Abstract
An online business organization spends millions of dollars on firewalls, anti-virus, intrusion detection systems, digital signature, and encryption, to ensure minimal security breach. Nonetheless, a new virus or a clever hacker can easily compromise these deterrents, resulting in losses to the tune of millions of dollars annually. To minimize the financial loss, we propose that online businesses should invest in e-risk insurance products as a complementary alternative, above the network security appliances. In this work, we develop a Copula aided Bayesian Belief Network (CBBN) model, to assist insurance companies to design e-insurance products. The CBBN model does an e-vulnerability assessment (e-VA) and e-risk quantification (e-RQ). We first draw a casual diagram (BBN) stating the probable reason for security failure in an organization. We assume the marginal distributions for each of the nodes of the diagram. Using the CBBN model we compute the joint probability of the constituent nodes of the BBN. Next the conditional probability of each of the occurrences of the malicious event is arrived at. We then assume a loss distribution, and using the principles of collective risk modeling, we arrive at the expected severity of the attack. The e-risk insurance companies compute the premium, by charging an extra (i.e., overloading and contingency loading), over the expected severity of attack.
TopIntroduction
E-risk is defined as the possibility of a malicious electronic event, whose occurrence causes loss to e-business. These consists of (i) comprise of network security components (such as firewall, proxy servers, anti virus), (ii) the compromise of the organization web server, and incorrect or indecent material posted on the web site (commonly called graffiti), (iii) service providers (i.e., Application Service Provider (ASP) or Internet Service Provider (ISP)) failing, (iv) identity theft (i.e., confidential customer information is hacked from an organizational database; example, pin numbers of credit cards from a bank), (v) attacks by disgruntled employees, (vi) cyber-extortion, (vii) Denial of Service (DoS) by making malicious calls to the router, (viii) attack by wireless devices (such as PDAs, mobile phones etc). CSI/FBI 2004 report (Gordon, Loeb, Lucyshyn & Richardson, 2004) states that the most vital e-risk in USA is virus attack (loss of $55 Million). It is followed by DoS attack (loss of $26 Million), and theft of proprietary information (loss of $11 Million).
Organizations spend millions annually for deployment of sophisticated technical defenses (such as encryption, access control and firewalls) (Gordon, & Loeb, 2002) and intrusion detection systems to guard against malicious attacks. CSI/FBI report (Gordon et al., 2004) states most organizations in USA have deterrents such as (i) antivirus software (99%), (ii) firewalls (98%), (iii) proxy servers (71%), and (iv) intrusion detection systems (68%). Yet security breaches are very common.
Anderson (2001) opines that the chance of a clever hacker breaking into the system is much higher than the chance that the CTO would detect it. This can be sustained with the following example. Assume there are n vulnerabilities in an organizational network. In a given period of time, the hacker needs to find only one as opposed to the CTO who has to be aware of all the n vulnerabilities to protect the system from malicious attacks. Thus, it is a win–win situation always for the intruder. Schneier (2001) notes, that a new virus can easily comprise the perimeter security devices, as there is no signature available in the anti-virus engine to track it down. The CSI/FBI report (Gordon et al., 2004) corroborates this fact, as loss due to virus attack in USA alone was $55 Million in 2004.
To supplement the existing security measures and to reduce the monetary loss, an effective alternative mechanism is insuring (Gordon, Loeb, & Sohail, 2003; Grzebiel, 2002; Mukhopadhay, Chatterjee, Saha, Mohanti 2005a; Mukhopadhyay, Chatterjee, Saha, Mohanti, Chakrabarti and Podder, 2005b, 2005c; Mukhopadhyay, Chatterjee, Saha, Mohanti, and Sadhukhan,2006 ; Mukhopadhyay 2007, Mukhopadhay, Chatterjee, Saha, Mohanti, Roy and Sadhukhan,2007a; Mukhopadhay, Chakrabari Saha, Mohanti 2007b) against these risks. This would help reduce the financial burden on the organizations, as the insurance company would indemnify the loss. In effect, the organizations risk is being passed on to another party at the cost of a premium. This reduces the companies concern about “self insuring” (i.e., keeping aside huge amount for contingency purposes). This, in turn, is a good corporate strategy, as huge amounts are not locked away for contingency provisions and security breaches.
Key Terms in this Chapter
Collective Risk Model: It assumes that the loss frequency and loss amount of an e-risk are both stochastic variables. The expected loss or claim severity is the product of claim size and claim amount.
Actuarial Approach: Identifies the loss frequency and the loss amounts distribution using past data.
Process Approach: It models chain of activities that comprise an operation or transaction and finding out the exact risk for each process.
BBN Graph: It is made up of nodes and arcs. Nodes are random variables. The arcs indicate causal relationship between the variables. Each node has a probability table associated with it. The root node(s) have only marginal probability associated with it, while the child nodes have conditional probabilities tables associated with it.
E-Risk: Defined as the possibility of a malicious electronic event, whose occurrence causes loss to e-business. These consists of (i) comprise of perimeter network security components, (ii) graffiti, (iii) Application Service Provider or Internet Service Provider failing, (iv) identity theft, (v) attacks by disgruntled employees, (vi) cyber-extortion, (vii) Denial of Service, (viii) attack by wireless devices.
Copula: Joint distribution of random variables can be expressed as a function of marginal distributions. It also takes into account correlation amongst the marginal distributions.
Operational Risk: It arises due to failure of process, people, systems or external events. Basel II mandates that operational risk is quantified and a capital allocation done for it.
Bayesian Belief Network (BBN): A graphical relationship between causal variables. BBNs enable reasoning under uncertainty and combine the advantages of an intuitive visual representation with a sound mathematical basis of Bayesian probability.
Premium: It is the product of the expected loss times the loading factor (i.e.,, profit and overhead charges) plus contingency loading times the variance of the loss.
Factor Approach: Aims to determine a mathematical equation that relates the level of operational risk for institution or business or process to a set of factors.