
    Expanding the Gordon-Loeb Model to Cyber-Insurance

    We present an economic model for decisions on competing cyber-security and cyber-insurance investment based on the Gordon-Loeb model for investment in information security. We consider a one-period scenario in which a firm may invest in information security measures to reduce the probability of a breach, in cyber-insurance, or in a combination of both. The optimal combination of investment and insurance under the assumptions of the Gordon-Loeb model is investigated by considering the costs and benefits of investment in security alongside purchasing insurance at an independent premium rate. Under both exponential (constant absolute risk aversion) and logarithmic (constant relative risk aversion) utility functions it is found that when the insurance premium is below a certain value, utility is maximised with a combination of insurance and security investment. These results suggest that cyber-insurance is a worthwhile undertaking provided it is not overly costly. We believe this model to be the first attempt to integrate the Gordon-Loeb model into a classical microeconomic analysis of insurance, particularly using the Gordon-Loeb security breach functions to determine the probability of an insurance claim. The model follows the tradition of the Gordon-Loeb model in being accessible to practitioners and decision makers in information security.

    Pricing cyber-insurance for systems via maturity models

    Pricing insurance for risks associated with information technology systems presents a complex modelling challenge, combining the disciplines of operations management, security, and economics. This work proposes a socioeconomic model for cyber-insurance decisions comprised of entity relationship diagrams, security maturity models, and economic models, addressing a long-standing research challenge of capturing organizational structure in the design and pricing of cyber-insurance policies. Insurance pricing is usually informed by the long experience insurance companies have of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. A unique challenge of cyber-insurance is that data history is limited and not necessarily informative of future loss risk, meaning that established actuarial methodology for other lines of insurance may not be the optimal pricing strategy. The model proposed in this paper provides a vehicle for agreement between practitioners in the cyber-insurance ecosystem on cyber-security risks and allows users to choose their desired level of abstraction in the description of a system.

    Comment: 31 pages, 12 figures, 11 tables.

    RCVaR: an Economic Approach to Estimate Cyberattacks Costs using Data from Industry Reports

    Digitization increases business opportunities and the risk of companies becoming victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide individualized, quantitative monetary estimations of cybersecurity impacts. Due to limited resources and technical expertise, SMEs and even large companies are affected and struggle to quantify their cyberattack exposure. Therefore, novel approaches must be put in place to support the understanding of the financial loss due to cyberattacks. This article introduces the Real Cyber Value at Risk (RCVaR), an economic approach for estimating cybersecurity costs using real-world information from public cybersecurity reports. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate the costs of specific cyberattacks for companies. Furthermore, RCVaR extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. The evaluation of the approach on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks. Thus, it shows that the RCVaR is a valuable addition to cybersecurity planning and risk management processes.

    THE IMPACT OF MALICIOUS AGENTS ON THE ENTERPRISE SOFTWARE INDUSTRY 1

    In this paper, a competitive software market that includes horizontal and quality differentiation, as well as a negative network effect driven by the presence of malicious agents, is modeled. Software products with larger installed bases, and therefore more potential computers to attack, present more appealing targets for malicious agents. One finding is that software firms may profit from increased malicious activity. Software products in a more competitive market are less likely to invest in security, while monopolistic or niche products are likely to be more secure from malicious attack. The results provide insights for IS managers considering enterprise software adoption.

    1 Peter Gutmann was the accepting senior editor for this paper. Lech Janczewski served as the associate editor. The appendix for this paper is located in the "Online Supplements" section of the MIS Quarterly's website (http://www.misq.org).

    The barriers to sustainable risk transfer in the cyber-insurance market

    Efficient risk transfer is an important condition for ensuring the sustainability of a market, according to the established economics literature. In an inefficient market, significant financial imbalances may develop and potentially jeopardise the solvency of some market participants. The constantly evolving nature of cyber-threats and the lack of public data sharing mean that the economic conditions required for quoted cyber-insurance premiums to be considered efficient are highly unlikely to be met. This paper develops Monte Carlo simulations of an artificial cyber-insurance market and compares the efficient and inefficient outcomes based on the informational setup between the market participants. The existence of diverse loss distributions is justified by the dynamic nature of cyber-threats and the absence of any reliable and centralised incident reporting. It is shown that the limited involvement of reinsurers when loss expectations are not shared leads to increased premiums and lower overall capacity. This suggests that the sustainability of the cyber-insurance market requires both better data sharing and external sources of risk-tolerant capital.

    Comment: 32 pages, 9 figures, 17 tables.

    Mixed structural models for decision making under uncertainty using stochastic system simulation and experimental economic methods: application to information security control choice

    This research is concerned with whether and to what extent information security managers may be biased in their evaluation of, and decision making over, the quantifiable risks posed by information management systems where the circumstances may be characterized by uncertainty in both the risk inputs (e.g. system threat and vulnerability factors) and outcomes (actual efficacy of the selected security controls and the resulting system performance and associated business impacts). Although ‘quantified security’ and any associated risk management remain problematic from both a theoretical and an empirical perspective (Anderson 2001; Verendel 2009; Appari 2010), professional practitioners in the field of information security continue to advocate the consideration of quantitative models for risk analysis and management wherever possible, because those models permit a reliable economic determination of optimal operational control decisions (Littlewood, Brocklehurst et al. 1993; Nicol, Sanders et al. 2004; Anderson and Moore 2006; Beautement, Coles et al. 2009; Anderson 2010; Beresnevichiene, Pym et al. 2010; Wolter and Reinecke 2010; Li, Parker et al. 2011).

