Reducing Informational Disadvantages to Improve Cyber Risk Management

Abstract

Effective cyber risk management should include the use of insurance not only to transfer cyber risk but also to provide incentives for insured enterprises to invest in cyber self-protection. Research indicates that asymmetric information, correlated loss, and interdependent security issues make this difficult if insurers cannot monitor the cybersecurity efforts of the insured enterprises. To address this problem, this paper proposes the Cyber Risk Scoring and Mitigation (CRISM) tool, which estimates cyberattack probabilities by directly monitoring and scoring cyber risk based on assets at risk and continuously updated software vulnerabilities. CRISM also produces risk scores that allow organisations to optimally choose mitigation policies that can potentially reduce insurance premiums.

This is a preview of subscription content, access via your institution.

Figure 1
Figure 2
Figure 3

Notes

  1. 1.

    We use the terms “cyber risk insurance” and “cyber insurance” interchangeably.

  2. 2.

    See Gordon et al. (2003); Kesan et al. (2004); Böhme (2005); Ogut et al. (2005); Majuca et al. (2006).

  3. 3.

    See Eling and Schnell (2016).

  4. 4.

    See Ehrlich and Becker (1972).

  5. 5.

    See Schwartz et al. (2010).

  6. 6.

    See Marotta et al. (2017).

  7. 7.

    See Biener et al. (2015).

  8. 8.

    See Berliner (1982).

  9. 9.

    AIG offered the first cyber insurance policy to cover policyholders for third-party losses caused by breaches that originated from outside the company: http://www.aei.org/publication/cyber-insurance-why-is-the-market-still-largely-untapped/.

  10. 10.

    See RMS (2016).

  11. 11.

    See SANS Institute (2016).

  12. 12.

    See Aon (2017).

  13. 13.

    See Lloyds (2015).

  14. 14.

    See Cebula and Young (2010).

  15. 15.

    See Filtner (2010).

  16. 16.

    See NIST (2012).

  17. 17.

    See Jouini et al. (2014).

  18. 18.

    See NIST (2011).

  19. 19.

    This list was compiled by the authors using a website for each tool.

  20. 20.

    Traditional risk scoring tools, for example used by underwriters for determining policyholder risk for auto insurance, depend on proxy categories, such as driver age, gender, vehicle type, address, and policyholder-specific information such as credit score and claims history. CRISM can be considered analogous to the use of telematics in determining auto insurance premiums where the continuously monitored actual behaviour of the specific policyholder is added as a factor in determining the premium (Baecke and Bocca, 2017).

  21. 21.

    An attack graph models system security vulnerabilities and all potential sequences through which the vulnerabilities can be exploited.

  22. 22.

    CVSS is an open framework for estimating and quantifying software vulnerabilities of various vendors.

  23. 23.

    The CRISM approach to using attack graphs and converting the CVSS base scores into probabilities leverages work from other researchers, such as Wang et al. (2008); Poolsappasit et al. (2012); Homer et al. (2013).

  24. 24.

    NVD is a repository that provides CVSS scores for all known vulnerabilities for software and operating systems. The NVD was created by the Department of Homeland Security to inform the public about common computer vulnerabilities (http://nvd.nist.gov/). It is maintained by the National Institute of Standards and Technology (NIST). Before CVSS, there was no common platform to identify the vulnerabilities, and therefore vendors used their own methods for scoring the vulnerabilities. The National Infrastructure Assurance Council (NIAC) launched CVSS in 2005 (http://www.dhs.gov/national-infrastructure-advisory-council). Several major organisations such as CERT, IBM, and Cisco were involved in the development of CVSS. These organisations also use these metrics to prioritise the response to the vulnerabilities they encounter in their day-to-day activities. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST).

  25. 25.

    CVE is a dictionary that assigns unique identifiers for all the security vulnerabilities that are publicly known (http://cve.mitre.org/about/index.html). CVE is used as the industry standard for vulnerability and exposures names. Once a vulnerability is discovered, it is assigned a unique CVE Identifier (e.g. CVE-2012-0015), which includes a brief description and references, such as advisories or vulnerability reports. CVE was quickly adopted by organisations, and its use is so widespread that organisations are producing “CVE Compatible” products and services.

  26. 26.

    For CVSS details related to these components, refer to https://www.first.org/cvss/v2/guide.

  27. 27.

    See Tøndel et al. (2016).

References

  1. Aon (2017) Cyber Update: 2016 Cyber Insurance Profits and Performance, from http://thoughtleadership.aonbenfield.com/Documents/20170504-ab-cyber-naic-supplemental-study.pdf, accessed 19 August 2017.

  2. Baecke, P. and Bocca, L. (2017) ‘The value of vehicle telematics data in insurance risk selection processes’, Decision Support Systems 98: 69–79.

    Article  Google Scholar 

  3. Berliner, B. (1982) Limits of Insurability of Risks, Englewood Cliffs, NJ: Prentice-Hall.

    Google Scholar 

  4. Biener, C., Eling, M. and Wirfs, J.H. (2015) ‘Insurability of cyber risk: An empirical analysis’, The Geneva Papers on Risk and InsuranceIssues and Practice 40(1): 131–158.

    Article  Google Scholar 

  5. Böhme, R. (2005) ‘Cyber-insurance revisited’, in Proceedings of the Fourth Workshop on the Economics of Information Security (WEIS 2005), Cambridge, MA: Kennedy School of Government, Harvard University.

