Top

Information Systems Frontiers

Published in:

17-11-2017

Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance

Authors: Arunabha Mukhopadhyay, Samir Chatterjee, Kallol K. Bagchi, Peteer J. Kirs, Girja K. Shukla

Published in: Information Systems Frontiers | Issue 5/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Malicious external attackers commonly use cyber threats (such as virus attacks, denial-of-service (DoS) attacks, financial fraud, system penetration, and theft of proprietary information), while internal attackers resort to unauthorized access to compromise the confidentiality, integrity, and availability (CIA) of the data of individuals, organizations, and nations. This results in an opportunity cost, a loss of market capitalization, and a loss of brand equity for organizations. Organizations and nations spend a substantial portion of their information technology (IT) budgets on IT security (such as perimeter and core security technologies). Yet, security breaches are common. In this paper, we propose a cyber-risk assessment and mitigation (CRAM) framework to (i) estimate the probability of an attack using generalized linear models (GLM), namely logit and probit, and validate the same using Computer Security Institute–Federal Bureau of Investigation (CSI–FBI) time series data, (ii) predict security technology required to reduce the probability of attack to a given level in the next year, (iii) use gamma and exponential distribution to best approximate the average loss data for each malicious attack, (iv) calculate the expected loss due to cyber-attacks using collective risk modeling, (v) compute the net premium to be charged by cyber insurers to indemnify losses from a cyber-attack, and (vi) propose either cyber insurance or self-insurance, or self-protection, as a strategy for organizations to minimize losses.

previous article DPRel: A Meta-Path Based Relevance Measure for Mining Heterogeneous Networks

next article Don’t Disturb Me! Understanding the Impact of Interruptions on Knowledge Work: an Exploratory Neuroimaging Study

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Alhazmi, O. H., Malaiya, Y. K., & Ray, I. (2007). Measuring, analyzing and predicting security vulnerabilities in software systems. Computers and Security, 26(3), 219–228.CrossRef

Austin, R.D., Darby, C.R.A. (2003). The myth of secure computing. Harvard Business Review on Point Enhanced Edition.

Baer, W. S., & Parkinson, A. (2007). Cyber insurance in IT security management. IEEE Security and Privacy, 5(3), 50–56.CrossRef

Bagchi, K., & Udo, G. (2003). An Analysis of the growth of the computer and internet security breaches. Communications of the AIS, 12, 684–700.

Bandyopadhyay, T., Mookerjee, V. (2017). A model to analyze the challenge of using cyber insurance. Information Systems Frontiers, 1–25. https://doi.org/10.1007/s10796-017-9737-3.

Bandyopadhyay, T., Mookerjee, V. S., & Rao, R. C. (2009). Why it managers don't go for cyber-insurance products. Communications of the ACM, 52(11), 68–73.CrossRef

Baskerville, R. L. (1993). Information systems security design methods: implication for information systems development. ACM Computing Surveys, 25(4), 375–414.CrossRef

Baskerville, R. L. (2008). Strategic information security risk management. In W. D. Straub, S. Goodman, & R. L. Baskerville (Eds.), Information security, policy, processes and practices (pp. 112–122). Routledge: M E Sharpe.

McCann, E. (2014). Breach alert: Hackers swipe data of 4.5M. http://www.healthcareitnews.com/news/breach-alert-hackers-swipe-data-45m. Accessed 7 Nov 2007

Bell, E. D. (1974). Secure computer systems: A refinement of the mathematical model. Bedford: NTIS U.S. Department of Commerce, Mitre Corporation.

Biba, J. K. (1977). Integrity considerations for secure computer systems. MTR-3153, The Mitre Corporation, April 1977.

Biswas B., Mukhopadhyay A. (2017). Phishing detection and loss computation hybrid model: A machine-learning approach. ISACA Journal, 1, 22–29

Biswas B., Pal S., Mukhopadhyay A. (2016). AVICS-Eco framework: An approach to attack prediction and vulnerability assessment in a cyber Ecosystem. Proceedings of the 22nd Americas Conference on Information Systems. San Diego: Association for Information Systems.

