An evidence based Initial Coin Offering insurance to make crowdsale more protectable against hacking.
This chapter will first present a principal-agent game-theoretic model to capture the interactions between one insurer and one user. The insurer is deemed the principal, who does not have complete information about the user's security policies. The user, which refers to the infrastructure operator or the customer, implements his local protection and pays a premium to the insurer. The insurer designs an incentive-compatible insurance mechanism that includes the premium and the coverage policy, while the user determines whether to participate in the insurance and how much effort to spend defending against attacks. The chapter will also focus on an attack-aware cyber insurance model by introducing adversarial behaviors into the framework. The behavior of an attacker determines the type of cyber threat, e.g. denial of service (DoS) attacks, data breaches, phishing and spoofing. The distinction between threat types plays a role in determining the type of losses and the coverage policies. Data breaches can lead not only to financial losses but also to reputational damage. The coverage may only cover a certain agreed percentage of the financial losses.
Critical infrastructures are increasingly dependent on information and communication technologies (ICTs) to sense, transmit, and fuse data for real-time operations and control of the infrastructures. The heavy integration of ICTs has also brought many potential threats that can cause data privacy breaches, loss of service availability, and cascading damage. The vulnerabilities in the ICT can arise not only from unintentional misconfiguration and mismanagement of protocols and devices but also from the intentional injection of malware, the spread of worms, and cyber attacks. Recent cyber attacks on Iranian nuclear power plants and the Ukraine power grid have also shown that attacks are becoming increasingly sophisticated. For example, advanced persistent threats (APTs), such as Stuxnet, Flame, and Duqu, can exploit zero-day vulnerabilities, leverage human errors and insider threats, and move stealthily in the network before launching a successful attack. These attacks are often difficult to detect and prevent, as the attackers have access to a sufficient amount of resources and are capable of staying in the victim’s system for years.
Hence, cyber risks for infrastructures are of growing concern. Cyber risk will not only create cyber incidents such as identity theft, cyber extortion, and network disruption, but can also lead to the malfunction of the entire infrastructure and of its key services to users and customers. It becomes a critical issue for operators to safeguard infrastructures from the intentional and unintentional actions that would inflict damage on the system. Conventional countermeasures include installing intrusion detection systems, blacklisting malicious hosts, and filtering or blocking traffic into the network. However, these methods cannot guarantee perfect security and can be evaded by sophisticated adversaries despite advances in technology. Therefore, cyber risks are inevitable, and it is essential to find other means to mitigate the risks and their impact.
Cyber insurance is an important tool in risk management for transferring risks. As a complement to technological solutions to cybersecurity, cyber insurance can mitigate the loss of the targeted system and increase the resiliency of the victim by enabling quick financial and system recovery from cyber incidents. Such a scheme is particularly helpful to small- and medium-sized infrastructure systems that cannot afford a significant investment in cyber protection. The market for cyber insurance is still in its infancy: the U.S. penetration level of the insured is less than 15%. Promisingly, the market has been growing fast, at a 30% annual growth rate since 2011. The key challenge with cyber insurance lies in the difficulty of assessing the different types of cyber risks and the impact of cyber incidents launched by resourceful adversaries who are stealthy and purposeful. The design of cyber insurance also needs to take into account moral hazard and adverse selection problems. The insured tend to lack incentives to improve their security measures to safeguard against attacks. As the nodes in cyberspace are increasingly connected, unprotected cyber risks can propagate to other, uninsured nodes. With asymmetric information about the insured, the insurer also tends to increase the premium rates for higher risks, making cyber insurance less affordable to end users.
In this chapter, we aim to provide a baseline framework to understand the interactions among the players in the cyber insurance market and leverage it to design optimal cyber insurance for infrastructure services. One key application of the framework is to provide assurance to infrastructure managers and users and to transfer their risks when an attack on the power grid prevents it from delivering electric power to a food processing plant, when cloud servers break down and fail to provide airline customer check-in information, and when trains collide because communication systems fail. In the examples above, it is clear that cyber insurance plays a key role in mitigating the cyber risks that connect the communications and information systems of an infrastructure with their physical impact on that infrastructure or linked infrastructures. The interdependencies among infrastructures and their operators and users can propagate cyber risks and exacerbate the damage to critical infrastructures. To this end, understanding the cyber insurance of interconnected players is the key to a holistic understanding of the risk management of interdependent infrastructures.