    The main contribution of this thesis is to bring current quantitative economic methods and experimental choice models to the field of information security risk management, to examine the potential for biased decision making by security practitioners under conditions where information may be relatively objective or subjective, and to demonstrate the potential for informing decision makers about these biases when making control decisions in a security context. No single quantitative security approach appears to have formally incorporated three key features of the security risk management problem addressed in this research: 1) the inherently stochastic nature of the information system inputs and outputs, which contribute directly to decisional uncertainty (Conrad 2005; Wang, Chaudhury et al. 2008; Winkelvos, Rudolph et al. 2011); 2) the endogenous estimation of a decision maker’s risk attitude using models which otherwise typically assume risk neutrality or an inherent degree of risk aversion (Danielsson 2002; Harrison, Johnson et al. 2003); and 3) the application of structural modelling, which allows for the possible combination and weighting between multiple latent models of choice (Harrison and Rutström 2009). The identification, decomposition and tractability of these decisional factors is of crucial importance to understanding the economic trade-offs inherent in security control choice under conditions of both risk and uncertainty, particularly where established psychological decisional biases such as ambiguity aversion (Ellsberg 1961) or loss aversion (Kahneman and Tversky 1984) may be assumed to be endemic to, if not magnified by, the institutional setting in which these decisions take place. Minimally, risk-averse managers may simply be overspending on controls, overcompensating for anticipated losses that do not actually occur with the frequency or impact they imagine. On the other hand, risk-seeking managers, where they may exist (practitioners call them ‘cowboys’; they are a familiar player in equally risky financial markets), may simply be gambling against ultimately losing odds, putting the entire firm at risk of potentially catastrophic security losses. Identifying and correcting for these scenarios would seem to be increasingly important for now universally networked business computing infrastructures.

    From a research design perspective, the field of behavioural economics has made significant and recent contributions to the empirical evaluation of psychological theories of decision making under uncertainty (Andersen, Harrison et al. 2007) and provides salient examples of lab experiments which can be used to elicit and isolate a range of latent decision-making behaviours for choice under risk and uncertainty within relatively controlled conditions, versus those which might be obtainable in the field (Harrison and Rutström 2008). My research builds on recent work in the domain of information security control choice by 1) undertaking a series of lab experiments incorporating a stochastic model of a simulated information management system at risk, which supports the generation of observational data derived from a range of security control choice decisions under both risk and uncertainty (Baldwin, Beres et al. 2011); and 2) modeling the resulting decisional biases using structural models of choice under risk and uncertainty (ElGamal and Grether 1995; Harrison and Rutström 2009; Keane 2010). The research contribution consists of the novel integration of a model of stochastic system risk and domain-relevant structural utility modeling, using a mixed model specification for estimation of the latent decision-making behaviour. It is anticipated that the research results can be applied to the real-world problem of ‘tuning’ quantitative information security risk management models to the decisional biases and characteristics of the decision maker (Abdellaoui and Munier 1998).

    Big Data in MultiAgent Systems: Market Design Solutions

    The main objective of this thesis is to present a set of novel and distinct methods in which multi-agent systems can play a key role in economic predictions and models across a broad range of contexts. The main hypothesis is that multi-agent systems allow the creation of macroeconomic models with real microfoundations that are capable of representing the economy at different levels according to different purposes and needs. The research is structured in six chapters. Chapter 1 is a theoretical introduction to the remaining chapters, which present empirical applications. It compares multi-agent systems with two alternatives: computable general equilibrium models and spatial econometrics. The remaining chapters are intentionally different in their objectives and content. These five applications incorporate different types of agents: they include individuals (2, 5, 6), households (2, 5), firms (3, 5, 6), establishments (5), financial institutions (6) and users (4). In the spatial domain, the spatial disaggregation is deliberately different in each application: Chapter 4 does not include space, Chapter 6 is an application for the euro area as a whole, and Chapter 3 takes Spain as a whole. Chapters 2 and 5 explore the two main possibilities for incorporating space into multi-agent systems: Chapter 2 includes the NUTS 3 regions of the European Union, and in Chapter 5 the agents are geolocated. Chapter 2 develops a multi-agent system that includes every individual in the European Union. With this system we can predict population at the regional scale for the whole European Union and how different levels of economic growth in turn affect employment.

    Chapter 3 presents a simulation model built on the main viewpoints of business theory to study firm growth and firm demography in a stochastic evolutionary model. The model presented also shows how firms adapt to changes in the desired product characteristics, and the effect of the crisis on these dynamics. Chapter 4 discusses the key role of incentives in information systems security. Previous work carries out this study using a game-theoretic approach, but the chapter shows that an agent-based model is able to include heterogeneity and the interrelationships between individuals, and focuses not on the equilibrium reached but on the dynamics before it emerges. The objective of Chapter 5 is to study the effects of the Commercial Revitalization Act (Ley de Dinamización Comercial) that was passed in the Community of Madrid during 2012. Finally, the objective of Chapter 6 is to explain the determinants of inflation and to forecast the inflation rate in the euro area over the next five years. Inflation in the euro area is predicted to rise until 2018, with a ceiling close to 2.5% year on year, provided no significant external shocks occur.