opinion

On Robust Estimates of Correlated Risk in Cyber-Insured IT Firms: A First Look at Optimal AI-Based Estimates under “Small” Data

Published: 10 October 2019

    Abstract

    In this article, we comment on the drawbacks of the existing AI-based Bayesian network (BN) cyber-vulnerability analysis (C-VA) model proposed in Mukhopadhyay et al. (2013) to assess cyber-risk in IT firms, where this quantity is usually a joint distribution of multiple risk (random) variables (e.g., quality of antivirus, frequency of monitoring, etc.) coming from heterogeneous distribution families. As a major modeling drawback, Mukhopadhyay et al. (2013) assume that any pair of random variables in the BN are linearly correlated with each other. This simplistic assumption might not always hold true for general IT organizational environments. Thus, the use of the C-VA model in general will result in loose estimates of correlated IT risk and will subsequently affect cyber-insurance companies in framing profitable coverage policies for IT organizations. To this end, we propose methods to (1) find a closed-form expression for the maximal correlation (MC) arising between pairs of discrete random variables, whose value finds importance in getting robust estimates of copula-induced computations of organizational cyber-risk, and (2) arrive at a computationally effective mechanism to compute nonlinear correlations among pairs of discrete random variables in the correlation matrix of the CBBN model (Mukhopadhyay et al. 2013). We also prove that an empirical computation of MC using our method converges rapidly, that is, exponentially fast, to the true correlation value in the number of samples. Our proposed method contributes to a tighter estimate of IT cyber-risk under environments of low-risk data availability and will enable insurers to better assess organizational risks and subsequently underwrite profitable cyber-insurance policies.

