Computer Standards & Interfaces 27 (2005) 521 – 532 www.elsevier.com/locate/csi
A formal model for pricing information systems insurance contracts

Costas Lambrinoudakis (a,*), Stefanos Gritzalis (a), Petros Hatzopoulos (b), Athanasios N. Yannacopoulos (b), Sokratis Katsikas (a)

(a) University of the Aegean, Department of Information and Communication Systems Engineering, Samos, GR 83 200, Greece
(b) University of the Aegean, Department of Statistics and Actuarial Science, Samos, GR 83 200, Greece

Available online 2 February 2005

Abstract

Information systems security has become a top priority issue for most organisations worldwide, mainly because of the rapidly increasing number of threats and the highly sophisticated methods used to realise attacks. The typical reaction of IT officials is to protect their systems through a series of technical security measures. However, in the absence of a scientifically sound methodology for evaluating the cost-effectiveness of the security measures employed, they are unable to quantify the security level of their system and thus to determine the appropriate amount to invest in its protection. Another option that organisations can explore is to insure their information systems against potential security incidents, aiming to offset the consequences they will experience, in terms of financial losses, through the compensation they will receive from the insurance company. Even in that case, though, the difficulty for the insurance company is the calculation of the appropriate premium. In this paper we present a probabilistic structure, in the form of a Markov model, that provides detailed information about all possible transitions of the system state in the course of time. Specifically, we are interested in transitions from the fully operational system state to other, non-fully operational states that may result from a security incident. This probabilistic structure enables both the estimation of the insurance premium and the valuation of the security investment.

© 2005 Elsevier B.V. All rights reserved.

Keywords: Information systems security; Risk analysis and management methodology; Markov model; Transition intensity approach; Information systems insurance; Premium estimation; Valuation of security investment
* Corresponding author: C. Lambrinoudakis (co-authors S. Gritzalis, P. Hatzopoulos, A.N. Yannacopoulos, S. Katsikas).
0920-5489/$ - see front matter © 2005 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2005.01.010

1. Introduction
Over the last decade the evolution of Information and Communication Technologies (ICT) has created new opportunities for the implementation of novel applications and the provision of high quality services over global networks. Active participation in this "information society era" is nowadays an absolute prerequisite for organisations and public bodies wishing to remain competitive in the global electronic marketplace. However, together with the advantages, some serious concerns have been raised. Progressively, the operation, but also the investment protection, of most organisations worldwide has come to depend largely on the effectiveness and robustness of their information systems. Therefore, information systems security has become an issue of paramount importance, attracting the attention of the scientific community and of commercial companies alike.

One of the top priorities for almost any organisation today is to protect its information system against potential risks. These risks can seriously disturb the operation of the system, causing a security incident in the form of unavailability of an end-user service or loss of data confidentiality and/or integrity. Following a security incident, the impact on the organisation, in terms of the consequences caused, may vary from very small to very large, and is most of the time expressed in terms of financial losses. According to CERT, the number of security incidents grows exponentially: the number of reported security incidents in 1996 was 2,573, while in 2003 it was 137,529 [2]. Furthermore, Cavusoglu et al. [3] have calculated that, on average, compromised organisations lost approximately 2.1% of their market value within 2 days of the incident. Consequently, in an attempt to minimise the probability of a security incident occurring, organisations have started investing in security enhancing technologies. Moitra and Konda [10] have demonstrated that as organisations start investing in information systems security their protection increases rapidly, while it increases at a much slower rate once the investment reaches a much higher level. A series of questions is therefore raised:

• How far should organisations go in investing in the security of their information systems?
• Are they aware of the residual risk for their information systems and of the consequences they will face in the event of a security incident?
• How can they evaluate the effectiveness of the security measures they invest in?

Recently, there has been considerable interest from the economics community in addressing the above issues. Indicatively, Anderson in Ref. [1] applies economic analysis and employs the language of microeconomics (network externalities, asymmetric information, moral hazard, adverse selection, liability dumping, etc.) to explain a number of phenomena that security researchers had previously found to be pervasive but perplexing. Also, in Ref. [6] Gordon and Loeb present an economic model for determining the optimal amount to invest for protecting a given set of information. Finally, in Ref. [12] Varian constructs a model based on economic agents' decisions about the effort they spend, to study system reliability.

Another approach that organisations could consider for enhancing the security of their information systems is to transfer specific technological risks to a financial (insurance) market, covering the financial losses that they may experience in case of a security incident. It should be emphasised that such an approach cannot and will not "replace" the technical security measures; it acts as a complement to them. Similar ideas have been expressed, at a conceptual level, by Gordon et al. in Ref. [7]. The formal probabilistic model proposed in this paper aims to support the transition of the above ideas from a conceptual to a practical level, assisting insurance companies to calculate the appropriate premium in a consistent and accurate way.

Let us consider an example. An insurance company, in order to calculate a premium that covers a car against theft or fire, must at least have an accurate estimate of the car's current value. If the client provides additional information, for instance that a car alarm is installed, this is evaluated by the insurance company and may result in a reduced premium. By analogy, an insurance company, in order to calculate the premium for an information system, will seek the following information:

• What is the financial loss that the organisation will experience as a result of every possible security incident?
• How secure, i.e. how well protected against potential risks, is the information system?
However, none of the above questions can be answered in a straightforward and accurate way, mainly because of the following facts:

a) Every day new threats appear. How can someone quantify the consequences of a potential security incident if one does not even know which are the major threats that the information system is facing?
b) The effectiveness of a security measure cannot be expressed in quantitative terms. It can only be evaluated during real attacks against the system, after the measure has been installed and integrated into the system's operation. Even in this case the evaluation cannot be accurate, since there is no way to know whether a specific security measure has really prevented a security incident or not. This is analogous to a home alarm system: if there is no record of a theft attempt, we do not really know whether this is because the alarm prevented it or because it simply did not happen, irrespective of the existence of the alarm.
c) Finally, the environment of the information system has a significant impact both on the number and severity of potential threats and on the effectiveness of the security measures. For instance, the security requirements identified for an Internet-based system are not the same as those for a system using a wireless network instead. Also, an authentication mechanism may be extremely effective for the Internet-based system but not for the wireless environment.

Summarising, there are two complementary approaches that an organisation could follow for protecting its information system. The first and most common one is to invest in a series of technical, organisational and procedural measures that will ensure an adequate level of security. Section 2 presents a scientifically sound methodology, namely the risk analysis and management methodology, that can be used for selecting these security measures, combining cost-efficiency and effectiveness. Through the description of the methodology the reader will find the answers to the questions posed at the beginning of this section.

Keeping in mind that complete security is not feasible, and that irrespective of the amount invested in security measures there will always be a residual risk that leaves room for potential security incidents, organisations can also consider insuring their systems. Section 3 introduces a Markov model that can be used for describing the system, while Section 4 demonstrates how this model can be used for the estimation of the appropriate insurance premium, providing a satisfactory solution to the problems posed earlier in this section. Furthermore, as explained in Section 5, the same Markov model can be used to support organisations in performing a cost-benefit analysis and deciding on the amount of money they should invest in technical measures for enhancing the protection of their system. Finally, Section 6 provides some concluding remarks.
2. Risk analysis and management methodology

Risk analysis and management is a methodology for the establishment of a secure information system. It tackles the security problems and assists the analysts in selecting the measures that will ensure, in a cost-effective way, a level of security that is commensurate with the level of risk (adequate security). Furthermore, through a risk analysis study, security analysts can accurately derive the residual risk for the information system; this is expressed in terms of the threats and system vulnerabilities that have not been covered by some security measure, normally because of the high cost involved. Also, on completion of the study the organisation has a clear picture of the impact, in financial terms, that will be caused if any asset of the information system is compromised. Finally, it should be stressed that, in order to evaluate the security of the system and thus the effectiveness of the security measures employed, risk analysis must be seen as a live process of the information system. In other words, the study must be repeated at regular intervals, each time taking into account the security mechanisms integrated into the system.

A database of risk analysis and management methods, developed within the Infosec Programme of the European Commission, contains more than seventy methods [4]. However, the generic model of several of them is similar and consists of the following main stages [5,9].

2.1. Identify and valuate the assets of the information system

The main assets of an information system are the equipment, the systems software, the applications software and the data. All of them have a value that can be measured in terms of:

• their purchase price (e.g. a computer system), or
• the price of reconstructing an asset (e.g. rebuilding a custom-made application), or
• the impact, in financial terms, that will be caused to the owner of a compromised asset (e.g. loss of customers due to unavailability of a service, legal action against the organisation due to disclosure of sensitive data, bad reputation due to the loss of integrity of selected data, etc.).

By following the steps specified by the risk analysis methodology for this stage, the security analysts can derive the impact value of every asset in the information system. It is emphasised that the impact value of an asset may vary according to the incident type; for instance, the impact of the loss of confidentiality of a specific asset may be much higher than that of the unavailability of the same asset.

2.2. Identify and assess threats and vulnerabilities

The threats that the information system is facing can exploit certain system vulnerabilities and thus damage specific system assets (Fig. 1). During this stage, the security analysts identify, for each asset $A_k$, $k=1,\dots,M$, of the information system, the set of threats that over some period of time can exploit certain system vulnerabilities in order to harm asset $A_k$ and cause a security incident. Assuming that the asset $A_k$ has not been compromised, and thus that the system is fully operational, being in state 0 at time $u$, $S(u)=0$, if a security incident occurs at time $t$, $u \le t$, damaging asset $A_k$, the system will move to a new state $i$, $S(t)=i$, where $i=1,\dots,N$. For every possible system state $i$, each one representing a different type of security incident on asset $A_k$, the security analysts will estimate:

• the occurrence rate of each threat attempting to harm asset $A_k$;
• the probability of each threat exploiting a system vulnerability and damaging asset $A_k$, given that the threat has occurred.

2.3. Risk assessment

The combination {threat, vulnerability, impact} provides a measure of the risk level an asset is exposed to. Specifically, if we assume that the system can move from the fully operational state 0 to a state $i$, $i=1,\dots,N$, as a result of different security incidents on asset $A_k$, then:

• The impact (financial loss) for the owner of the asset $A_k$ caused by a security incident that brings the system to state $i$ is $L_i$, $i=1,\dots,N$ (this is the impact value derived for asset $A_k$ during stage 2.1 of the methodology).
• If at time $u$ the system rests in the fully operational state 0 ($S(u)=0$), the transition rate to some state $i$ at time $t$ ($S(t)=i$), as a result of a security incident on asset $A_k$, is $\lambda_{0i}(u)$. This is computed from the results of stage 2.2 of the methodology.

These transition rates characterise the system, as shown in Section 3 below.

2.4. Risk management

The derived risk levels are assessed in order to select, in a cost-effective and justifiable (commensurate with the level of risk) way, the appropriate security measures. It should be stressed that the risk management process takes into account any existing security measures by assessing their effectiveness against specific threats.
[Fig. 1. Risk analysis generic entities: Threats, Vulnerabilities, Incidents, Assets, Impacts and Owner, connected by the relations "exploit", "damage", "cause", "have" and "on".]

3. A Markov model describing the system

Let us assume that the information system may end up in one of $N$ different states after possible security incidents that affect a single asset $A_k$, $k=1,\dots,M$. We denote these states by $i$, $i=1,\dots,N$. By $i=0$ we denote the state in which no successful attack has been made on the information system and thus it is fully operational. We assume that at time $t=0$ the information system is in the fully operational state $i=0$ and that, as time passes, it may end up in one of the non-fully operational states $i=1,\dots,N$. Following a risk analysis study, during which the information system has been modelled taking into account all security mechanisms installed at that time, the transition rates from state 0 to any other state $i$, as a result of a security incident compromising asset $A_k$, are known. Furthermore, the impact (financial loss) $L_i$ of every possible security incident has been computed. These data, as far as asset $A_k$ is concerned, are listed for different types of security incidents in Table 1. Without loss of generality, in the rest of the paper we focus on a single asset ($M=1$) of the information system.

Assume now that the owner of the information system enters an insurance contract with the following terms. If the information system ends up in state $i$, $i \ne 0$, then the owner of the information system will receive some compensation, which of course depends on the state the information system is in at time $t$. This compensation may be either in the form of continuous payments $c_i(s)$ (that is, the owner of the information system receives the compensation $c_i(s)\,ds$ in the time interval $(s, s+ds)$ if the information system is in state $i$ at time $s$), or in the form of lump sums $d_i(s)$.
Without loss of generality we will only consider the case of continuous compensation payments. The compensation received by the owner of the information system in case of a security incident reflects the value of the data or of the services provided by the information system which may no longer be provided as a result of the security incident. Note that the benefit received in state $j$ is not necessarily equal to the loss $L_j$ caused by the occurrence of state $j$, since the client may choose an insurance contract that offers lower compensation than her true loss in order to obtain a lower premium.

In order to be entitled to such compensation the owner of the information system has to pay some premium to the insurance company. The premium is paid only as long as the information system is in the fully operational state 0, and payment of the premium stops automatically when any type of security incident happens. Again without loss of generality we may assume that the premium is paid continuously at rate $p_0(s)$. That is, the sum paid by the information system owner in the time interval $(s, s+ds)$, as long as the information system is fully operational in this time interval, is $p_0(s)\,ds$. The case where the premium is paid discretely, e.g. in monthly instalments, may be included in the model in a straightforward manner; it is omitted here to keep the exposition simple.

One of the most important steps in the study of the various issues related to the operation and security of the information system is the determination of the probability distribution of the state of the system at various times. In order to obtain it we propose a Markov model [8] that describes the transitions between the various possible states of the system.

Table 1. Transition rates and impact values for security incidents on an asset of the information system

Security incident           | System state i | Transition rate from state 0 to state i, S(u)=0 -> S(t)=i | Impact value (loss) L_i | Comments
----------------------------|----------------|------------------------------------------------------------|-------------------------|-----------------------------------------------------------
N/A                         | State 0        | N/A                                                        | N/A                     | System fully operational. No security incidents have occurred.
Unavailability of asset A_k | State 1        | λ_01(u)                                                    | L_1                     | Asset A_k is unavailable for 10 min
                            | State 2        | λ_02(u)                                                    | L_2                     | Asset A_k is unavailable for 1 day
                            | State 3        | λ_03(u)                                                    | L_3                     | Asset A_k is unavailable for 1 week
Loss of confidentiality     | State 10       | λ_0,10(u)                                                  | L_10                    | Data (asset A_k) disclosed to insiders
                            | State 11       | λ_0,11(u)                                                  | L_11                    | Data (asset A_k) disclosed to outsiders
                            | State 12       | λ_0,12(u)                                                  | L_12                    | Data (asset A_k) disclosed to service providers
Loss of integrity           | State N-1      | λ_0,N-1(u)                                                 | L_{N-1}                 | Small scale data errors on asset A_k
                            | State N        | λ_0N(u)                                                    | L_N                     | Deliberate modification of data (asset A_k)

Let us assume the simplest possible structure, in which the only transitions allowed are the transitions $0 \to i$, $i=1,\dots,N$. By $S(t)$ we denote the state of the system at time $t$. We assume that $S(0)=0$ and that $\{S(t);\ t \ge 0\}$ is a continuous-time stochastic process with values in the finite set $\{0,1,\dots,N\}$. Further, we assume that the states $1,2,\dots,N$ are absorbing, that is, it is not possible to leave such a state once it has been entered, as shown in Fig. 2.

[Fig. 2. Set of states and set of transitions: state 0 with a transition to each of the absorbing states 1, 2, ..., N.]

Clearly, $S(t)$ takes one of the values $0,1,\dots,N$. In the framework of the Markov model the most important quantities are the transition probabilities between states,
$$P_{ij}(u,t) := P[S(t)=j \mid S(u)=i],$$
that is, the probability that the information system is in state $j$ at time $t$ given that it was in state $i$ at time $u$, $u \le t$. Clearly $P_{ij}(t,t) := \delta_{ij}$, where $\delta_{ij}$ is the Kronecker delta, and the transition probabilities must fulfil the conditions $0 \le P_{ij}(u,t) \le 1$ for all $u,t$ and
$$\sum_{j=0}^{N} P_{ij}(u,t) = 1,$$
which means that, once in state $i$ at time $u$, the system must be in one of the states $0,1,\dots,N$ at time $t$, $u \le t$. Of considerable interest is also the occupancy probability of a state,
$$\bar{P}_{ii}(u,t) := P[S(z)=i,\ \forall z \in [u,t] \mid S(u)=i].$$

By the general theory of Markov processes in continuous time we know that the model is fully determined by the transition rates (or intensities), the so-called transition intensity approach (TIA). The transition rate between states $i$ and $j$, $i \ne j$, is defined as
$$\lambda_{ij}(u) = \lim_{t \to u} \frac{P_{ij}(u,t)}{t-u},$$
and the probabilistic structure is completely defined by the matrix $M(t) = \|\lambda_{ij}(t)\|$, with the convention $\lambda_{jj}(t) = -\lambda_j(t)$, where
$$\lambda_j(t) = \sum_{j' : j' \ne j} \lambda_{jj'}(t).$$
Note that the expression $\lambda_j(t)\,dt$ can be interpreted as the conditional probability of leaving state $j$ over the infinitesimal interval $[t, t+dt]$, given that the system is in state $j$ at time $t$.

The forward Kolmogorov equation may be used to calculate the transition probabilities from the transition rates. This equation reads
$$\frac{d}{dt} P_{ij}(z,t) = \sum_{k : k \ne j} P_{ik}(z,t)\,\lambda_{kj}(t) - P_{ij}(z,t)\,\lambda_j(t),$$
with initial condition $P_{ij}(z,z) = \delta_{ij}$.

We now provide the solution of the forward Kolmogorov equation for our model. Since only transition rates of the form $\lambda_{0j}$ are non-zero, the Kolmogorov equation for $P_{00}$ becomes
$$\frac{d}{dt} P_{00}(z,t) = -P_{00}(z,t)\,\lambda_0(t),$$
which can be readily solved to give
$$P_{00}(z,t) = \exp\left(-\int_z^t \lambda_0(s)\,ds\right),$$
where
$$\lambda_0(t) = \lambda_{01}(t) + \dots + \lambda_{0N}(t).$$
For the transition probabilities $P_{0j}$, $j \ne 0$, the Kolmogorov equations read
$$\frac{d}{dt} P_{0j}(z,t) = P_{00}(z,t)\,\lambda_{0j}(t),$$
with initial condition $P_{0j}(z,z)=0$. This is readily integrated to give
$$P_{0j}(z,t) = \int_z^t \exp\left(-\int_z^v \lambda_0(s)\,ds\right) \lambda_{0j}(v)\,dv.$$

In the special case of constant transition rates, i.e. $\lambda_{ij}(t) = \lambda_{ij}$, so that the Markov process is time-homogeneous, the above simplify to
$$P_{00}(z,t) = \exp(-\lambda_0 (t-z)),$$
$$P_{0j}(z,t) = \frac{\lambda_{0j}}{\lambda_0}\left(1 - \exp(-\lambda_0 (t-z))\right),$$
where $\lambda_0 = \lambda_{01} + \dots + \lambda_{0N}$.

The occupancy probabilities of the various states may be calculated through the Kolmogorov equations or the Chapman–Kolmogorov equations to be
$$\bar{P}_{00}(z,t) = \exp\left(-\int_z^t \lambda_0(s)\,ds\right),$$
$$\bar{P}_{ii}(z,t) = 1, \qquad i=1,\dots,N,$$
the last relation confirming the fact that the states $i=1,\dots,N$ are absorbing.
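The model of this section as an added worked example in Python (example code written for this edit, not code from the paper): it builds the rates λ_0j of Table 1 from per-threat occurrence rates and exploitation probabilities as Sections 2.2 and 2.3 describe (treating successful attempts as a thinned Poisson process, which is an assumption added here and not stated by the authors), evaluates the constant-rate closed forms, integrates the forward Kolmogorov equations numerically for time-dependent rates, and cross-checks that against the integral solution given above. All threat data, rates and losses are constructed for illustration.

```python
# Added example, not code from the paper: the absorbing Markov model of
# Section 3 with the transition rates λ_0j built as in Sections 2.2-2.3.
# The threat data, rates and losses below are constructed for illustration.
import math
from typing import Callable, List, Sequence, Tuple

Threat = Tuple[float, float]   # (occurrence rate of a threat, P[it exploits a vulnerability])
RateFn = Callable[[float], float]


def transition_rate(threats: Sequence[Threat]) -> float:
    """λ_0i for one incident type.  Assumption (not stated in the paper): threat
    attempts arrive as independent Poisson streams and each succeeds with its
    estimated probability, so successful attempts form a thinned Poisson
    process whose rate is Σ rate * P[success]."""
    return sum(rate * p_success for rate, p_success in threats)


def const_transition_probs(rates: Sequence[float], z: float, t: float) -> List[float]:
    """[P_00, P_01, ..., P_0N](z, t) for constant rates (time-homogeneous case):
    P_00 = e^{-λ_0 (t-z)},  P_0j = λ_0j/λ_0 (1 - e^{-λ_0 (t-z)})."""
    lam0 = sum(rates)
    if lam0 == 0.0:                     # no threats: the system never leaves state 0
        return [1.0] + [0.0] * len(rates)
    p00 = math.exp(-lam0 * (t - z))
    return [p00] + [r / lam0 * (1.0 - p00) for r in rates]


def kolmogorov_transition_probs(rate_fns: Sequence[RateFn], z: float, t: float,
                                steps: int = 2000) -> List[float]:
    """[P_00, ..., P_0N](z, t) for time-dependent rates λ_0j(s), by integrating
    the forward Kolmogorov equations of the model with classical RK4.  Only
    0 -> j transitions exist and states 1..N are absorbing, so
        dP_00/dt = -P_00 λ_0(t),   dP_0j/dt = P_00 λ_0j(t),   λ_0 = Σ_j λ_0j."""
    def deriv(s: float, p: List[float]) -> List[float]:
        lam = [f(s) for f in rate_fns]
        return [-p[0] * sum(lam)] + [p[0] * lj for lj in lam]

    p = [1.0] + [0.0] * len(rate_fns)   # P_ij(z, z) = δ_ij, system in state 0
    h = (t - z) / steps
    for n in range(steps):
        s = z + n * h
        k1 = deriv(s, p)
        k2 = deriv(s + h / 2, [pi + h / 2 * ki for pi, ki in zip(p, k1)])
        k3 = deriv(s + h / 2, [pi + h / 2 * ki for pi, ki in zip(p, k2)])
        k4 = deriv(s + h, [pi + h * ki for pi, ki in zip(p, k3)])
        p = [pi + h / 6 * (a + 2 * b + 2 * c + d)
             for pi, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return p


def integral_transition_probs(rate_fns: Sequence[RateFn], z: float, t: float,
                              steps: int = 2000) -> List[float]:
    """The same probabilities from the paper's integral solution,
        P_00(z,t) = exp(-∫_z^t λ_0),   P_0j(z,t) = ∫_z^t exp(-∫_z^v λ_0) λ_0j(v) dv,
    evaluated with the composite trapezoidal rule on a common grid."""
    h = (t - z) / steps
    lam = [[f(z + n * h) for f in rate_fns] for n in range(steps + 1)]
    lam0 = [sum(row) for row in lam]
    cum = [0.0]                         # cum[n] = ∫_z^{z+nh} λ_0(s) ds
    for n in range(steps):
        cum.append(cum[-1] + h / 2 * (lam0[n] + lam0[n + 1]))
    surv = [math.exp(-c) for c in cum]  # P_00(z, z+nh)
    p0j = []
    for j in range(len(rate_fns)):
        g = [surv[n] * lam[n][j] for n in range(steps + 1)]
        p0j.append(h * (sum(g) - (g[0] + g[-1]) / 2))
    return [surv[-1]] + p0j


def expected_loss(probs: Sequence[float], losses: Sequence[float]) -> float:
    """Σ_j P_0j L_j: the expected impact over the horizon, from the Table 1 columns."""
    return sum(p * L for p, L in zip(probs[1:], losses))


# Constructed Table 1 data for one asset (rates per year).  State 1: short outage,
# state 2: day-long outage, state 3: data disclosed to outsiders.
THREATS_PER_STATE = [
    [(12.0, 0.04), (2.0, 0.10)],        # e.g. DoS attempts and hardware faults
    [(1.5, 0.05)],
    [(4.0, 0.005)],
]
RATES = [transition_rate(th) for th in THREATS_PER_STATE]   # ≈ [0.68, 0.075, 0.02]
LOSSES = [500.0, 20000.0, 200000.0]                          # L_1, L_2, L_3

if __name__ == "__main__":
    probs = const_transition_probs(RATES, 0.0, 1.0)
    for j, pj in enumerate(probs):
        print(f"P_0{j}(0, 1) = {pj:.4f}")
    print(f"expected loss over one year: {expected_loss(probs, LOSSES):.2f}")
```

The RK4 integrator is the route to take when a security measure changes the rates part-way through the horizon (λ_0j(s) piecewise or decaying), which is exactly the situation the repeated risk analysis of Section 2 produces; for constant rates it reproduces the closed forms to rounding error.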
4. Insurance of the system

The question we wish to answer in this section, using this simple model, is how the insurance company can calculate the fair amount of money it will charge for this insurance service, that is, how one may calculate the net or mathematical premium. There is no unique way to do this; however, we present here a simple, actuarially fair way of determining the cost of this service.

4.1. Actuarial values of premium and benefits

Having obtained the probabilistic structure of the model, which allows us to characterise the state of the system at various times, we may now calculate the actuarial values of the net premium and the benefits [8]. Let us explain briefly what we mean by actuarial values. The benefits as well as the net premium received depend on the state of the information system, which is random. Thus the benefits and the net premium received at time $t$ are random variables. By actuarial value we mean the best possible prediction for these random variables given some information up to time $t$. Because of the Markov structure of the model, the information from time 0 to time $t$ is summarised by the information on the state of the system at time $t$, i.e. by the random variable $S(t)$. As the best possible prediction we take the conditional expectation of the random variable given the information provided by $S(t)$.

Note also that the benefits and the premium are paid at different times. In order to be able to compare sums of money received or paid at different times we need to evaluate their value at the same time instant. This is done using a properly chosen discounting factor. We assume (without loss of generality) that there is a constant deterministic interest rate $\delta$. Thus the discounting factor, relating the value of a payment at time $t$ to the value of this payment at time 0, is $e^{-\delta t}$. Under these assumptions, the present value at time $t$ of a continuous benefit at rate $c_j(u)$ paid by the insurance company to the owner of the information system at time $u$, as long as $S(u)=j$, is the random sum of money
$$Y_t = e^{-\delta(u-t)}\,\mathbf{1}_{\{S(u)=j\}}\,c_j(u)\,du,$$
where by $\mathbf{1}_{\{S(u)=j\}}$ we denote the indicator of the event $\{S(u)=j\}$ and $c_j(u)\,du$ is the benefit amount paid out in the infinitesimal interval $[u, u+du]$. The present value at time $t$ of a continuous benefit obtained at rate $c_j(u)$ between times $t_1$ and $t_2$, as long as $S(u)=j$, is
$$Y_t(t_1,t_2) = \int_{t_1}^{t_2} e^{-\delta(u-t)}\,\mathbf{1}_{\{S(u)=j\}}\,c_j(u)\,du, \qquad t \le t_1 \le t_2.$$

As stated above, the actuarial values are expected present values. These are random variables whose value depends on the state of the system. For instance, if $S(t)=i$ then the actuarial value of the benefit obtained between times $t_1$ and $t_2$ as compensation for the system being in state $j$ is
$$Y_{t,i,j} := E[Y_t(t_1,t_2) \mid S(t)=i] = \int_{t_1}^{t_2} e^{-\delta(u-t)}\,P_{ij}(t,u)\,c_j(u)\,du.$$

In a similar manner one may calculate the premium. Let us assume that the premium rate $p_j(u)$ varies with the state $j$ the system is in. The actuarial value of the net premium at time $t$, paid at time $u$ if the system is in state $j$, given $S(t)=i$, is
$$\Pi_{t,i,j}(u) := e^{-\delta(u-t)}\,P_{ij}(t,u)\,p_j(u)\,du.$$
The premium paid between times $t_1$ and $t_2$ is
$$\Pi_{t,i,j}(t_1,t_2) := \int_{t_1}^{t_2} e^{-\delta(u-t)}\,P_{ij}(t,u)\,p_j(u)\,du, \qquad t \le t_1 \le t_2.$$

The total benefits and premium paid result as the sum over all possible states. Thus the actuarial values of the benefits and of the premium at time $t$, paid between times $t$ and $T$, if the system is in state $S(t)=i$ at time $t$, are
$$B_i(t,T) = \int_t^T e^{-\delta(u-t)} \sum_{j=0}^{N} P_{ij}(t,u)\,b_j(u)\,du,$$
$$\Pi_i(t,T) = \int_t^T e^{-\delta(u-t)} \sum_{j=0}^{N} P_{ij}(t,u)\,p_j(u)\,du,$$
where from here on we write $b_j(u)$ for the benefit rate $c_j(u)$ in state $j$ (with $b_0(u) \equiv 0$, since no compensation is paid while the system is fully operational). By $T$ we denote the term of the contract, i.e. the time when the contract expires.

4.2. Calculation of the premium

For the calculation of the premium one may follow several approaches (possibly giving different results). We present here a simple way of obtaining the premium which does not involve the use of utility functions. The insurance contract is entered at time $t=0$ when the system is in state 0. A fair way to calculate the premium is to use the principle of equivalence. This means that we choose the premium in such a way that the actuarial value of the benefits at time $t=0$ and in state 0 is equal to the actuarial value of the total premium paid, again calculated at time $t=0$ and in state 0. Mathematically this means that
$$B_0(0,T) = \Pi_0(0,T).$$
According to this principle the insured expects to pay to the insurer as much as she expects to get (of course in terms of estimates of the random variables involved). In our simple model the insured pays the premium only when the system is in state 0. Also, for our model only the transition probabilities $P_{0i}$ are non-zero. Therefore we have that
$$B_0(0,T) = \int_0^T e^{-\delta u} \sum_{j=1}^{N} P_{0j}(0,u)\,b_j(u)\,du,$$
$$\Pi_0(0,T) = \int_0^T e^{-\delta u}\,P_{00}(0,u)\,p_0(u)\,du.$$
Using the equivalence principle and the expressions for the transition probabilities obtained in Section 3, we have the following relation (in the case of constant transition rates):
$$\int_0^T e^{-\delta u} \sum_{j=1}^{N} \lambda_{0j}\left(1 - e^{-\lambda_0 u}\right) b_j(u)\,du = \lambda_0 \int_0^T e^{-\delta u}\,e^{-\lambda_0 u}\,p_0(u)\,du.$$
This may be treated as an integral equation with unknown function $p_0(u)$; its solution furnishes the net premium that has to be paid at time $u$ while the system is in state 0. It is a Fredholm integral equation of the first kind. The solution is particularly simple if we assume $p_0(u) = p_0 = \text{constant}$. Then the net premium is equal to
$$p_0 = \frac{\delta + \lambda_0}{\lambda_0}\,\frac{1}{1 - e^{-(\delta+\lambda_0)T}} \int_0^T e^{-\delta u} \sum_{j=1}^{N} \lambda_{0j}\left(1 - e^{-\lambda_0 u}\right) b_j(u)\,du.$$
Other forms of the premium, possibly time dependent, can also be treated.
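The premium calculation of this section as an added worked example in Python (example code written for this edit, not the paper's own): it evaluates the constant-premium solution p_0 by quadrature and then checks numerically that the equivalence principle B_0(0,T) = Π_0(0,T) holds for it, and that a security measure which lowers the transition rates lowers the premium. The rates, benefit schedules, interest rate and term are constructed; the benefits are taken as constant rates b_j paid for as long as the system remains in the absorbing state j, as in the model above.

```python
# Added example (not the paper's code): net premium of Section 4.2 under
# constant transition rates, and a numerical check of the equivalence
# principle B_0(0,T) = Π_0(0,T).  All figures are constructed for illustration.
import math
from typing import Callable, Sequence

Benefit = Callable[[float], float]     # b_j(u): compensation rate while the system is in state j


def simpson(f: Callable[[float], float], a: float, b: float, n: int = 2000) -> float:
    """Composite Simpson rule on [a, b] with an even number n of panels."""
    n += n % 2
    h = (b - a) / n
    total = f(a) + f(b) + sum((4 if k % 2 else 2) * f(a + k * h) for k in range(1, n))
    return total * h / 3


def p0j_const(rates: Sequence[float], j: int, u: float) -> float:
    """P_0j(0,u) = λ_0j/λ_0 (1 - e^{-λ_0 u}) from Section 3, j = 1..N."""
    lam0 = sum(rates)
    return rates[j - 1] / lam0 * (1.0 - math.exp(-lam0 * u))


def benefit_value(rates: Sequence[float], benefits: Sequence[Benefit],
                  delta: float, T: float) -> float:
    """B_0(0,T): expected present value at contract start of all compensation,
    summed over the absorbing states j = 1..N (no benefit is paid in state 0)."""
    def integrand(u: float) -> float:
        return math.exp(-delta * u) * sum(p0j_const(rates, j + 1, u) * b(u)
                                          for j, b in enumerate(benefits))
    return simpson(integrand, 0.0, T)


def premium_value(rates: Sequence[float], p0: float, delta: float, T: float) -> float:
    """Π_0(0,T) for a constant premium rate p_0, paid only while S(u)=0,
    i.e. weighted by P_00(0,u) = e^{-λ_0 u}."""
    lam0 = sum(rates)
    return simpson(lambda u: math.exp(-(delta + lam0) * u) * p0, 0.0, T)


def net_premium(rates: Sequence[float], benefits: Sequence[Benefit],
                delta: float, T: float) -> float:
    """Constant net premium p_0 solving the Fredholm equation of Section 4.2:
    p_0 = (δ+λ_0) / (λ_0 (1 - e^{-(δ+λ_0)T})) ∫_0^T e^{-δu} Σ_j λ_0j (1 - e^{-λ_0 u}) b_j(u) du."""
    lam0 = sum(rates)

    def integrand(u: float) -> float:
        return math.exp(-delta * u) * (1.0 - math.exp(-lam0 * u)) * sum(
            r * b(u) for r, b in zip(rates, benefits))

    factor = (delta + lam0) / (lam0 * (1.0 - math.exp(-(delta + lam0) * T)))
    return factor * simpson(integrand, 0.0, T)


# Constructed contract: rates per year for a 10-minute outage, a one-day outage
# and a disclosure incident; compensation rates per year while in that state;
# interest rate 5% per year; one-year term.
RATES = [0.5, 0.1, 0.02]
BENEFITS = [lambda u: 500.0, lambda u: 20000.0, lambda u: 200000.0]
DELTA, TERM = 0.05, 1.0

if __name__ == "__main__":
    p0 = net_premium(RATES, BENEFITS, DELTA, TERM)
    print(f"net premium rate p_0 = {p0:.2f} per year while fully operational")
    print(f"B_0(0,T) = {benefit_value(RATES, BENEFITS, DELTA, TERM):.2f}, "
          f"Pi_0(0,T) = {premium_value(RATES, p0, DELTA, TERM):.2f}")
```

Because p_0 is linear in the benefit schedule, scaling the b_j scales the premium; a change in the rates, which is how a security measure enters the model, does not scale it, which is why the reduction has to be recomputed rather than read off.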
5. Valuation of the maximum investment on security measures

In this section we address the problem of finding the maximum amount that an organisation should invest in security measures to achieve an adequate level of security for the information system. We will use the Markov model proposed in Section 3 to provide a way for a fair estimation of this cost. The problem has an intertemporal structure (time dependence). However, for ease of presentation we first present the methodology for resolving this problem in the time independent case, before proceeding to the time dependent case in Section 5.2.

5.1. The time independent case

For simplicity, let us assume that all consequences an organisation may face as a result of some security incident can be modelled as financial losses. We therefore consider that the possible financial loss of the organisation is a random variable $X$ which (without loss of generality) may be described by a probability density $f(x)$. We also assume that the organisation has the option to invest an amount $p$ in installing a series of technical security measures that will protect it against the aforementioned financial losses. The question we wish to answer is the following: is there a consistent way to price the security measures? There is no single answer to this question. The question of pricing goods has troubled economists for long, and several methodologies have been proposed for its resolution. We present here a simple way based on the use of utility functions [11].

Let us assume that the organisation has a utility function for its data, say $u$. Since in this simple model we assume that all consequences resulting from a security incident can be translated into financial losses, it is reasonable to assume that this utility function expresses the attitude of the organisation towards financial losses, i.e. it provides a way to evaluate how important a financial loss caused by a security incident is for the organisation. Since losses are random, this utility function is a function $u: I \to \mathbb{R}$, where $I$ is the space of all possible random losses (or, better, of all possible random wealth levels) of the organisation. Assume also that the initial wealth of the organisation is $w$ (which may be considered non-random without loss of generality). The organisation faces the following lottery (bet):

• If the organisation chooses to invest in the technical security measures, then it pays $p$ (a non-random price) and ends up with the riskless wealth $w - p$.
• If the organisation chooses not to adopt the security measures, it is subject to possible security incidents which will cause a financial loss $X$, randomly distributed with probability density $f(x)$. Thus it ends up with the risky wealth $w - X$.

The organisation makes economic decisions according to the preferences described by its utility function. Since it is asked to make decisions in an uncertain environment, we have to model in some way its attitude towards risk. There is a vast literature in economics in this direction. In this preliminary model we adopt the classical way of treating this problem through the use of expected utility, proposed by von Neumann and Morgenstern in the 1940s. According to this approach, the organisation makes its decisions using as a decision making tool the expectation of its random utility. In this context we may provide an estimate for the maximum cost an organisation is willing to undertake for the security measures. The maximum cost $p_m$ will be such that the two possible outcomes in the above lottery are indifferent to the organisation. By that we mean that the expected utility of the two possible outcomes is the same, that is,
$$u(w - p_m) = E[u(w - X)] = \int_{L_{\min}}^{L_{\max}} u(w - x)\,f(x)\,dx, \qquad (1)$$
where L min and L max is the minimum and maximum financial loss of the organisation, respectively. Note that the left hand side does not have an expectation sign since the first outcome is a certain outcome. The solution to this functional equation will provide the maximum cost the organisation is willing to undertake for securing its information system. An alternative formulation to this problem is to assume that we may express the financial loss in terms of proportional loss, that is the loss will be wX. In this
case we may denote the cost as $P_m$ and by arguments similar to the above we may see that the cost will be given by the solution of the equation

$$u(w - P_m) = E[u(w - w X)] = \int_{L_{\min}}^{L_{\max}} u(w - w x)\, f(x)\, dx. \qquad (2)$$
Of course the crucial question in the above arguments is how one may obtain the utility function of the organisation. One may always use econometric models based on questionnaires, which may allow us to deduce the organisation's preferences. However, fundamental economic considerations have led to some basic classes of utility functions, which may be used to describe the organisation's preferences. These classes are:

1. $u(w) = c_1 - c_2\, e^{-k w}$, the so-called utility functions with constant absolute risk aversion.
2. $u(w) = \ln(w)$, or $u(w) = w^{\gamma}/\gamma$ with $\gamma < 1$, the so-called utility functions with constant relative risk aversion.

The first class of utility functions, as we shall see, allows us to obtain a particularly simple form for the pricing equation when the losses are in absolute form as in Eq. (1). The second class of utility functions allows us to obtain a particularly simple form for the pricing equation when losses are in relative form as in Eq. (2). Example: assume that the financial losses are expressed in absolute form and that the organisation has a utility function of the form $u(w) = c_1 - c_2\, e^{-k w}$. Then the pricing Eq. (1) becomes

$$c_1 - c_2\, e^{-k (w - p_m)} = \int_{L_{\min}}^{L_{\max}} \left( c_1 - c_2\, e^{-k (w - x)} \right) f(x)\, dx$$

which (using the fact that f(x) is a probability density) simplifies to

$$e^{k p_m} = \int_{L_{\min}}^{L_{\max}} e^{k x} f(x)\, dx$$

so that

$$p_m = \frac{1}{k} \ln \int_{L_{\min}}^{L_{\max}} e^{k x} f(x)\, dx.$$
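As an added worked example (not code from the paper), the pricing Eq. (1) is solved numerically by bisection for a constructed loss density and compared with the closed form just derived for constant absolute risk aversion; the wealth w, the coefficient k, the uniform loss density on $[L_{\min}, L_{\max}]$ and all numeric values are constructed assumptions.

```python
import math

# Constructed example values (not from the paper): wealth W, losses X uniform on
# [L_MIN, L_MAX] with density f(x) = 1 / (L_MAX - L_MIN), CARA utility u(w) = C1 - C2*exp(-K*w).
W, L_MIN, L_MAX, K = 1000.0, 0.0, 200.0, 0.01
C1, C2 = 1.0, 1.0

def u_cara(w, c1=C1, c2=C2, k=K):
    """Utility with constant absolute risk aversion, u(w) = c1 - c2 * exp(-k w)."""
    return c1 - c2 * math.exp(-k * w)

def f_uniform(x, lmin=L_MIN, lmax=L_MAX):
    """Constructed probability density of the loss: uniform on [lmin, lmax]."""
    return 1.0 / (lmax - lmin) if lmin <= x <= lmax else 0.0

def simpson(g, a, b, n=2000):
    """Composite Simpson rule for the integral of g over [a, b]; n must be even."""
    h = (b - a) / n
    s = g(a) + g(b) + sum((4 if i % 2 else 2) * g(a + i * h) for i in range(1, n))
    return s * h / 3

def expected_utility(u, f, w, lmin, lmax):
    """Right hand side of Eq. (1): E[u(w - X)] = integral of u(w - x) f(x) dx."""
    return simpson(lambda x: u(w - x) * f(x), lmin, lmax)

def max_security_cost(u, f, w, lmin, lmax, tol=1e-9):
    """Solve u(w - p_m) = E[u(w - X)] for p_m by bisection on [0, lmax].

    u(w - p) decreases in p and u(w) >= E[u(w - X)] >= u(w - lmax) because
    0 <= X <= lmax, so the root is bracketed by [0, lmax]."""
    target = expected_utility(u, f, w, lmin, lmax)
    lo, hi = 0.0, lmax
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if u(w - mid) > target:   # paying mid still beats the risky wealth: root is higher
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def cara_closed_form(f, lmin, lmax, k=K):
    """The paper's closed form for CARA utility: p_m = (1/k) ln integral exp(k x) f(x) dx."""
    return math.log(simpson(lambda x: math.exp(k * x) * f(x), lmin, lmax)) / k

def expected_loss(f, lmin, lmax):
    """E[X], the premium a risk neutral organisation would pay at most."""
    return simpson(lambda x: x * f(x), lmin, lmax)
```

For the constructed values the risk averse organisation is willing to pay about 116.1, more than the expected loss of 100, and the bisection solution of Eq. (1) agrees with the closed form.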
Thus, we obtain a particularly simple form for the maximum cost the organisation is willing to undertake, in terms of the characteristic function of the probability density of the possible financial losses that may be caused by security incidents.

5.2. The intertemporal case

We are now ready to proceed to the more realistic intertemporal case. According to the model presented in Section 3, the system at time t may be in state i, i = 0, 1, ..., N, with probability $P_{0i}(0,t)$. Let us assume that in state i the organisation suffers a financial loss of the amount $L_i$. Since the model now has a time structure, we need to introduce the idea of discounting. According to that, a loss of the amount $L_i$ which occurs at time t has value at time 0 equal to $L_i\, e^{-r t}$, where r is the discount factor. One may consider the discount factor as some kind of interest rate. In this case, $L_i\, e^{-r t}$ is the amount of money put in the bank at time t = 0 that will provide the amount $L_i$ at time t. In this intertemporal setup we need to define the utility function in a slightly different manner, using the so-called intertemporal utility function. If T is the final time horizon of the model, the expected intertemporal utility function is

$$U_{int} = E\left[ \int_0^T e^{-r t}\, U(w - X_t)\, dt \right]$$

where by $X_t$ we denote the loss occurring at time t, and U is some type of utility function of the type discussed above. The term $e^{-r t}$ models the time impatience displayed by the organisation. The Markov model presented above allows us to characterise the random variable X. In particular we have that $X_t(x) = L_i$ if $S(t,x) = i$ (that is, if the realisation of the system is such that at time t the state of the system is i). If i = 0 then $L_0 = 0$. The random variable $X_t$ takes the value $L_i$ with probability $P_i(t) := P_{0i}(0,t)$. We may now calculate the risk premium in the same manner as above, but using the intertemporal utility
function $U_{int}$ instead of the time independent utility function. Using the same considerations as above, but now in the intertemporal setup, we find that the risk premium is given by the solution of the equation

$$U(w - p) = \sum_{i=0}^{N} \int_0^T e^{-r t}\, U(w - L_i)\, P_i(t)\, dt.$$

The right hand side of the above equation can be readily calculated and so the equation becomes

$$U(w - p) = F(r,T) \sum_{i=1}^{N} \frac{\lambda_{0i}}{\lambda_0}\, U(w - L_i) + F_0(r,T)\, U(w)$$

where

$$F(r,T) = \frac{r\, e^{-(\lambda_0 + r) T} - (\lambda_0 + r)\, e^{-r T} + \lambda_0}{r\,(\lambda_0 + r)}, \qquad F_0(r,T) = \frac{1}{\lambda_0 + r} \left( 1 - e^{-(\lambda_0 + r) T} \right).$$

This equation provides the cost of security measures an organisation may undertake. Explicit solutions of this equation may be obtained in the same manner as for the time independent case. The case where no discounting is present (r = 0) is treated similarly, but one must be careful in the calculation of the prefactors F(0,T) and $F_0(0,T)$. A straightforward calculation of the integrals involved in the definition of these prefactors yields

$$F(0,T) = T - \frac{1 - e^{-\lambda_0 T}}{\lambda_0}, \qquad F_0(0,T) = \frac{1}{\lambda_0} \left( 1 - e^{-\lambda_0 T} \right).$$

6. Conclusions

In this paper we have proposed a Markov model describing the transitions of an information system from the fully operational state to states of non-fully operational status, as a result of a security incident that damages an asset of the information system, using the transition intensity approach. This model has been utilised for estimating the premium of the insurance contract against the expected losses that will result from potential security incidents. Using the same model we have proposed a rational way for valuating the security investment. Our current research work focuses on extending the model so as to waive the assumption that all non-fully operational states of the information system are absorbing states. In other words, the extended model will be capable of handling cases where there is a transition from some state i (i ≠ 0) to the fully operational state 0. Another extension will be that all the assets of the information system will be modelled, instead of the single asset that is currently supported, thus enabling us to account for interdependencies of security incidents and/or security measures on different assets and consequently to have a more accurate estimate of the insurance premium.
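An added example (not the paper's code) implementing the intertemporal pricing equation of Section 5.2: the prefactors F(r,T) and $F_0(r,T)$ with the separate r = 0 case, a consistency check, and the premium p for the constant absolute risk aversion utility of Section 5.1 with $c_1 = 0$, $c_2 = 1$, for which the equation has a closed form derived here by the same steps as the paper's time independent example. It assumes, following the paper's description of the Section 3 model, that state 0 is fully operational, that the states i ≥ 1 are absorbing and reached with intensities $\lambda_{0i}$, and that $\lambda_0 = \sum_i \lambda_{0i}$, so that $P_0(t) = e^{-\lambda_0 t}$ and $P_i(t) = (\lambda_{0i}/\lambda_0)(1 - e^{-\lambda_0 t})$; the intensities, losses, wealth, horizon and k are constructed values.

```python
import math

# Constructed example values (not from the paper). States i >= 1 are absorbing and are
# entered from the fully operational state 0 with intensity LAM[i]; lam0 = sum(LAM.values())
# is the total outflow intensity and LOSS[i] is the financial loss L_i suffered in state i.
LAM = {1: 0.10, 2: 0.05, 3: 0.01}      # transition intensities per year, constructed
LOSS = {1: 50.0, 2: 150.0, 3: 400.0}   # loss L_i in state i, constructed
W, K = 1000.0, 0.01                    # wealth and CARA coefficient k (c1 = 0, c2 = 1)

def prefactors(r, T, lam0):
    """The paper's closed forms F(r,T) and F_0(r,T); r = 0 needs its own formulas
    because the general F(r,T) has r in the denominator."""
    if r == 0.0:
        f0 = (1.0 - math.exp(-lam0 * T)) / lam0
        return T - f0, f0
    f = (r * math.exp(-(lam0 + r) * T) - (lam0 + r) * math.exp(-r * T) + lam0) / (r * (lam0 + r))
    f0 = (1.0 - math.exp(-(lam0 + r) * T)) / (lam0 + r)
    return f, f0

def discount_integral(r, T):
    """Integral of exp(-r t) over [0, T]. Because the P_i(t) sum to 1 at every t,
    F(r,T) + F_0(r,T) must equal this value: a cheap check of the closed forms."""
    return T if r == 0.0 else (1.0 - math.exp(-r * T)) / r

def intertemporal_premium(r, T, lam=LAM, loss=LOSS, k=K):
    """Solve U(w - p) = F * sum_i (lam_i/lam0) U(w - L_i) + F_0 U(w) for the CARA
    utility U(w) = -exp(-k w). Dividing both sides by -exp(-k w) gives
    exp(k p) = F * sum_i (lam_i/lam0) exp(k L_i) + F_0, so p follows by taking logs."""
    lam0 = sum(lam.values())
    f, f0 = prefactors(r, T, lam0)
    mgf = sum(lam[i] / lam0 * math.exp(k * loss[i]) for i in lam)
    return math.log(f * mgf + f0) / k

def pricing_residual(p, r, T, lam=LAM, loss=LOSS, w=W, k=K):
    """Left hand side minus right hand side of the pricing equation at p (about 0 at the solution)."""
    lam0 = sum(lam.values())
    f, f0 = prefactors(r, T, lam0)
    U = lambda x: -math.exp(-k * x)
    rhs = f * sum(lam[i] / lam0 * U(w - loss[i]) for i in lam) + f0 * U(w)
    return U(w - p) - rhs
```

The premium grows with the horizon T, since both prefactors increase with T and the loss term exp(k L_i) exceeds 1 for every non-operational state.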
References

[1] R. Anderson, Why information security is hard: an economic perspective, 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, 2001.
[2] H. Cavusoglu, B. Mishra, S. Raghunathan, A model for evaluating IT security investments, Communications of the ACM 47 (7) (2004) 87–92.
[3] H. Cavusoglu, B. Mishra, S. Raghunathan, The effect of internet security breach announcements on shareholder wealth: capital market reactions for breached firms and internet security developers, International Journal of Electronic Commerce 9 (4) (2004) 69–105.
[4] Commission of the European Communities, Risk analysis methods database, INFOSEC Programme, Project S2014, 1993.
[5] J. Eloff, L. Labuschagne, K. Badenhorst, A comparative framework for risk analysis methods, Computers and Security 12 (6) (1993) 597–603.
[6] L. Gordon, M. Loeb, The economics of information security investment, ACM Transactions on Information and System Security 5 (4) (2002) 438–457.
[7] L. Gordon, M. Loeb, T. Sohail, A framework for using insurance for cyber-risk management, Communications of the ACM 46 (3) (2003) 81–86.
[8] S. Haberman, E. Pitacco, Actuarial models for disability insurance, Chapman and Hall, 1999.
[9] ISO/IEC/JTC1, "Information technology: security techniques. Guidelines for the management of IT security", GMITS, ISO/IEC DTR13335, 1996.
[10] S. Moitra, S. Konda, "The survivability of network systems: an empirical analysis", Carnegie Mellon Software Engineering Institute, Technical Report CMU/SEI-200-TR-021.
[11] H.R. Varian, Microeconomic analysis, Norton & Company, 1992.
[12] H.R. Varian, "Systems reliability and free riding", Working Paper, 2004.
Costas LAMBRINOUDAKIS was born in Greece in 1963. He holds a B.Sc. (Electrical and Electronic Engineering) degree from the University of Salford (UK), and an M.Sc. (Control Systems) and a Ph.D. (Computer Science) degree from the University of London (UK). Currently he is an Assistant Professor at the Department of Information and Communication Systems of the University of the Aegean. His current research interests include information systems security, smart cards and computer architectures. He is an author of several refereed papers in international scientific journals and conference proceedings. He has participated in many national and EU funded R and D projects. He has served on program and organizing committees of national and international conferences on informatics and he is a reviewer for several scientific journals.

Stefanos GRITZALIS was born in Greece in 1961. He holds a BSc in Physics, an MSc in Electronic Automation, and a PhD in Informatics, all from the University of Athens, Greece. Currently he is an Associate Professor at the Department of Information and Communication Systems Engineering, University of the Aegean, Greece, and Assistant Director of the Info-Sec-Lab. He has been involved in more than thirty national and CEC funded R and D projects in the areas of information and communication systems. His published scientific work includes six books (in Greek) on information and communication technologies topics, and more than seventy journal and national and international conference papers. The focus of these publications is on information and communication systems security. He has served on program and organizing committees of national and international conferences on informatics and is a reviewer for several scientific journals.

Peter HATZOPOULOS was born in Greece in 1967. He holds a BSc in Mathematics from the University of Crete, and an MSc and a PhD from the City University of London, UK. Currently he is a Lecturer at the Department of Statistics and Actuarial Science, University of the Aegean, Greece. He has been involved in national and EC funded projects in the areas of life and general insurance. His published scientific work involves life insurance and actuarial statistical topics.

Athanasios YANNACOPOULOS was born in Greece in 1968. He holds a BSc in Physics from the University of Athens and a PhD in Dynamical Systems from the University of Warwick. He has worked as a Research Fellow at the Universities of Leeds and Warwick and was a lecturer in Applied Mathematics at the School of Mathematics and Statistics, University of Birmingham. Since 2002 he has been with the University of the Aegean, where he currently is Associate Professor at the Department of Statistics and Actuarial Science. His research interests and published work are in random and deterministic dynamical systems, stochastic processes and applied stochastic analysis.

Sokratis K. KATSIKAS was born in Greece in 1960. He received the Diploma in Electrical Engineering from the University of Patras, Greece, the M.Sc. in Electrical and Computer Engineering from the University of Massachusetts at Amherst, USA, and the Ph.D. in Computer Engineering from the University of Patras, Greece. He is now Professor at the Department of Information and Communication Systems Engineering and Rector of the University of the Aegean, Greece. He has authored or co-authored more than 140 technical papers and conference presentations in his areas of research interest, which include information and communication systems security, estimation theory, adaptive control, and artificial intelligence. He has served on steering, program and organizing committees of international conferences on informatics and is a reviewer for several scientific journals.