Biswas, B., Mukhopadhyay, A., Dhillon, G. (2017). GARCH-based risk assessment and mean-variance-based risk mitigation framework for software vulnerabilities. In Proceedings of 23rd Americas Conference on Information Systems. Association for Information Systems.

Blakley, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. Proceedings of the workshop on New security paradigms (NSPW '01) (pp. 97–104). New York: ACM.

Böhme, R. (2005). Cyber-insurance revisited. Harvard: Workshop on the Economics of Information Security (WEIS).

Böhme, R., Kataria, G. (2006). Models and measures for correlation in cyber-insurance. UK: Workshop on the Economics of Information Security (WEIS) University of Cambridge, 2006, June.

Böhme, R., Schwartz, G. (2010). Modeling cyber-insurance: Towards a unifying framework. Harvard: Workshop on the Economics of Information Security (WEIS), 2010, June.

Bolot, J., & LeLarge, M. (2008). Cyber insurance as an incentive for internet security. Hanover: Workshop on the Economics of Information Security (WEIS).

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.CrossRef

Bureau of Justice Assistance. (2009). 2009 internet crime report. Washington, D.C: U.S. Department of Justice.

Calandro, J., Matrejek, E., Pollard, N. (2014). Managing cyber risks with insurance: key factors to consider when evaluating how cyber insurance can enhance your security program. Price Water House Publication number BS-14-0534-A.0614. Available at http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-managing-cyber-risks-with-insurance.pdf.

Campbell, K., Gordon, L. A., & Loeb, M. P. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, 11, 431–448.CrossRef

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of Internet security breach announcements on market value: capital market reaction for breached firms and Internet security developers. International Journal of Electronic Commerce, 9(1), 69–105.CrossRef

Cavusoglu, H., Cavusoglu, H., & Zhang, J. (2008). Security patch management: share the burden or share the damage? Management Science, 54(4), 657–670.CrossRef

CCTA. (1991). SSADM-CRAMM subject guide for SSADM version 3 and CRAMM version 2. London: Central Computer and Telecommunications Agency, IT Security and Privacy Group, Her Majesty’s Government.

Clark, D., Wilson, D. (1988). Evolution of a model for computer integrity. 11th National Computer Security Conference, Postscript to Proceedings, NIST/NCSC (pp. 14–27). October 1998.

Cleman, T. R., & Reilly, T. (1999). Correlations and copulas for decision and risk analysis. Management Science, 45(2), 28–224.

Courtney, R. (1977). Security risk assessment in electronic data processing (pp. 97–104). Arlington: AFIPS.

Cutler, D. M., & Zeckhauser, R. (2003). Extending the theory to meet the practice of insurance. Brookings-Wharton Papers on Financial Services (pp. 1–53). Washington, DC: Brookings Institution Press.

Das, S., Mukhopadhyay, A., & Anand, M. (2012). The stock Market response to public announcement of information security breach on a firm: an Exploratory study using firm and attack characteristics. Journal of Information Privacy and Security JIPS, 7(4), 27–55.

Das, S., Mukhopadhyay, A., Shukla, G. K. (2013). i-HOPE framework for predicting cyber breaches: a logit approach. Proceedings of the 46th Hawaii International Conference on System Sciences (HICSS) (pp. 3008–3017). Hawaii: IEEE. https://doi.org/10.1109/HICSS.2013.256.

Dash, E. (2011). City data theft points up a nagging problem. New York Times, June 9, 2011.