  6. Cebula, J.J. and Young, L.R. (2010) A Taxonomy of Operational Cyber Security Risks, Technical Note CMU/SEI-2010-TN-028, Software Engineering Institute, Carnegie Mellon University, from http://www.dtic.mil/get-tr-doc/pdf?AD=ADA537111, accessed 18 August 2017.

  7. Ehrlich, I. and Becker, G.S. (1972) ‘Market insurance, self-insurance, and self-protection’, Journal of Political Economy 80(4): 623–648.

    Article  Google Scholar 

  8. Eling, M. and Schnell, W. (2016) Ten Key Questions on Cyber Risk and Cyber Risk Insurance, The Geneva Association, from https://www.genevaassociation.org/media/954708/cyber-risk-10-key-questions.pdf, accessed 11 May 2017.

  9. Filtner, A. (2010) Foundations of Risk Management and Insurance, CPCU Series, Malvern, PA: American Institute for Chartered Property Casualty Underwriters, p. 1.16.

  10. Gordon, L.A., Loeb, M.P. and Sohail, T. (2003) ‘A framework for using insurance for cyber-risk management’, Communications of the ACM 46(3): 81–85.

    Article  Google Scholar 

  11. Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S. R. and Singhal, A. (2013) ‘Aggregating vulnerability metrics in enterprise networks using attack graphs’, Journal of Computer Security 21(4): 561–597.

    Article  Google Scholar 

  12. Jouini, M., Rabai, L.B.A. and Aissa, A.B. (2014) ‘Classification of security threats in information systems’, Procedia Computer Science 32: 489–496.

    Article  Google Scholar 

  13. Kesan, J.P., Majuca, R.P. and Yurcik, W.J. (2004) The Economic Case for Cyberinsurance, University of Illinois Law and Economics working papers.

  14. Lloyds (2015) Business Blackout, Lloyds of London and University of Cambridge Centre for Risk Studies, from https://www.lloyds.com/news-and-insight/risk-insight/library/society-and-security/business-blackout, accessed 19 August 2017.

  15. Majuca, R.P., Yurcik, W. and Kesan, J.P. (2006) The Evolution of Cyberinsurance, working paper, from https://arxiv.org/ftp/cs/papers/0601/0601020.pdf, accessed 18 August 2017.

  16. Marotta, A., Martinelli, F., Nanni, S., Orlando, A. and Yautsiukhin, A. (2017) ‘Cyber-insurance survey’, Computer Science Review 24: 35–61.

    Article  Google Scholar 

  17. NIST (2011) Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, from https://dl.acm.org/citation.cfm?id=2206253, accessed 3 December 2017.

  18. NIST (2012) Guide for Conducting Risk Assessments, NIST Special Publication 800-30, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf, accessed 3 December 2017.

  19. Ogut, H., Menon, N. and Raghunathan, S. (2005) ‘Cyber insurance and IT security investment: Impact of interdependent risk’, in Workshop on the Economics of Information Security (WEIS), Harvard University.

  20. Poolsappasit, N., Dewri, R. and Ray, I. (2012) ‘Dynamic security risk management using Bayesian attack graphs’, IEEE Transactions on Dependable and Secure Computing 9 (1): 61–74.

    Article  Google Scholar 

  21. RMS (2016) Managing Cyber Insurance Accumulation Risk, Risk Management Solutions, Inc., and the Cambridge Centre for Risk Studies, from http://cambridgeriskframework.com/getdocument/39, accessed 11 May 2017.

  22. SANS (2016) Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey, from https://www.sans.org/reading-room/whitepapers/legal/bridging-insurance-infosec-gap-2016-cyber-insurance-survey-37062, accessed 11 May 2017.

  23. Schwartz, G., Shetty, N. and Walrand, J. (2010) Cyber-insurance: Missing market driven by user heterogeneity, from https://pdfs.semanticscholar.org/d1db/6af4b7c93315e48c8ab407f1f75187a88687.pdf, accessed 18 August 2017.

  24. Tøndel, I.A., Seehusen, F., Gjære, E.A. and Moe, M.E.G. (2016) ‘Differentiating cyber risk of insurance customers: The insurance company perspective’ in Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A.M. and Weippl, E. (eds.) International Conference on Availability, Reliability, and Security, Springer, pp. 175–190.

  25. Wang, L., Islam, T., Long, T., Singhal, A. and Jajodia, S. (2008) ‘An attack graph-based probabilistic security metric’, in Proceedings of The 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, UK: pp. 283–296.

Download references

Acknowledgements

This work was supported by the Office of the Assistant Secretary of Defense for Research and Engineering [OASD (R&E)] Agreement FA8750-15-2-0120 and Department of Homeland Security Grant 2015-ST-061-CIRC01.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Michael McShane.

Additional information

 Approved for public release: distribution unlimited. Case Number: 88ABW-2017-2684, dated 26 May 2017.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Shetty, S., McShane, M., Zhang, L. et al. Reducing Informational Disadvantages to Improve Cyber Risk Management. Geneva Pap Risk Insur Issues Pract 43, 224–238 (2018). https://doi.org/10.1057/s41288-018-0078-3

Download citation

Keywords

  • cyber risk management
  • cyber insurance
  • vulnerability assessment
  • security risk scores
  • Bayesian belief networks
  • attack graphs