Abstract

In this paper, we assume the security level of a system is a quantifiable metric and apply the insurance company ruin theory in assessing the defense failure frequencies. The current security level of an information system can be viewed as the initial insurer surplus; defense investment can be viewed as premium income resulting in an increase in the security level; cyberattack arrivals follow a Poisson process, and the impact of attacks is modeled as losses on the security level. The occurrence of cyber breach is modeled as a ruin event. We use this framework to determine optimal investment in cyber security that minimizes the total cyber costs. We show by numerical examples that there is an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer.

Highlights

  • Cyber risk has become a hot topic given the ever-increasing cyber breaches and resulting losses of data and business disruptions

  • Traditional actuarial ruin theory was developed in modeling of insurance capital solvency, whereas the level of capital is influenced by two opposing forces: the upward drift driven by a stream of insurance premium income and the random downward jump driven by insurance claims

  • We assume that the security level of a system changes over time due to attack and defense. The security level is modeled by a modified surplus process: the current security level of an information system can be viewed as the initial surplus; defense investment resulting in an increase in the security level can be viewed as the premium income; the cyberattack arrivals are modeled as a Poisson process, and the impact of attacks is modeled as losses on the security level using an assumed loss


Summary

Introduction

Cyber risk has become a hot topic given the ever-increasing cyber breaches and resulting losses of data and business disruptions. We apply traditional ruin theory in an innovative way to assess the stochastic changes in the level of cyber security and derive interesting insights from this theoretical framework. We assume the security level of a system is a quantifiable metric and apply the ruin-theoretic framework in assessing the defense failure frequencies. The goal of this paper is not to propose a new actuarial model for cyber losses (in terms of frequency and severity distributions); instead, we apply the ruin-theoretic framework to the level of cyber security over the course of time, under the opposing forces of attackers and defenders. We use the framework to draw insights about the optimal allocation of the cyber security budget.
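The surplus process sketched in the abstract and highlights (initial security level as initial surplus, defense spending as premium income, Poisson-distributed attacks as claims, breach as ruin) can be made concrete in a few lines. The following is an added example and not code from the paper: it assumes exponential attack losses so that the infinite-horizon breach probability has the classical Cramér-Lundberg closed form, cross-checks that formula against a Monte Carlo simulation of the process, and then scans defense spending rates against an illustrative objective (spending rate plus breach cost times breach probability) that is an assumption of this example, not the paper's cost model.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberSurplusModel:
    """Security-level surplus process U(t) = u + c*t - S(t).

    u:         initial security level (the "initial surplus")
    c:         defense investment rate (the "premium income"; raises the level)
    lam:       Poisson arrival rate of cyberattacks
    mean_loss: mean drop in security level per attack; losses are taken to be
               exponentially distributed (an assumption made for this example)
    A breach is the ruin event U(t) < 0.
    """
    u: float
    c: float
    lam: float
    mean_loss: float

    def safety_loading(self) -> float:
        # theta > 0: defense outpaces expected attack damage per unit time.
        # theta <= 0: the level drifts down on average and a breach is certain.
        return self.c / (self.lam * self.mean_loss) - 1.0

    def breach_probability(self) -> float:
        """Infinite-horizon ruin probability for exponential losses:
        psi(u) = exp(-theta*u / ((1+theta)*mean_loss)) / (1+theta)."""
        theta = self.safety_loading()
        if theta <= 0:
            return 1.0
        return math.exp(-theta * self.u / ((1.0 + theta) * self.mean_loss)) / (1.0 + theta)

    def simulate_breach_probability(self, paths: int, horizon: float, seed: int = 0) -> float:
        """Monte Carlo estimate of P(breach before `horizon`).
        Between attacks the level only rises, so ruin can occur only at an attack."""
        rng = random.Random(seed)
        breaches = 0
        for _ in range(paths):
            level, t = self.u, 0.0
            while True:
                dt = rng.expovariate(self.lam)          # time to next attack
                t += dt
                if t > horizon:
                    break                                # survived the horizon
                level += self.c * dt                     # defense spending accrues
                level -= rng.expovariate(1.0 / self.mean_loss)  # attack impact
                if level < 0:
                    breaches += 1
                    break
        return breaches / paths


def optimal_defense_rate(u, lam, mean_loss, breach_cost, candidate_rates):
    """Return (c, cost) minimising c + breach_cost * P(breach) over a grid of
    defense spending rates. This additive objective is an assumption of the
    example, not the paper's cost function."""
    best = None
    for c in candidate_rates:
        model = CyberSurplusModel(u, c, lam, mean_loss)
        cost = c + breach_cost * model.breach_probability()
        if best is None or cost < best[1]:
            best = (c, cost)
    return best


if __name__ == "__main__":
    m = CyberSurplusModel(u=2.0, c=1.5, lam=1.0, mean_loss=1.0)
    print("closed-form breach probability:", round(m.breach_probability(), 4))
    print("simulated breach probability:  ",
          m.simulate_breach_probability(paths=4000, horizon=60.0, seed=1))
    grid = [round(1.1 + 0.1 * i, 1) for i in range(20)]
    print("best defense rate, total cost:", optimal_defense_rate(2.0, 1.0, 1.0, 10.0, grid))
```

Raising the defense rate c lowers the breach probability but costs more per unit time, so the scan finds an interior optimum; the same scan can be repeated with part of the budget diverted to risk transfer (a smaller effective breach cost) to explore the maintenance-versus-insurance trade-off the abstract describes.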

Surplus Process for the Cyber Security Level over Time
Insights from the Framework
Literature Review on Cyber Risk Modeling
Conclusion and Future Research
The Security Development Rate c
Some Analytical Results