    References

    [1]
    Kjersti Aas, Claudia Czado, Arnoldo Frigessi, and Henrik Bakken. 2009. Pair-copula constructions of multiple dependence. Insurance: Mathematics and Economics 44, 2 (2009), 182--198.
    [2]
    Tim Bedford and Roger M. Cooke. 2002. Vines--a new graphical model for dependent random variables. Annals of Statistics 30, 4 (2002), 1031--1068.
    [3]
    Rainer Bohme and Gaurav Kataria. 2006. Models and measures for correlation in cyber-insurance. In Workshop of Economics of Information Security (WEiS’06).
    [4]
    Rainer Bohme and Galina Schwartz. 2010. Modeling cyber-insurance: Towards a unifying framework. In Workshop of Economics of Information Security (WEiS’10).
    [5]
    Leo Breiman and Jerome H. Friedman. 1985. Estimating optimal transformations for multiple regression and correlation. Journal of the American Statistical Association 80, 391 (1985), 580--598.
    [6]
    Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan. 2004. The effect of Internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce 9, 1 (2004), 70--104.
    [7]
    Robert T. Clemen and Terence Reilly. 1999. Correlations and copulas for decision and risk analysis. Management Science 45, 2 (1999), 208--224.
    [8]
    Peter J. Danaher and Michael S. Smith. 2011. Modeling multivariate distributions using copulas: Applications in marketing. Marketing Science 30, 1 (2011), 4--21.
    [9]
    Luc Devroye. 1983. The equivalence of weak, strong and complete convergence in L1 for kernel density estimates. Annals of Statistics 11, 3 (1983), 896--904.
    [10]
    Soheil Feizi, Ali Makhdoumi, Ken Duffy, Manolis Kellis, and Muriel Medard. 2017. Network maximal correlation. IEEE Transactions on Network Science and Engineering 4, 4 (2017), 229--247.
    [11]
    Organisation for Economic Co-Operation and Development. 2017. Enhancing the Role of Insurance in Cyber Risk Management. OECD. Retrieved from https://books.google.fi/books?id=R-CctAEACAAJ.
    [12]
    Fred Glover and Manuel Laguna. 2013. Tabu search. In Handbook of Combinatorial Optimization. Springer, 3261--3362.
    [13]
    Lawrence A. Gordon and Martin P. Loeb. 2002. Return on information security investments: Myths vs. realities. Strategic Finance 84, 5 (2002), 26--31.
    [14]
    Siobhan Gorman. 2012. Alert on hacker power play: US official signals growing concern over anonymous group's capabilities. Wall Street Journal.
    [15]
    Hemanta S. B. Herath and Tejaswini Herath. 2011. Copula based actuarial model for pricing cyber-insurance policies. Insurance Markets and Companies: Analyses and Actuarial Computations 2 (2011), 7--20.
    [16]
    Hermann O. Hirschfeld. 1935. A connection between correlation and contingency. In Mathematical Proceedings of the Cambridge Philosophical Society, Vol. 31. Cambridge University Press, 520--524.
    [17]
    Roger A. Horn and Charles R. Johnson. 2012. Matrix Analysis. Cambridge University Press.
    [18]
    Harry Joe and James Jianmeng Xu. 1996. The Estimation Method of Inference Functions for Margins for Multivariate Models. Technical Report. University of British Columbia.
    [19]
    Jay Kesan, Ruperto Majuca, and William Yurcik. 2005. Cyberinsurance as a market-based solution to the problem of cybersecurity: A case study. In WEIS.
    [20]
    Sergey Kirshner. 2008. Learning with tree-averaged densities and distributions. In Advances in Neural Information Processing Systems. 761--768.
    [21]
    Daphne Koller, Nir Friedman, and Francis Bach. 2009. Probabilistic Graphical Models: Principles and Techniques. MIT Press.
    [22]
    Marc Lelarge and Jean Bolot. 2009. Economic incentives to increase security in the Internet: The case for insurance. In IEEE INFOCOM 2009. IEEE, 1494--1502.
    [23]
    Frank Lin and William W. Cohen. 2010. Power iteration clustering. In Proceedings of the 27th International Conference on International Conference on Machine Learning (ICML’10). Omnipress, 655--662. Retrieved from http://dl.acm.org/citation.cfm?id=3104322.3104406
    [24]
    Yang Liu, Armin Sarabi, Jing Zhang, Parinaz Naghizadeh, Manish Karir, Michael Bailey, and Mingyan Liu. 2015. Cloudy with a chance of breach: Forecasting cyber security incidents. In USENIX Security. 1009--1024.
    [25]
    Leon Mirsky. 1960. Symmetric gauge functions and unitarily invariant norms. Quarterly Journal of Mathematics 11, 1 (1960), 50--59.
    [26]
    Amitabha Mukhopadhyay, Samir Chatterjee, Debasis Saha, Ambuja Mahanti, and Samir K. Sadhukan. 2013. Cyber-risk decision models: To insure IT or not? Decision Support Systems 56 (2013), 11--26.
    [27]
    Hulisi Ogut, Nirup Menon, and Srinivasan Raghunathan. 2005. Cyber insurance and IT security investment. In WEIS.
    [28]
    Hulisi Öğüt, Srinivasan Raghunathan, and Nirup Menon. 2011. Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis 31, 3 (2011), 497--512.
    [29]
    Ranjan Pal and Leana Golubchik. 2010. Analyzing self-defense investments in internet security under cyber-insurance coverage. In 2010 IEEE 30th International Conference on Distributed Computing Systems. IEEE, 339--347.
    [30]
    Ranjan Pal, Leana Golubchik, and Konstantinos Psounis. 2011. Aegis a novel cyber-insurance model. In International Conference on Decision and Game Theory for Security. Springer, 131--150.
    [31]
    Ranjan Pal, Leana Golubchik, Konstantinos Psounis, and Pan Hui. 2014. Will cyber-insurance improve network security? A market analysis. In IEEE INFOCOM 2014-IEEE Conference on Computer Communications. IEEE, 235--243.
    [32]
    Ranjan Pal, Leana Golubchik, Konstantinos Psounis, and Pan Hui. 2017. Security pricing as enabler of cyber-insurance a first look at differentiated pricing markets. IEEE Transactions on Dependable and Secure Computing 16, 2 (2017), 358--372.
    [33]
    Ranjan Pal, Leana Golubchik, Konstantinos Psounis, and Pan Hui. 2018. Improving cyber-security via profitable insurance markets. ACM SIGMETRICS Performance Evaluation Review 45, 4 (2018), 7--15.
    [34]
    Emanuel Parzen. 1962. On estimation of a probability density function and mode. Annals of Mathematical Statistics 33, 3 (1962), 1065--1076.
    [35]
    Armin Sarabi, Parinaz Naghizadeh, Yang Liu, and Mingyan Liu. 2016. Risky business: Fine-grained data breach prediction using business profiles. Journal of Cybersecurity 2, 1 (2016), 15--28.
    [36]
    Cornelia Savu and Mark Trede. 2010. Hierarchies of archimedean copulas. Quantitative Finance 10, 3 (2010), 295--304.
    [37]
    Gideon Schwarz. 1978. Estimating the dimension of a model. Annals of Statistics 6, 2 (1978), 461--464.
    [38]
    Daniel A. Spielman and Shang-Hua Teng. 2013. A local clustering algorithm for massive graphs and its application to nearly linear time graph partitioning. SIAM Journal on Computing 42, 1 (2013), 1--26.
    [39]
    Hans S. Witsenhausen. 1975. On sequences of pairs of dependent random variables. SIAM Journal on Applied Mathematics 28, 1 (1975), 100--113.