The challenges of cyber security are not only technical issues but also economic and policy issues. Recently, the use of cyber insurance to enhance the level of security in cyber-physical systems has been studied [14, 15]. While these works deal with the externality effects of cyber security in networks, few of them take into account in the model the cyber attack from a malicious adversary, which distinguishes the problem from classical insurance models. In , the authors have considered direct and indirect losses, due respectively to cyber attacks and to indirect infections from other nodes in the network. However, the cyber attacks are taken as random inputs rather than as a strategic adversary. The moral hazard model in the economics literature [9, 10] deals with hidden actions from an agent and aims to address the question: how does a principal design the agent’s wage contract to maximize his effort? This framework is related to insurance markets and has been used to model cyber insurance as a solution for mitigating losses from cyber attacks. In addition, in , the authors have studied a security investment problem in a network with externality effects. Each node determines his security investment level and competes with a strategic attacker. Their model does not focus on insurance policies or the hidden-action framework. In this work, we enrich the moral-hazard type of economic frameworks by incorporating attack models, and provide a holistic viewpoint towards cyber insurance and a systematic approach to designing insurance policies. The network effect on the security decision process has been studied in . The authors have considered a variation of the linear influence networks model in which each node represents a network company and directed links model the positive or negative influence between neighboring nodes.
In this section, we introduce a principal-agent model for cyber insurance that involves users and insurers.
Users here can refer to an infrastructure operator that manages cyber networks facing threats from an attacker, which make users vulnerable to data breaches, task failures, and severe financial losses. The objective of the users is to find an efficient way to mitigate the loss due to cyber attacks. To this end, there are two main approaches. One is to deploy local protections, such as firewalls and intrusion detection systems (IDSs) [21, 4], frequent changes of passwords, timely software patching and proactive moving target defenses. These defense mechanisms can reduce the success rate of attacks, but cannot guarantee perfect network security for users. There are still chances for the users to be hacked by the attackers. The other approach is to adopt cyber insurance. The users pay a premium fee so that the loss due to cyber attacks can be compensated by the insurer. This mechanism provides an additional layer of mitigation that further reduces the losses the technical solutions of the first approach cannot prevent. To capture the two options in our framework, we allow users to decide their protection levels as well as their rational choice of participation in the insurance program.
Attackers are the adversaries who launch cyber attacks, such as node capture attacks and denial of service (DoS) attacks, to acquire private data from users or cause disruptions of network services. Hence, the objective of the attacker is to find an efficient attack strategy that inflicts as much damage on the users as possible. We use attack levels to represent different attack strategies, capturing various types of attacks of different levels of severity. A higher attack level is more costly to launch, but it will create more severe damage. Since the loss of the users depends not only on the attack strategies but also on the insurance policies, the optimal strategy of the attacker will also be influenced by the coverage levels of an insurance policy.
An insurer is a person or company that underwrites an insurance risk by providing users an incentive-compatible cyber insurance policy that includes a premium and a level of coverage. The premium is a subscription fee paid by the users to participate in the insurance program, while the coverage level is the proportion of the loss that will be compensated by the insurer as a consequence of successful cyber attacks. The insurers have two objectives. One is to make a profit from providing the insurance, and the other is to reduce the average losses of the users, which is also directly related to the cost of the insurer. An insurer’s problem is to determine the subscription fee and the coverage level of the insurance. Note that the average losses depend on both the users’ local protection levels and the attackers’ attack levels. Moreover, a rational user will only enroll in the insurance when the average reduction in his cost is higher than or equal to the premium he pays to the insurer.
