A formal model for pricing information systems insurance contracts
Introduction
Over the last decade the evolution of Information and Communication Technologies (ICT) has opened new opportunities for implementing novel applications and providing high quality services over global networks. Active participation in this "information society era" is nowadays an absolute prerequisite for organisations and public bodies that wish to remain competitive in the global electronic marketplace. Together with the advantages, however, serious concerns have been raised. The operation of most organisations worldwide, and the protection of their investments, has progressively come to depend on the effectiveness and robustness of their information systems. Information systems security has therefore become an issue of paramount importance, attracting the attention of the scientific community as well as that of commercial companies.
One of the top priorities for almost any organisation today is to protect its information system against potential risks. These risks can seriously disturb the operation of the system, causing a security incident in the form of unavailability of an end-user service or loss of data confidentiality and/or integrity. The impact of a security incident on the organisation, in terms of the consequences caused, may range from negligible to very large and is most often expressed as a financial loss. According to CERT, the number of reported security incidents has been growing exponentially: 2,573 incidents were reported in 1996 against 137,529 in 2003 [2]. Furthermore, Cavusoglu et al. [3] have calculated that compromised organisations lost, on average, approximately 2.1% of their market value within two days of the incident.
Consequently, in an attempt to minimize the probability of a security incident occurring, organisations have started investing in security enhancing technologies. Moitra and Konda [10] have shown that the returns on this investment diminish: as an organisation begins investing in information systems security its protection increases rapidly, whereas once the investment is already high, further spending increases protection at a much slower rate. A series of questions is therefore raised:
- How far should organisations go in investing in the security of their information systems?
- Are they aware of the residual risk to their information systems and of the consequences they will face in the event of a security incident?
- How can they evaluate the effectiveness of the security measures they invest in?
Recently there has been considerable interest from the economics community in addressing the above issues. Indicatively, Anderson [1] applies economic analysis, employing the language of microeconomics (network externalities, asymmetric information, moral hazard, adverse selection, liability dumping, etc.), to explain a number of phenomena that security researchers had previously found to be pervasive but perplexing. Gordon and Loeb [6] present an economic model for determining the optimal amount to invest in protecting a given set of information. Finally, Varian [12] constructs a model, based on the decisions of economic agents about the effort they spend, to study system reliability.
Another approach that organisations could consider for enhancing the security of their information systems is to transfer specific technological risks to a financial (insurance) market, covering the financial losses they may experience in case of a security incident. It should be emphasised that such an approach cannot and will not "replace" technical security measures; it complements them. Similar ideas have been expressed, at a conceptual level, by Gordon et al. [7]. The formal probabilistic model proposed in this paper aims to support the transition of these ideas from a conceptual to a practical level, assisting insurance companies in calculating the appropriate premium in a consistent and accurate way. Consider an example. An insurance company that wants to price a policy covering a car against theft or fire must, at least, have an accurate estimate of the car's current value. If the client provides additional information, for instance that a car alarm is installed, the insurer evaluates it and this may result in a reduced premium. By analogy, an insurance company calculating the premium for an information system will seek the following information:
- What financial loss will the organisation experience as a result of each possible security incident?
- How secure, that is how well protected against potential risks, is the information system?
However, none of the above questions can be answered in a straightforward and accurate way, mainly because of the following facts:
- a) New threats appear every day. How can one quantify the consequences of a potential security incident without even knowing which major threats the information system is facing?
- b) The effectiveness of a security measure cannot be stated in quantitative terms in advance. It can only be evaluated during real attacks against the system, after the measure has been installed and integrated into the system's operation. Even then the evaluation cannot be accurate, since there is no way to know whether a specific security measure has actually prevented a security incident. This is analogous to a home alarm system: if there is no record of a theft attempt, we do not know whether the alarm prevented it or whether no attempt was made, irrespective of the alarm.
- c) Finally, the environment of the information system has a significant impact both on the number and severity of potential threats and on the effectiveness of the security measures. For instance, the security requirements identified for an Internet-based system are not the same as those for a system using a wireless network instead. Likewise, an authentication mechanism may be extremely effective for the Internet-based system but not for the wireless environment.
Summarising, there are two complementary approaches that an organisation could follow to protect its information system. The first, and most common, is to invest in a series of technical, organisational and procedural measures that ensure an adequate level of security. Section 2 presents a scientifically sound methodology, namely the risk analysis and management methodology, that can be used to select these security measures, combining cost-efficiency and effectiveness. Through the description of the methodology the reader will find the answers to the questions posed at the beginning of this section.
Keeping in mind that complete security is not feasible and that, irrespective of the amount invested in security measures, there will always be a residual risk that leaves room for security incidents, organisations can also consider insuring their systems. Section 3 introduces a Markov model that can be used to describe the system, while Section 4 shows how this model can be used to estimate the appropriate insurance premium, providing a satisfactory solution to the problems posed earlier in this section. Furthermore, as explained in Section 5, the same Markov model can be used to support organisations in performing a cost-benefit analysis and deciding how much to invest in technical measures for enhancing the protection of their system. Finally, Section 6 provides some concluding remarks.
Risk analysis and management methodology
Risk analysis and management is a methodology for establishing a secure information system. It tackles the security problems and assists analysts in selecting the measures that will ensure, in a cost-effective way, a level of security commensurate with the level of risk (adequate security). Furthermore, through a risk analysis study, security analysts can accurately derive the residual risk for the information system; this is expressed in terms of threats and system
A Markov model describing the system
Let us assume that the information system may end up in one of N different states after possible security incidents that affect a single asset A_k, where k=1,..,M. We denote these states by i, i=1,..,N, and by i=0 the state in which no successful attack has been made on the information system, so that it is fully operational. We assume that at time t=0 the information system is in the fully operational state i=0 and that as time passes it will end up in different states of
Insurance of the system
The question we wish to answer in this section, using this simple model, is how the insurance company can calculate the fair amount of money to charge for this insurance service, that is, how one may calculate the net or mathematical premium. There is no unique way to do this; we present here a simple, actuarially fair way of determining the cost of this service.
Valuation of the maximum investment on security measures
In this section we address the problem of finding the maximum amount that an organisation should invest in security measures for achieving an adequate level of security for the information system. We use the Markov model proposed in Section 3 to provide a fair estimate of this cost. The problem has an intertemporal structure (time dependence). However, for ease of presentation we first present the methodology for resolving this problem in the time independent case before
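The pricing step of Section 4 and the cost-benefit step of Section 5 can be carried through numerically. The following Python program is an added worked example written for this page; it is not the paper's code, and because the paper's equations are only excerpted above, the concrete model it uses is an assumption: state 0 is the fully operational system, states 1..N are reached when an incident damages an asset, incidents strike only from state 0 with constant transition intensities lambda_i, a damaged state i is repaired back to state 0 at intensity mu_i (0 means never), each incident of kind i costs the organisation a one-off amount L_i, and the net premium for a contract of length T is the expected (optionally discounted) loss in [0, T]. All rates, loss amounts and the horizon are constructed figures, and the function names are mine.

```python
import math


def build_generator(incident_rates, repair_rates):
    """Generator matrix Q of a chain on states 0..N (N = len(incident_rates)).

    Q[0][i] = lambda_i: incident of kind i strikes the operational system.
    Q[i][0] = mu_i:     repair of damage i (0.0 means never repaired).
    Diagonal entries make every row sum to zero.  Assumed structure, see lead-in.
    """
    n = len(incident_rates)
    if len(repair_rates) != n:
        raise ValueError("one repair rate per incident kind is required")
    q = [[0.0] * (n + 1) for _ in range(n + 1)]
    for i, lam in enumerate(incident_rates, start=1):
        q[0][i] = lam
    for i, mu in enumerate(repair_rates, start=1):
        q[i][0] = mu
    for r in range(n + 1):
        q[r][r] = -sum(q[r][c] for c in range(n + 1) if c != r)
    return q


def _row_times(p, q):
    """Row vector p multiplied by the square matrix q."""
    size = len(q)
    return [sum(p[r] * q[r][c] for r in range(size)) for c in range(size)]


def state_probabilities(q, horizon, steps=2000):
    """Kolmogorov forward equations dp/dt = p Q, integrated with RK4.

    Starts from p(0) = e_0 (fully operational at t = 0, as on the page) and
    returns the probability vectors at t = 0, h, 2h, ..., horizon.
    """
    h = horizon / steps
    p = [1.0] + [0.0] * (len(q) - 1)
    path = [p]
    for _ in range(steps):
        k1 = _row_times(p, q)
        k2 = _row_times([x + 0.5 * h * k for x, k in zip(p, k1)], q)
        k3 = _row_times([x + 0.5 * h * k for x, k in zip(p, k2)], q)
        k4 = _row_times([x + h * k for x, k in zip(p, k3)], q)
        p = [x + h / 6.0 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
        path.append(p)
    return path


def net_premium(incident_rates, repair_rates, losses, horizon,
                discount_rate=0.0, steps=2000):
    """Actuarially fair (net) premium: expected discounted loss over [0, T].

    Incidents of kind i occur only while the system is in state 0, so their
    expected discounted count is lambda_i * integral_0^T e^{-delta t} p_0(t) dt.
    The integral is taken with the trapezoidal rule on the RK4 grid.
    """
    q = build_generator(incident_rates, repair_rates)
    path = state_probabilities(q, horizon, steps)
    h = horizon / steps
    f = [math.exp(-discount_rate * j * h) * path[j][0] for j in range(steps + 1)]
    exposure = h * (sum(f) - 0.5 * (f[0] + f[-1]))
    loss_rate = sum(L * lam for L, lam in zip(losses, incident_rates))
    return loss_rate * exposure


def max_investment(current_rates, improved_rates, repair_rates, losses,
                   horizon, discount_rate=0.0):
    """Upper bound on what a security measure is worth (time-independent case).

    Reading of the page's cost-benefit idea used here (an assumption, the
    section being only excerpted): a measure that lowers the incident
    intensities from current_rates to improved_rates is worth at most the
    expected loss it removes, i.e. the drop in the fair premium.
    """
    before = net_premium(current_rates, repair_rates, losses, horizon, discount_rate)
    after = net_premium(improved_rates, repair_rates, losses, horizon, discount_rate)
    return before - after


if __name__ == "__main__":
    # Constructed figures: kind 1 a web-site defacement (frequent, cheap),
    # kind 2 a customer-database breach (rare, expensive); one-year contract.
    rates = (0.20, 0.05)            # incidents per year from state 0
    repairs = (12.0, 2.0)           # mean repair times ~1 month and ~6 months
    losses = (10_000.0, 50_000.0)   # one-off loss per incident
    premium = net_premium(rates, repairs, losses, horizon=1.0, discount_rate=0.03)
    print(f"fair annual premium: {premium:,.2f}")
    # A measure expected to halve the defacement rate: ceiling on its price.
    worth = max_investment(rates, (0.10, 0.05), repairs, losses, 1.0, 0.03)
    print(f"maximum worth spending on the measure: {worth:,.2f}")
```

When no repair takes place the chain is absorbing and the premium has the closed form sum_i L_i lambda_i (1 - e^{-Lambda T}) / Lambda with Lambda = sum_i lambda_i, which is a convenient check on the numerical integration; with repair the system spends more time in state 0, is exposed longer, and the fair premium rises. The maximum-investment figure is only a ceiling: a measure is worth buying when its price is below the expected loss it removes, and the reduced intensities it achieves are exactly the quantity that point (b) in the introduction warns is hard to establish.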
Conclusions
In this paper we have proposed a Markov model describing the transitions of an information system from the fully operational state into non-fully-operational states, as a result of security incidents that damage an asset of the information system, using the transition intensity approach. This model has been used to estimate the premium of an insurance contract against the expected losses resulting from potential security incidents. Using the same model we have proposed
References (12)
- et al., A comparative framework for risk analysis methods, Computers and Security (1993)
- Anderson, Why information security is hard: an economic perspective
- et al., A model for evaluating IT security investments, Communications of the ACM (2004)
- Cavusoglu et al., The effect of internet security breach announcements on shareholder wealth: capital market reactions for breached firms and internet security developers, International Journal of Electronic Commerce (2004)
- Commission of the European Communities, Risk analysis methods database, INFOSEC Programme, Project S2014, ...
- Gordon and Loeb, The economics of information security investment, ACM Transactions on Information and System Security (2002)
Costas LAMBRINOUDAKIS was born in Greece in 1963. He holds a B.Sc. (Electrical and Electronic Engineering) degree from the University of Salford (UK), an M.Sc. (Control Systems) and a Ph.D. (Computer Science) degree from the University of London (UK). Currently he is an Assistant Professor at the Department of Information and Communication Systems of the University of the Aegean. His current research interests include: Information Systems Security, Smart Cards and Computer Architectures. He is an author of several refereed papers in international scientific journals and conference proceedings. He has participated in many national and EU funded R and D Projects. He has served on program and organizing committees of national and international conferences on Informatics and he is a reviewer for several scientific journals.
Stefanos GRITZALIS was born in Greece in 1961. He holds a BSc in Physics, an MSc in Electronic Automation, and a PhD in Informatics all from the University of Athens, Greece. Currently he is an Associate Professor at the Department of Information and Communication Systems Engineering, University of the Aegean, Greece, and Assistant Director of the Info-Sec-Lab. He has been involved in more than thirty national and CEC funded R and D projects in the areas of Information and Communication Systems. His published scientific work includes six books (in Greek) on Information and Communication Technologies topics, and more than seventy journal and national and international conference papers. The focus of these publications is on Information and Communication Systems Security. He has served on program and organizing committees of national and international conferences on Informatics and is a reviewer for several scientific journals.
Peter HATZOPOULOS was born in Greece in 1967. He holds a BSc in Mathematics from the University of Crete, and an MSc and a PhD from the City University of London, UK. Currently he is a Lecturer at the Department of Statistics and Actuarial Science, University of the Aegean, Greece. He has been involved in national and EC funded projects in the areas of Life and General Insurance. His published scientific work involves Life Insurance and Actuarial Statistical topics.
Athanasios YANNACOPOULOS was born in Greece in 1968. He holds a BSc in Physics from the University of Athens and a PhD in Dynamical Systems from the University of Warwick. He has worked as a Research Fellow at the Universities of Leeds and Warwick and was Lecturer in Applied Mathematics at the School of Mathematics and Statistics, University of Birmingham. Since 2002 he has been with the University of the Aegean, where he is currently Associate Professor at the Department of Statistics and Actuarial Science. His research interests and published work are in random and deterministic dynamical systems, stochastic processes and applied stochastic analysis.
Sokratis K. KATSIKAS was born in Greece in 1960. He received the Diploma in Electrical Engineering from the University of Patras, Greece, the M.Sc. in Electrical and Computer Engineering from the University of Massachusetts at Amherst, USA, and the Ph.D. in Computer Engineering from the University of Patras, Greece. He is now Professor at the Department of Information and Communication Systems Engineering and Rector of the University of the Aegean, Greece. He has authored or co-authored more than 140 technical papers and conference presentations in his areas of research interest, which include information and communication systems security, estimation theory, adaptive control, and artificial intelligence. He has served on steering, program and organizing committees of international conferences on informatics and is a reviewer for several scientific journals.