Dhillon, G., & Backhouse, J. (2000). Information system security management in the new millennium. Communications of the ACM, 43(7), 125–127.CrossRef

Dhillon, G., & Moores, S. (2001). Computer crimes: theorizing about the enemy within. Computers & Security, 20(8), 715–723.CrossRef

Dhillon, G., & Torkzadeh, G. (2006). Value focused assessment of information system security in organizations. Information Systems Journal, 16(3), 293–314.CrossRef

Di, R., Hillairet, M., Picard, M., Rifaut, A., Bernard, C., Hagen, D., Maar, P., & Reinard, D. (2007). Operational risk management in financial institutions: process assessment in concordance with Basel II. Software Process: Improvement and Practice, 12(4), 321–330.CrossRef

Dutta, K., & Perry, J. (2011). A tale of tails: an empirical analysis of loss distribution models for estimating operational risk capital. Working paper No.06–13, Federal Reserve Bank of Boston.

Fang, F., Parameswaran, M., Zhao, X., & Whinston, A. B. (2014). An economic mechanism to manage operational security risks for inter-organizational information systems. Information Systems Frontiers, 16(3), 399–416.CrossRef

FBI. (2009). High-tech heist: 2,100 ATMs worldwide hit at once. Available at: http://www.fbi.gov/news/stories/2009/november/atm_111609.

Finkle, J. Freifeld, K. (2014). http://www.reuters.com/article/2014/04/03/us-experian-databreach-idUSBREA321SL20140403. April 2014.

Geer Jr., D., Hoo, K. S., & Jaquith, A. (2003). Information security: why the future belongs to the quants. IEEE Security and Privacy, 99(4), 24–32. https://doi.org/10.1109/MSECP.2003.1219053

Gordon, L. A., & Loeb, M. P. (2002). Return on information security investments, myths vs realities. Strategic Finance, 84(5), 26–31.

Gordon, L. A., Loeb, M. P., & Sohai, T. L. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81–85.CrossRef

Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R. (2009). CSI/FBI computer crime and security survey. GoCSI.com.

Gorman, S. (2012). Alert on hacker power play: U.S. official signals growing concern over anonymous group's capabilities. http://online.wsj.com/article_email/SB10001424052970204059804577229390105521090-lMyQjAxMTAyMDIwMDEyNDAyWj.html.

Grzebiela, T. (2002). Insurability of electronic commerce risks. Proceedings of the Hawaii International Conference on System Sciences, 35, USA.

Guarrao, S. (1987). Principles and procedures of the LRAM approach to information systems risk analysis and management. Computers & Security, 6(6), 493–504.CrossRef

Harmantzis, C.F. (2003). Operational risk management. ORMS Today, 30(1).

Hartwig, R. P., & Wilkinson, C. (2014). Cyber risks: the growing threat (pp. 1–27). USA: Insurance Information Institute.

Herath, H., Herath, T. (2011). Copula based actuarial model for pricing cyber, insurance policies insurance markets and companies: analyses and actuarial computations, 2.

Hoffman, J. et al. (1978). SECURATE—security evaluation and analysis using fuzzy metrics (pp. 531–540). Proceedings of the AFIPS National Conference Proceedings, Arlingtion

Hossack, B. I., Pollard, J., & Zehnwirth, B. (1983). Introduction to statistics with applications to general insurance. Cambridge: Cambridge University Press.

Identity Theft Center. (2007). http://www.idtheftcenter.org/. Last consulted 5–6-2007.

Jensen, F. V. (1996). Introduction to Bayesian networks. Secaucus: Springer-Verlag New York, Inc.

Jueneman, R.R. (1989). Integrity controls for military and commercial applications CSC professional. Report CSC/PR-89/3001.

Kahane, Y., Neumann, S., & Taperio, S. C. (1988). Computer backup pools, disaster recovery, and default risk. Communications of the ACM, 31(1), 78–83.CrossRef

Kahneman, D., & Tversky, A. (1979). Prospect theory: an analysis of decision under risk. Economterica, 47(2), 263–292.CrossRef

Keily, G. (2014). eBay suffers massive security breach, all users must change their passwords. http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/.