The objectives of users, attackers, and insurers, and the effects of their actions, are all intertwined. We use a 3-player game to capture the complex interactions among the three parties. The conflicting objectives of a user and an attacker can be captured by a local game at each node, in which the user determines a defense strategy while the adversary chooses an attack strategy. The outcome of the local interactions at each node determines its cyber risk, and cyber insurance is used as an additional method to further reduce the loss due to that cyber risk. The insurers are the leaders or principals in the framework, who design insurance policies for the users, while the users can be viewed as followers or agents, who determine their defense strategies under a given insurance policy.
We first formulate the game between the user and the attacker, then we describe the insurer’s problem under the equilibrium of the user and the attacker’s game. An illustration of the cyber-insurance model is shown in Fig. 2.
Let and denote the local protection level of the user and the attack level of the attacker. On one hand, a large indicates a cautious user while a small indicates that the user is reckless. A reckless user may click on suspicious links of received spam emails, fail to patch the computer system frequently, and leave cyber footprints for an adversary to acquire system information. On the other hand, a large indicates a powerful attacker, and a small indicates a powerless attacker. The abstraction of using and captures the effectiveness of a wide range of heterogeneous defense and attack strategies without a fine-grained modeling of individual mechanisms. This will allow us to focus on the consequence of security issues and the choice of a mechanism that induces the result.
The action pair of the user and the attacker determines the risk level of the user . A larger and a smaller indicate a higher risk level of the user. We use the following risk function to denote the connections between the user’s and the attacker’s actions and the risk level of the user.
Function gives the risk level of the user with respect to the user’s local protection level and the attacker’s attack level . Moreover, it is assumed to be continuous on , convex and monotonically decreasing in , and concave and monotonically increasing in .
Note that the monotonicity in indicates that a larger local protection level of the user leads to a smaller risk level of the user, while the monotonicity in indicates that a larger attack level of the attacker leads to a larger risk level of the user. Since is convex in , the risk decreases more slowly as the user adopts a larger local protection level. Since is concave in , the risk increases faster as the attacker launches a higher attack level. Without loss of generality, we use the following risk function,
, the economic loss of the user can be represented as a random variable measured in dollars, which can be expressed as , where
is a random variable with probability density function that captures the uncertainties in the measurement or system parameters. For example, a data breach due to the compromise of a server can be a consequence of a low security level at the user end. The magnitude of the loss depends on the content and the significance of the data, and the extent of the breach. The variations in these parameters are captured by the random variable . Since the risks of being attacked cannot be perfectly eliminated, the user can transfer the remaining risks to a third party, the insurer, by paying a premium or subscription fee for a coverage of when he faces a loss of , where is the payment function that reduces the loss of the user if he is insured. Thus, the effective loss to the user becomes .
Given the attacker’s action and the insurer’s coverage function , the user aims to minimize the average effective loss by finding the optimal local protection level . Such objective can be captured by the following optimization problem
is the loss function of the user, which is increasing on . Note that the expectation is taken with respect to the statistics of . The subscription fee is not included in this optimization problem, as the fee is a constant decided by the insurer.
The loss function indicates the user’s risk propensity. A convex indicates that the user is risk-averse, i.e., the user cares more about the risk, while a concave indicates that the user is risk-taking, i.e., he cares more about the cost than about the risk. A linear indicates that the user is risk-neutral. In this paper, we consider a risk-averse user, and use a typical risk-averse loss function with , where indicates how much the user cares about the loss.
