
On the Assessment of Systematic Risk in Networked Systems

Published: 07 August 2018

Abstract

In a networked system, the risk of security compromises depends not only on each node’s security but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes we should expect to lose, on average, for a given network topology, after certain types of incidents. Meanwhile, the pricing of insurance contracts for risks related to information technology (better known as cyber-insurance) requires determining additional information, for example, the maximum number of nodes we should expect to lose within a 99.5% confidence interval. Previous modeling research in network security has not addressed these types of questions, while research on cyber-insurance pricing for networked systems has not taken into account the network’s topology. Our goal is to bridge that gap, by providing a mathematical basis for the assessment of systematic risk in networked systems.
We define a loss-number distribution to be a probability distribution on the total number of compromised nodes within a network following the occurrence of a given incident, and we provide a number of modeling results that aim to be useful for cyber-insurers in this context. We prove NP-hardness for the general case of computing the loss-number distribution for an arbitrary network topology but obtain simplified computable formulas for the special cases of star topologies, ER-random topologies, and uniform topologies. We also provide a simulation algorithm that approximates the loss-number distribution for an arbitrary network topology and that appears to converge efficiently for many common classes of topologies.
Scale-free network topologies have a degree distribution that follows a power law and are commonly found in real-world networks. We provide an example of a scale-free network in which a cyber-insurance pricing mechanism that relies naively on incidence reporting data will fail to accurately predict the true risk level of the entire system. We offer an alternative mechanism that yields an accurate forecast by taking into account the network topology, thus highlighting both the absence of topological data in current security incident reporting and its importance. Our results constitute important steps toward the understanding of systematic risk and contribute to the emergence of a viable cyber-insurance market.
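As an added illustration of the loss-number distribution described in the abstract (example code, not the paper's own algorithm or model), the block below assumes a simple site/bond percolation incident model: each node is directly compromised with probability q, and a compromise spreads across each edge independently with probability p. It computes the exact distribution by exhaustive enumeration (exponential in the graph size, which is why the general case calls for simulation), a Monte Carlo approximation usable on arbitrary topologies, and the 99.5% loss quantile an insurer would reserve against; STAR_4 is a constructed four-node star.

```python
import random
from collections import deque
from itertools import product

STAR_4 = [(0, 1), (0, 2), (0, 3)]  # constructed sample: hub 0 with three leaves

def _loss(seeds, kept):
    """Nodes reached from the directly compromised seeds over the edges that transmitted."""
    adj = {}
    for u, v in kept:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for v in adj.get(queue.popleft(), ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return len(seen)

def exact_loss_distribution(n, edges, q, p):
    """P[loss = k], k = 0..n, by enumerating all 2^(n+|E|) site/bond outcomes (tiny graphs only)."""
    dist = [0.0] * (n + 1)
    for sites in product((0, 1), repeat=n):
        for bonds in product((0, 1), repeat=len(edges)):
            k, m = sum(sites), sum(bonds)
            prob = q ** k * (1 - q) ** (n - k) * p ** m * (1 - p) ** (len(edges) - m)
            seeds = [i for i, s in enumerate(sites) if s]
            kept = [e for e, b in zip(edges, bonds) if b]
            dist[_loss(seeds, kept)] += prob
    return dist

def simulated_loss_distribution(n, edges, q, p, trials=20000, seed=7):
    """Monte Carlo estimate of the same distribution; works on any topology."""
    rng, counts = random.Random(seed), [0] * (n + 1)
    for _ in range(trials):
        seeds = [i for i in range(n) if rng.random() < q]
        kept = [e for e in edges if rng.random() < p]
        counts[_loss(seeds, kept)] += 1
    return [c / trials for c in counts]

def loss_quantile(dist, level=0.995):
    """Smallest k with P[loss <= k] >= level, e.g. the 99.5% loss bound used for pricing."""
    cumulative = 0.0
    for k, pk in enumerate(dist):
        cumulative += pk
        if cumulative >= level - 1e-12:
            return k
    return len(dist) - 1
```

With p = 0 the result is the topology-independent Binomial(n, q) count; raising p makes the distribution depend on the graph, which is the effect the paper's topology-aware pricing captures.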



Published In

ACM Transactions on Internet Technology, Volume 18, Issue 4
Special Issue on Computational Ethics and Accountability, Special Issue on Economics of Security and Privacy and Regular Papers
November 2018, 348 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/3210373
Editor: Munindar P. Singh

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 07 August 2018
Accepted: 01 November 2017
Revised: 01 October 2017
Received: 01 November 2016
Published in TOIT Volume 18, Issue 4


Author Tags

1. Networks
2. cyber-insurance
3. economics of security
4. risk mitigation
5. scale-free networks
6. security
7. topology

Qualifiers

• Research-article
• Research
• Refereed

Funding Sources

• German Institute for Trust and Safety on the Internet (DIVSI)

Cited By

• (2024) Structural Model for Cyber Risk Loss Distribution of Multi-Tenant Smart Buildings: An Application to the Hospitality Sector. SSRN Electronic Journal. DOI: 10.2139/ssrn.4829597. Online publication date: 2024.
• (2024) Evaluating cyber loss in star-ring and star-bus hybrid networks based on the bond percolation model. Communications in Statistics - Theory and Methods 54(2), 500-533. DOI: 10.1080/03610926.2024.2315291. Online publication date: 21 Feb 2024.
• (2021) Robust Networking: Dynamic Topology Evolution Learning for Internet of Things. ACM Transactions on Sensor Networks 17(3), 1-23. DOI: 10.1145/3446937. Online publication date: 21 Jun 2021.
• (2021) Ensuring confidentiality and availability of sensitive data over a network system under cyber threats. Reliability Engineering & System Safety 214, 107697. DOI: 10.1016/j.ress.2021.107697. Online publication date: Oct 2021.
• (2021) Multivariate dependence among cyber risks based on L-hop propagation. Insurance: Mathematics and Economics 101, 525-546. DOI: 10.1016/j.insmatheco.2021.09.005. Online publication date: Nov 2021.
