A formal model for pricing information systems insurance contracts

https://doi.org/10.1016/j.csi.2005.01.010

Abstract

Information systems security has become a top-priority issue for most organisations worldwide, mainly because of the rapidly increasing number of threats and the highly sophisticated methods used to carry out attacks. The typical reaction of IT officials is to protect their systems through a series of technical security measures. However, in the absence of a scientifically sound methodology for evaluating the cost-effectiveness of the security measures employed, they are unable to quantify the security level of their system and thus to determine the appropriate amount to invest in its protection. Another option organisations can explore is to insure their information systems against potential security incidents, aiming to offset the consequences they will experience, in terms of financial losses, through the compensation they will receive from the insurance company. Even in that case, though, the difficulty for the insurance company is the calculation of the appropriate premium. In this paper we present a probabilistic structure, in the form of a Markov model, that provides detailed information about all possible transitions of the system state in the course of time. Specifically, we are interested in transitions from the fully operational system state to other, non-fully operational states that may result from a security incident. This probabilistic structure enables both the estimation of the insurance premium and the valuation of the security investment.

Introduction

Over the last decade the evolution of Information and Communication Technologies (ICT) has opened up new opportunities for implementing novel applications and providing high-quality services over global networks. Active participation in this "information society era" is nowadays an absolute prerequisite for organisations and public bodies wishing to remain competitive in the global electronic marketplace. Together with the advantages, however, some serious concerns have been raised. The operation of most organisations worldwide, and the protection of their investments, has progressively come to depend largely on the effectiveness and robustness of their information systems. Information systems security has therefore become an issue of paramount importance, attracting the attention of the scientific community as well as that of commercial companies.

One of the top priorities for almost any organisation today is to protect its information system against potential risks. These risks can seriously disturb the operation of the system, causing a security incident in the form of unavailability of an end-user service or loss of data confidentiality and/or integrity. Following a security incident, the impact on the organisation, in terms of the consequences caused, may vary from very small to very large, and is most of the time expressed in terms of financial losses. According to CERT, the number of security incidents has been increasing exponentially: 2,573 incidents were reported in 1996, against 137,529 in 2003 [2]. Furthermore, Cavusoglu et al. [3] have calculated that, on average, compromised organisations lost approximately 2.1% of their market value within 2 days of the incident.

Consequently, in an attempt to minimise the probability of a security incident occurring, organisations have started investing in security-enhancing technologies. Moitra and Konda [10] have demonstrated that as organisations start investing in information systems security their protection increases rapidly, whereas it increases at a much slower rate once the investment reaches a much higher level; the returns diminish. This raises a series of questions:

  • How far should organisations go into investing for the security of their information systems?

  • Are they aware of the residual risk for their information systems and the consequences that they will face in the event of a security incident?

  • How can they evaluate the effectiveness of the security measures that they invest in?

Recently there has been considerable interest from the economics community in addressing the above issues. For instance, Anderson in Ref. [1] applies economic analysis and employs the language of microeconomics (network externalities, asymmetric information, moral hazard, adverse selection, liability dumping, etc.) to explain a number of phenomena that security researchers had previously found to be pervasive but perplexing. In Ref. [6] Gordon and Loeb present an economic model for determining the optimal amount to invest in protecting a given set of information. Finally, in Ref. [12] Varian constructs a model based on economic agents' decisions about how much effort to spend, in order to study system reliability.

Another approach that organisations could consider for enhancing the security of their information systems is to transfer specific technological risks to a financial (insurance) market, covering the financial losses that they may experience in case of a security incident. It should be emphasised that such an approach cannot and will not "replace" the technical security measures; it complements them. Similar ideas have been expressed, at a conceptual level, by Gordon et al. in Ref. [7]. The formal probabilistic model proposed in this paper aims to support the transition of those ideas from a conceptual to a practical level, assisting insurance companies to calculate the appropriate premium in a consistent and accurate way. Consider an example. In order to calculate a premium that covers a car against theft or fire, an insurance company must, at the very least, have an accurate estimate of the car's current value. If the client provides additional information, for instance that a car alarm is installed, the insurance company evaluates it, and it may result in a reduced premium. By analogy, in order to calculate the premium for an information system an insurance company will seek the following information:

  • What is the financial loss that the organisation will experience as a result of every possible security incident?

  • How secure, that is, how well protected against potential risks, is the information system?

However, neither of the above questions can be answered in a straightforward and accurate way, mainly for the following reasons:

  • a) New threats appear every day. How can anyone quantify the consequences of a potential security incident without even knowing what the major threats facing the information system are?

  • b) The effectiveness of a security measure cannot be stated in quantitative terms. It can only be evaluated during real attacks against the system, after the measure has been installed and integrated into the system's operation. Even then the evaluation cannot be accurate, because there is no way to know whether a specific security measure has actually prevented a security incident. The situation is analogous to a home alarm system: if there is no record of a theft attempt, we do not know whether the alarm prevented it or whether no attempt was made regardless of the alarm.

  • c) Finally, the environment of the information system has a significant impact both on the number and severity of potential threats and on the effectiveness of the security measures. For instance, the security requirements identified for an Internet-based system differ from those for a wireless network. Likewise, an authentication mechanism may be extremely effective for the Internet-based system but not in the wireless environment.

In summary, there are two complementary approaches that an organisation can follow for protecting its information system. The first and most common one is to invest in a series of technical, organisational and procedural measures that will ensure an adequate level of security. Section 2 presents a scientifically sound methodology for selecting these security measures, namely the risk analysis and management methodology, which combines cost-efficiency and effectiveness. The description of the methodology answers the questions posed at the beginning of this section.

Bearing in mind that complete security is not feasible, and that irrespective of the amount invested in security measures there will always be a residual risk that leaves room for potential security incidents, organisations can also consider insuring their systems. Section 3 introduces a Markov model that can be used to describe the system, while Section 4 demonstrates how this model can be used to estimate the appropriate insurance premium, providing a satisfactory solution to the problems posed earlier in this section. Furthermore, as explained in Section 5, the same Markov model can be used to support organisations in performing a cost-benefit analysis and deciding how much to invest in technical measures for enhancing the protection of their system. Finally, Section 6 provides some concluding remarks.

Section snippets

Risk analysis and management methodology

Risk analysis and management is a methodology for establishing a secure information system. It tackles the security problems and assists analysts in selecting the measures that will ensure, in a cost-effective way, a level of security commensurate with the level of risk (adequate security). Furthermore, through a risk analysis study, security analysts can accurately derive the residual risk for the information system; this is expressed in terms of threats and system

A Markov model describing the system

Let us assume that the information system may end up in one of N different states after possible security incidents that affect a single asset Ak, where k=1,..,M. We will denote these states by i, where i=1,..,N. By i=0 we will denote the state in which no successful attack has been made on the information system and it is thus fully operational. We assume that at time t=0 the information system is in the fully operational state i=0 and that, as time passes, it will end up in different states of

Insurance of the system

The question we wish to answer in this section using this simple model is how the insurance company can calculate the fair amount of money it will charge for this insurance service, that is how one may calculate the net or mathematical premium. There is not a unique way to do this, however we will present here a simple, actuarially fair way of determining the cost of this service.

Valuation of the maximum investment on security measures

In this section we address the problem of finding the maximum amount that an organisation should invest in security measures in order to achieve an adequate level of security for the information system. We will use the Markov model proposed in Section 3 to provide a fair estimate of this cost. The problem has an intertemporal structure (time dependence). However, for ease of presentation we first present the methodology for resolving this problem in the time-independent case before
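The three snippets above (the Markov model of Section 3, the net premium of Section 4 and the investment valuation of Section 5) give only the setup, and the paper's own formulas are not reproduced on this page. The following is an added worked example, not code from the paper: it builds a small continuous-time Markov chain in the paper's state numbering (state 0 fully operational, states 1..N non-fully operational), computes the state probabilities over time by uniformisation, and prices an actuarially fair net premium as the expected (discounted) loss over the contract period. The particular structure assumed here, one transition intensity lam[i] from state 0 to each state i, a restoration intensity mu[i] back to state 0 and a lump-sum loss loss[i] per incident, as well as the investment ceiling (the premium saving a measure buys), are assumptions of this example and not the paper's formulas.

```python
"""Added example (not from the paper): pricing an actuarially fair net premium
for an information system modelled as a continuous-time Markov chain.

Assumed structure (an assumption of this example, not the paper's formulas):
  - state 0 is the fully operational state; states 1..N are the non-fully
    operational states the system enters when an incident damages an asset;
  - lam[i]  : transition intensity 0 -> i (incidents of type i per year);
  - mu[i]   : restoration intensity i -> 0 (repairs per year);
  - loss[i] : lump-sum financial loss suffered on entering state i;
  - index 0 of lam, mu and loss is an unused placeholder so that the
    indices match the paper's state numbering i = 1..N.
"""
import math


def generator(lam, mu):
    """Generator matrix Q of the chain (every row sums to zero)."""
    n = len(lam)                      # states 0..N, so n = N + 1
    q = [[0.0] * n for _ in range(n)]
    for i in range(1, n):
        q[0][i] = lam[i]              # incident: fully operational -> state i
        q[i][0] = mu[i]               # restoration: state i -> fully operational
    for i in range(n):
        q[i][i] = -sum(q[i][j] for j in range(n) if j != i)
    return q


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def transition_matrix(q, h, eps=1e-12, max_terms=10_000):
    """P(h) = exp(Q h) by uniformisation:
    exp(Q h) = sum_k Poisson(k; L h) * P^k, with P = I + Q / L and L >= max|q_ii|."""
    n = len(q)
    big = max(-q[i][i] for i in range(n)) or 1.0
    p = [[(1.0 if i == j else 0.0) + q[i][j] / big for j in range(n)] for i in range(n)]
    result = [[0.0] * n for _ in range(n)]
    power = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]  # P^0
    weight, cumulative, k = math.exp(-big * h), 0.0, 0       # Poisson(0; L h)
    while cumulative < 1.0 - eps and k < max_terms:
        for i in range(n):
            for j in range(n):
                result[i][j] += weight * power[i][j]
        cumulative += weight
        k += 1
        weight *= big * h / k                                 # Poisson(k; L h)
        power = matmul(power, p)
    return result


def state_probabilities(q, horizon, steps):
    """p(t) on the grid t = 0, h, ..., horizon, starting in state 0 at t = 0."""
    n, h = len(q), horizon / steps
    step = transition_matrix(q, h)    # one exact step; p(t + h) = p(t) P(h)
    p = [1.0] + [0.0] * (n - 1)
    path = [p]
    for _ in range(steps):
        p = [sum(p[i] * step[i][j] for i in range(n)) for j in range(n)]
        path.append(p)
    return path


def net_premium(lam, mu, loss, horizon=1.0, delta=0.0, steps=200):
    """Actuarially fair net premium for a contract over [0, horizon]: the
    expected present value of incident losses,
        sum_i loss[i] * integral_0^horizon e^{-delta t} p_0(t) lam[i] dt,
    evaluated with Simpson's rule (delta is a continuous discount rate)."""
    if steps % 2:
        steps += 1                    # Simpson's rule needs an even number of intervals
    path = state_probabilities(generator(lam, mu), horizon, steps)
    h = horizon / steps
    rate = sum(loss[i] * lam[i] for i in range(1, len(lam)))  # expected loss per unit time while in state 0
    f = [math.exp(-delta * k * h) * path[k][0] * rate for k in range(steps + 1)]
    return (f[0] + f[-1] + 4 * sum(f[1:-1:2]) + 2 * sum(f[2:-1:2])) * h / 3


def max_investment(lam, mu, loss, reduction, horizon=1.0, delta=0.0):
    """Ceiling on what a measure that cuts every incident intensity by the
    fraction `reduction` is worth: the premium saving it buys (a simplification
    assumed for this example, not the paper's Section 5 valuation)."""
    before = net_premium(lam, mu, loss, horizon, delta)
    reduced = [0.0] + [x * (1.0 - reduction) for x in lam[1:]]
    return before - net_premium(reduced, mu, loss, horizon, delta)


if __name__ == "__main__":
    # Constructed figures: two incident types, no restoration within the year,
    # losses of 10 000 and 50 000 per incident, a one-year contract, no discounting.
    lam, mu, loss = [0.0, 0.5, 0.2], [0.0, 0.0, 0.0], [0.0, 10_000.0, 50_000.0]
    print("net premium:", round(net_premium(lam, mu, loss), 2))
    print("ceiling for a measure halving incident rates:",
          round(max_investment(lam, mu, loss, 0.5), 2))
```

With no restoration (mu all zero) the chain is absorbing and p_0(t) = e^{-(lam_1 + ... + lam_N) t}, so the premium has the closed form (sum_i loss_i lam_i)(1 - e^{-L t})/L with L = sum_i lam_i; the numerical routine reproduces it, and the point of the general code is that adding restoration intensities or a discount rate needs no new derivation. The investment ceiling is the difference between the premium before and after the measure, the quantity a risk analysis would compare against the measure's cost.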

Conclusions

In this paper we have proposed a Markov model, based on the transition intensity approach, that describes the transitions of an information system from the fully operational state to non-fully operational states as a result of a security incident that damages an asset of the information system. This model has been used to estimate the premium of an insurance contract against the expected losses resulting from potential security incidents. Using the same model we have proposed

References (12)

  • J. Eloff et al., A comparative framework for risk analysis methods, Computers and Security (1993).

  • R. Anderson, Why information security is hard: an economic perspective.

  • H. Cavusoglu et al., A model for evaluating IT security investments, Communications of the ACM (2004).

  • H. Cavusoglu et al., The effect of internet security breach announcements on shareholder wealth: capital market reactions for breached firms and internet security developers, International Journal of Electronic Commerce (2004).

  • Commission of the European Communities, Risk analysis methods database, INFOSEC Programme, Project S2014, ...

  • L. Gordon et al., The economics of information security investment, ACM Transactions on Information and System Security (2002).

Only six of the twelve references are listed here; the remainder are available in the full-text version of the article.

Costas LAMBRINOUDAKIS was born in Greece in 1963. He holds a B.Sc. (Electrical and Electronic Engineering) degree from the University of Salford (UK), and an M.Sc. (Control Systems) and a Ph.D. (Computer Science) degree from the University of London (UK). Currently he is an Assistant Professor at the Department of Information and Communication Systems of the University of the Aegean. His current research interests include information systems security, smart cards and computer architectures. He is an author of several refereed papers in international scientific journals and conference proceedings. He has participated in many national and EU-funded R&D projects. He has served on programme and organising committees of national and international conferences on informatics and is a reviewer for several scientific journals.

Stefanos GRITZALIS was born in Greece in 1961. He holds a BSc in Physics, an MSc in Electronic Automation and a PhD in Informatics, all from the University of Athens, Greece. Currently he is an Associate Professor at the Department of Information and Communication Systems Engineering, University of the Aegean, Greece, and Assistant Director of the Info-Sec-Lab. He has been involved in more than thirty national and CEC-funded R&D projects in the area of information and communication systems. His published scientific work includes six books (in Greek) on information and communication technology topics and more than seventy journal and national and international conference papers, most of them on information and communication systems security. He has served on programme and organising committees of national and international conferences on informatics and is a reviewer for several scientific journals.

Peter HATZOPOULOS was born in Greece in 1967. He holds a BSc in Mathematics from the University of Crete, and an MSc and a PhD from City University, London, UK. Currently he is a Lecturer at the Department of Statistics and Actuarial Science, University of the Aegean, Greece. He has been involved in national and EC-funded projects in the areas of life and general insurance. His published scientific work covers life insurance and actuarial statistics.

Athanasios YANNACOPOULOS was born in Greece in 1968. He holds a BSc in Physics from the University of Athens and a PhD in Dynamical Systems from the University of Warwick. He has worked as a Research Fellow at the Universities of Leeds and Warwick and was a Lecturer in Applied Mathematics at the School of Mathematics and Statistics, University of Birmingham. Since 2002 he has been with the University of the Aegean, where he is currently an Associate Professor at the Department of Statistics and Actuarial Science. His research interests and published work are in random and deterministic dynamical systems, stochastic processes and applied stochastic analysis.

Sokratis K. KATSIKAS was born in Greece in 1960. He received the Diploma in Electrical Engineering from the University of Patras, Greece, the M.Sc. in Electrical and Computer Engineering from the University of Massachusetts at Amherst, USA, and the Ph.D. in Computer Engineering from the University of Patras, Greece. He is now Professor at the Department of Information and Communication Systems Engineering and Rector of the University of the Aegean, Greece. He has authored or co-authored more than 140 technical papers and conference presentations in his areas of research interest, which include information and communication systems security, estimation theory, adaptive control and artificial intelligence. He has served on steering, programme and organising committees of international conferences on informatics and is a reviewer for several scientific journals.