Note that the cost function in (2) can be expressed explicitly as a function of . Thus, Problem (2) can be rewritten by taking expectations with respect to the sufficient statistics of . Let be the probability density function of . Clearly, is a transformation from the density function (associated with the random variable ) under the mapping . In addition, also depends on the action pair through the risk variable . Therefore, we can write to capture the parameterization of the density function. Without loss of generality, we assume that
follows an exponential distribution, i.e., , where is the risk level of the user. The exponential distribution has been widely used in risk and reliability analysis [17, 8, 5, 7]. Thus the density function can be written as
The average amount of loss given actions and is . For small and large , the risk level of the user tends to be large, which leads to a large average loss for the user. We further assume that the insurance policy is linear in , i.e., , where indicates the coverage level of the insurance. Hence, the effective loss is given by . The average effective loss given the insurance coverage level and the action pair is . When is large, the effective loss is small. As a result, we arrive at
The loss is finite when
Otherwise, the loss will be infinite, i.e., . In this regime, no insurance scheme can be found to mitigate the loss. Condition (4) gives a feasible set of parameters under which cyber insurance is effective, and it provides a fundamental limit on the level of mitigation. Note that minimizing (3) is equivalent to minimizing under the feasibility condition (4). The user’s problem can be rewritten as follows:
Problem (5) captures the user’s objective to minimize the average effective loss given the attack level and the insurance coverage level . On the other hand, the attacker aims to find the optimal attack level that maximizes the average loss of the user given the user’s local protection level and the insurer’s coverage level . Such conflicting interests of the user and the attacker constitute a zero-sum game, which takes the following minimax or max-min form,
The first term of the objective function captures the average effective loss given the insurance coverage level , the local protection level and the attack level . The second and third terms indicate the cost of the user and the attacker, respectively. is the cost parameter of the user. A larger indicates that local protection is costly. denotes the cost parameter of the attacker to conduct an attack of level . A larger indicates that a cyber attack is costly. Note that and can be interpreted as the market prices of local protections and cyber attacks, and they are known by the insurer. The constraint indicates the feasible set of the user. Note that if , , and are not feasible, is taken to be an infinite cost. Minimizing captures the user’s objective to minimize the average effective loss with the most cost-effective local protection level. Maximizing captures the attacker’s objective to maximize the average effective loss of the user with the least attack level. Note that the minimax form of (6) can be interpreted as a worst-case solution for a user who uses the best security strategies by anticipating the worst-case attack scenarios.
Furthermore, Problem (6) yields a saddle-point equilibrium (SPE) to the insurance coverage level which can be defined as follows:
The definition indicates that if a pair satisfies (9), then it is an SPE of the game between the user and the attacker under the insurer’s insurance policy. Note that under a given insurance coverage level , must satisfy the feasibility constraint (4). Thus, we aim to look for a constrained SPE of the zero-sum game with coupled constraints on the strategies of the players.
Given an insurance coverage level that satisfies
there exists a unique SPE of the zero-sum game defined in Definition 2, given by
Proposition 1 shows that the SPE of the zero-sum game between the user and the attacker is related to the insurer’s policy . Note that when is large, both and are small, indicating that both the user and the attacker will take weak actions. Moreover, we have the following observations regarding the SPE.
When the insurer provides a higher coverage level , the SPE of the user tends to be smaller, i.e., the user takes weaker local protection. Such risky behavior of the user in response to insurance is usually referred to as the Peltzman effect .
The SPE satisfies , i.e., the ratio of the actions of the user and the attacker depends only on and , and it is independent of the insurer’s policy . In particular, when , , i.e., the SPE becomes symmetric, as .
The user has a constant saddle-point risk level at the equilibrium, which is determined by the costs of adopting protections and launching attacks. The ratio is independent of coverage level .
At the saddle point, the average direct loss of the user is , the average effective loss of the user is , the average payment of the insurer to the user is .
Corollary 1 indicates that the saddle-point strategy ratio of the user and the attacker is constant and determined only by the cost parameters and , i.e., the market prices or costs for applying certain levels of protections and attacks, respectively. As a result, the saddle-point risk level of the user is constant, and determined only by the market, as shown in Remark 2. Thus, the average direct loss is constant, as shown in Corollary 2. However, when the insurance coverage level does not satisfy (10), the insurability of the user is not guaranteed, as shown in the following proposition.
Given an insurance coverage level that , does not satisfy the feasibility condition (4); thus, the average direct loss of the user , and the zero-sum game defined in Definition 2 does not admit an SPE. Thus, the user is not insurable, as the insurance policy cannot mitigate his loss. The insurer will also not provide insurance to a user who is not insurable.
Under an insurable scenario, the cost parameter of the user must satisfy , and the local protection level of the user must satisfy .
