1. Models and Measures for Correlation in Cyber-Insurance Rainer Böhme Technische Universität Dresden rainer.boehme@tu-dresden.de Gaurav Kataria Carnegie Mellon University gauravk@andrew.cmu.edu DIMACS Workshop on Information Security Economics, Jan 19 2007.

2. 2 Cyber-Insurance in a Nutshell Risk sharing  avoid extreme losses at manageable expenses Security metric  premiums differentiate good and bad risks Incentive function  to develop and deploy sound security technology Market for cyber-insurance immature  losses from cyber incidents in the range of $ 200 bn  global cyber-insurance market < $ 2 bn -Majuca et al., 2006 (Danger of) High correlation of cyber-risks  due to homogeneous technology -Geer et al., 2003

3. 3 Decision to Offer Insurance Cost of offering insurance: C = E(L) + A + i · c Where, E(L) is the expected loss amount, L being a random variable A is the sum of all administrative costs, assumed negligible c is the safety capital required to settle all claims if the realization of L turns out to the є-worst case (є is the probability of ruin for the insurer) i is the interest rate to be paid for the safety capital c. The rate should reflect the risk associated with the business in general and the choice of є in particular Shape of the loss distribution function is crucial

4. 4 Decision to Seek Insurance Disutility 0n Number of nodes simultaneously compromised

5. 5 Decision to Seek Insurance Given the degree of risk aversion σ and a measure of initial wealth I 0, we can compute the maximum premium γ

6. 6 Classes of Cyber-Risks Insider attack Degree of event correlation Hardware failure Configuration vulnerability (user settings) Configuration vulnerability (default settings) Viruses and worms Targeted hacker attack Standard software exploit requiring user interaction Remote standard software exploit Systemic errors (Y2K, break of assumed secure cryptography)

7. 7 Cyber-Insurance Scenario Insurer’s view k : firms in portfolio n : risks per firm Global Risk Correlation Decisions are made at firm-level

8. 8 Cyber-Insurance Scenario Insuree’s view n : risks within firm Internal Risk Correlation Decisions are made at firm-level

9. 9 Two-Step Risk Arrival

10. 10 Modeling Two-Step Risk Arrival Monte-Carlo Simulation  Computed minimum profitable premium for given correlation structure

11. 11 Equilibrium Conditions Results of 20,000 simulation trials per parameter setting

12. 12 How strong is cyber-risk correlation in reality? Standard Response  lack of actuarial data on loss amounts Our Approach  if correlation of losses is caused by attack correlation, then we can try to estimate correlation from sensor data measuring attack activity

13. 13 Data Source Honeypots decoy for hackers and automated attacks useful monitoring tool for malicious activity -http://www.honeynet.org Leurre.com honeynet project (Eurecom, France) 35 sensors emulating 3 TCP/IP stacks each deployed in 25 countries over five continents - Pouget et al., 2004, Pouget/Dancier/Pham, 2005 Observations Location Port Sequence Time (days) Hits

14. 14 Global Attack Activity

15. 15 Correlation Measure Do attacks coincide at different sensor locations? Fit stochastic models for global attack pattern

16. 16 Alternative Models of Risk Arrival

17. 17 Estimation Results

18. 18 Conclusion Take home message  though our current risk models are suboptimal and not fully empirically validated, it might be a good idea to design future cyber-insurance models with two-step risk arrival

19. 19 We gratefully acknowledge support from the owners of Leurre.com at Eurecom, France, for sharing their fabulous honeynet database with us. The second author was supported by grant no. CNS-0433540 from the National Science Foundation. Q & A