        Published In

        ACM Transactions on Management Information Systems  Volume 10, Issue 3
        Research Commentary and Regular Paper
        September 2019
        83 pages
        ISSN:2158-656X
        EISSN:2158-6578
        DOI:10.1145/3361142

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 10 October 2019
        Accepted: 01 January 2019
        Revised: 01 November 2018
        Received: 01 February 2018
        Published in TMIS Volume 10, Issue 3

        Author Tags

        1. AI
        2. Bayesian network
        3. IT cyber-risk
        4. copula
        5. correlation
        6. sampling

        Qualifiers

        • Opinion
        • Research
        • Refereed

        Article Metrics

        • Downloads (Last 12 months): 22
        • Downloads (Last 6 weeks): 0
        Reflects downloads up to 26 Jul 2024

        Cited By

        • (2023) Transformação digital e seguro: uma revisão sistemática da literatura. Revista de Gestão e Secretariado (Management and Administrative Professional Review) 14:6 (8849-8874). DOI: 10.7769/gesec.v14i6.2269. Online publication date: 7-Jun-2023
        • (2023) A Mathematical Theory to Price Cyber-Cat Bonds Boosting IT/OT Security. Proceedings of the Winter Simulation Conference (648-659). DOI: 10.5555/3643142.3643196. Online publication date: 10-Dec-2023
        • (2023) How Hard Is Cyber-risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs. ACM Transactions on Cyber-Physical Systems 6:4 (1-31). DOI: 10.1145/3568399. Online publication date: 6-Jan-2023
        • (2022) Insurance in the Industry 4.0 environment: A literature review, synthesis, and research agenda. Australian Journal of Management 49:2 (290-312). DOI: 10.1177/03128962221132458. Online publication date: 2-Nov-2022
        • (2022) A Text-based Deep Reinforcement Learning Framework Using Self-supervised Graph Representation for Interactive Recommendation. ACM/IMS Transactions on Data Science 2:4 (1-25). DOI: 10.1145/3522596. Online publication date: 17-May-2022
        • (2022) AI-assisted Computer Network Operations testbed for Nature-Inspired Cyber Security based adaptive defense simulation and analysis. Future Generation Computer Systems 127:C (297-308). DOI: 10.1016/j.future.2021.09.018. Online publication date: 1-Feb-2022
        • (2022) Cyber-Insurance Market. Encyclopedia of Cryptography, Security and Privacy (1-6). DOI: 10.1007/978-3-642-27739-9_1636-1. Online publication date: 26-Mar-2022
        • (2021) Schrödinger's Code. Queue 19:2 (28-44). DOI: 10.1145/3466132.3468263. Online publication date: 27-May-2021
        • (2021) The Complex Path to Quantum Resistance. Queue 19:2 (65-92). DOI: 10.1145/3466132.3466779. Online publication date: 18-May-2021
        • (2021) Biases in AI Systems. Queue 19:2 (45-64). DOI: 10.1145/3466132.3466134. Online publication date: 12-May-2021