Kesan, J. P., & Majuca, R. (2005). Cyberinsurance as a market-based solution to the problem of cybersecurity: A case study. Harvard: Fourth Workshop on the Economics of Information Security (WEIS).

Kesan, J.P., Ruperto, P.M., Willam, J.Y. (2004). The economic case for cyber insurance. Working Paper Series No. Paper No. LE04–004, Illinois Law and Economics.

Kunreuther, H. (1997). Managing catastrophic risks through insurance and mitigation. Proceedings of the 5th Alexander Howden Conference on Financial Risk Management for Natural Catastrophes, August 24–26, 1997.

Majuca, P., Yurcik, W., Kesan, J.P. (2005). The evolution of cyber insurance. Available at: http://arxiv.org/ftp/cs/papers/0601/0601020.pdf.

Mann, S. (1998). Netcrime: more change in the organization of thieving. British Journal of Criminology, 38, 201–229.CrossRef

McLeod, D. (2015). Increased cyber losses means more litigation over claim. Business Insurance. Available at http://www.businessinsurance.com/article/20150222/NEWS06/303019999/1248.

Meland, P. H., Inger, A. T., & Solhaug, B. (2015). Mitigating risk with cyber insurance. IEEE Security and Privacy, 6, 38–43.CrossRef

Miccolis, J., Shaw, S.( 2000). Enterprise Risk Management: An Analytic Approach. New York:Tillinghast – Towers Perrin

Mitra, S., & Ransbotham, S. (2015). Information disclosure and the diffusion of information security attacks. Information Systems Research, 26(3), 565–584.CrossRef

Moore, R. (2005). Cybercrime: Investigating high-technology computer crime. Cleveland: Anderson Publishing.

Mukhopadhyay, A. Chakrabarti, B. B., Saha, D., Mahanti, A. (2007a). e-Risk management through self-insurance: an option model. Proceedings of the Hawaii International Conference on System Sciences, 40. Washington, DC: IEEE Computer Society.

Mukhopadhyay, A., Chatterjee, S., Roy, R., Saha, D., Mahanti, A., Sadhukhan S. K. (2007b). Insuring big losses due to security breaches through insurance: A business model 2014. Proceedings of the 47th Hawaii International Conference on System Sciences. Hawaii: IEEE. https://doi.org/10.1109/HICSS.2007.280

Mukhopadhyay, A., Das, S., Sadhukhan, S. K. (2013a). Vulnerable path determination in mobile ad-hoc networks using Markov Model. Proceedings of the 19th Conference Amercias Conference on Information Systems (AMCIS).

Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A. and Sadhukan, S. K. (2013b). Cyber-Risk Decision Models: To Insure IT or Not?. Decision Support Systems, 56(1), 11–26.

McCullagh, P., & Nelder, J. A. (1989). Generalized linear models, 2nd edition. London: Chapman & HaI/~CRC.CrossRef

New York Times. (2007). Digital fears emerge after data siege in Estonia. May 29, 2007.

New York Times. (2008). Before the gunfire, cyber -attacks twitter. August 12, 2008.

Newman, J. (2013). Adobe security breach worse than originally thought. http://www.pcworld.com/article/2059002/adobe-security-breach-worse-than-originallythought.html.

Ogut, H., & Menon, N. (2005). Cyber insurance and IT security investment: Impact of interdependent risk. Harvard: Fourth Workshop on the Economics of Information Security (WEIS).

Öğüt, H., Raghunathan, S., & Menon, N. (2011). Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis, 31(3), 497–512.CrossRef

Ozier, W. (1989). Risk quantification problems and Bayesian decision support system solutions. Information Age, 11(4), 229–234.

Reid, R. C., & Stephen, A. F. (2001). Extending the risk analysis model to include market-insurance. Computers & Security, 20(4), 331–339.CrossRef

Rejda, G. E. (2010). Principles of risk management and insurance (10th ed.). London: Pearson Publication.

Richardson, R. (2007). CSI computer crime and security survey (pp. 1–28). San Francisco: Computer Security Institute Inc..

