sensor data measuring attack activity
12
Data Source

Honeypots


decoy for hackers and automated attacks
useful monitoring tool for malicious activity
-http://www.honeynet.org

Leurre.com honeynet project (Eurecom, France)


35 sensors emulating 3 TCP/IP stacks each
deployed in 25 countries over five continents
-Pouget et al., 2004, Pouget/Dancier/Pham, 2005

Observations




Location
Port Sequence
Time (days)
Hits
13
Global Attack Activity
14
Correlation Measure
Do attacks coincide at different sensor locations?
Fit stochastic models for global attack pattern
N1 N2…
N1
N2
Nn
1 0 . .
0 1
.
1
.
1
.
.
Binomial Distribution
0
Probability

1
1
Nn
0 .
.
1
N1 N2…
N1
N2
1 ρ21 .
ρ21 1
.
1
.
.
n
Nn
.
BBN, Latent Factor
ρ1n
.
Probability

1
1
1
Nn
ρn1 . .
1
n
15
Alternative Models of Risk Arrival
16
Estimation Results
17
Conclusion
Take home message
 though our current risk models are suboptimal and not fully empirically validated, it
might be a good idea to design future cyber-insurance models with two-step risk arrival
18
Q&A
We gratefully acknowledge support from the owners of Leurre.com at Eurecom, France, for sharing their
fabulous honeynet database with us.
The second author was supported by grant no. CNS-0433540 from the National Science Foundation.
19