Robertson, J. (2014). China’s hack of 4.5 million U.S medical records? This chart will make you sick. http://www.bloomberg.com/news/2014-08-21/china-s-hack-of-4-5-million-u-s-medical-records-this-chart-will-make-you-sick.html. August 2014.

Roumani, Y., Nwankpa, J. K., & Rouman, Y. F. (2015). Time series modeling of vulnerabilities. Computers & Security, 51, 32–40.CrossRef

Ruohone, J., Hyrynsalmi, S., & Leppänen, V. (2015). The sigmoidal growth of operating system security vulnerabilities: an empirical revisit. Computers & Security, 55, 1–20.CrossRef

Salmela, H. (2008). Analyzing business losses caused by information systems risk: a business process analysis approach. Journal of Information Technology, 23(3), 185–202.

Schneier, B. (2000). The insurance takeover. Information Security.

Schroeder, D. (2014). Cyber insurance: just one component of risk management. The Wall-Street Journal, May 27 2014. Available at http:/blogs.wsj.com/cio/2014/03/27/cyber-insurance-just-onecomponent-of-risk-management/.

Shedden, P., Smith, W. R., Ahmad, A. (2010). Information security risk assessments: towards a business practice perspective. Edith Cowan University Research Online, http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1097&context=ism.

Shetty, N., Schwartz, G., Felegyhazi, M., & Walrand, J. (2009). Competitive cyber-insurance and internet security. London: Workshop on the Economics of Information Security (WEIS).

Smith, E., & Eloff, J. H. P. (2002). A prototype for assessing information technology risks in health care. Computers & Security, 21(2), 266–284.CrossRef

Smith, S.T., & Lim, J.J. (1984). An automated method for assessing the effectiveness of computer security safeguards. In Computer Security A Global Challenge (pp. 321–328). Amsterdam: North-Holland Publishing Co..

Smithson, S., Song, P. (2004). Quantifying operational risk. Risk, 57–59.

Solms, V. (2005). Information security governance - compliance management vs operational management. Computers & Security, 24(6), 443–447.CrossRef

Tavani, H. (2007). Ethics and technology: Ethical issues in an age of information and communication technology. Hoboken: John Wiley.

TechFlash. (2009). Walmart, Amazon.com hit with denial of service attack. December 24, 2009. Available at: http://www.techflash.com/seattle/2009/12/walmart_amazoncom_hit_with_denial_of_service_atack.html.

Times of India. (2013). http://timesofindia.indiatimes.com/tech/tech-news/Cybercrimes-cost-India-4-billion-in-2013-Symantec/articleshow/24551193.cms. Accessed 7 Nov 2017

Straub, W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision-making. MIS Quarterly, 22(4), 441–469.CrossRef

Yurcik, W. (2002). Cyber insurance: A market solution to the internet security market failure. Berkeley: Workshop on the Economics of Information Security (WEIS).

Title: Cyber Risk Assessment and Mitigation (CRAM) Framework Using Logit and Probit Models for Cyber Insurance
Authors: Arunabha Mukhopadhyay
Samir Chatterjee
Kallol K. Bagchi
Peteer J. Kirs
Girja K. Shukla
Publication date: 17-11-2017
Publisher: Springer US
Published in: Information Systems Frontiers / Issue 5/2019
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-017-9808-5

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 5/2019

Don’t Disturb Me! Understanding the Impact of Interruptions on Knowledge Work: an Exploratory Neuroimaging Study

Examining Consumers’ Behavioral Intention in O2O Commerce from a Relational Perspective: an Exploratory Study

DPRel: A Meta-Path Based Relevance Measure for Mining Heterogeneous Networks

A Novel Group Ownership Delegate Protocol for RFID Systems

Formal Model of Business Processes Integrated with Business Rules

An Empirical Review of the Connection Between Model Viewer Characteristics and the Comprehension of Conceptual Process Models

Premium Partner