The first inequality follows directly from (10). From Appendix A, given the action of the user , the best action of the attacker is . By plugging into the feasibility condition (4), we get . It is important to note that the user must pay a subscription fee to be insured. The incentive for the user to buy insurance exists when the average loss at equilibrium under the insurance is lower than the loss incurred without insurance. If the amount of the payment from the insurer is low, then the user tends not to be insured. In addition, if the payment is low, then the risk for the insurer will be high and the user may behave recklessly in cyberspace.
The insurer announces the insurance policy , where indicates the coverage level and indicates the subscription fee; the user’s and the attacker’s conflicting interests then form a zero-sum game, which yields a unique solution, as shown in Proposition 1, with the corresponding equilibrium loss shown in Corollary 2. Note that is the gross profit of the insurer, as he charges it from the user first, but when the user faces a loss , the insurer must pay to the user. The operating profit of the insurer can be captured as . The insurer cannot directly observe the actions of the user and the attacker. However, with knowledge of the market, i.e., the cost parameters of the user and the attacker , the insurer aims to minimize the average effective loss of the user while maximizing his operating profit.
Recall from Corollary 2 that the average effective loss of the user at the saddle point is , which is monotonically decreasing in . When the user is under full coverage, the average loss including the payment is . When the user does not subscribe to insurance, the average direct loss is . Thus, the user has no incentive to insure if the cost under full coverage is higher than that under no insurance, i.e., . Moreover, for , the user will choose to insure if the average loss under the given coverage level is lower than under no insurance, i.e., . Therefore, we arrive at the following conditions.
The subscription fee must satisfy , so that the user prefers to subscribe to the insurance.
For the subscription fee , the user will subscribe to the insurance if the coverage level satisfies .
The inequalities in Condition 1 and Condition 2 are known as the individual rationality (IR-) constraint and the incentive compatibility (IC-) constraint, respectively. The user will enroll only when the (IR-) and (IC-) constraints are satisfied. Note that when is large and is small, i.e., the saddle-point risk level is high, is large and is small; i.e., when the cost for the user to put local protections in place is large and the cost for the attacker to conduct a cyber attack is small, the subscription fee is high, but the minimum coverage is low. Note that is monotonically increasing in ; moreover, when , , i.e., the user will accept any coverage level when there is no charge for the insurance premium. When , , i.e., the user only accepts full coverage when the subscription fee is at its maximum.
The insurer charges a subscription fee from the user, i.e., the insurer has a gross profit of . However, the insurer also pays the user an average amount of , from Corollary 2. Thus, the average operating profit of the insurer is , which must be larger than or equal to so that the insurer will provide the insurance. Thus, we have the following condition.
The insurer will provide the insurance if .
Recall from Proposition 2 that the insurer will provide the insurance only when the user is insurable, i.e., inequality (10) must be satisfied. Thus, we reach the following proposition, which indicates the feasible coverage level.
The coverage level is feasible, i.e., the user is insurable, when .
Condition 3 and Condition 4 indicate the individual rationality constraint (IR-) and the feasibility constraint (F-) of the insurer, respectively. With the (IR-) and (IC-) constraints for the user and the (IR-) and (F-) constraints for the insurer, the insurer’s objective of minimizing the average effective loss of the user and maximizing the operating profit can be captured using the following optimization problem:
Note that the first term of the objective function is the average effective loss of the user under the coverage , as the insurer also aims to reduce the loss of the user from the attacker. Minimizing the second term of the objective function captures the insurer’s objective of making a profit. Note that the parameter indicates the trade-off between a safer user and a larger profit for the insurer.
Let be the action set for the insurer, and and be the action sets for the user and the attacker given the insurance coverage level. The strategy pair is called a bi-level game Nash equilibrium (BGNE) of the bi-level game in Case 1, defined by the triple , if solves Problem (12) with the BGNE objective function , and the strategy pair is the SPE of the zero-sum game defined in Definition 2 with the SPE objective function under the insurance policy .
Note that the insurer’s Problem (12) is a linear programming problem, as the objective function and all the constraints are linear in and . Instead of solving this problem directly, we first observe that (IR-) and (IC-) together indicate that the insurance policy and must satisfy
Equality (13) indicates the following observations:
Zero Operating Profit Principle: The insurer’s operating profit is always , as .
Linear Insurance Policy Principle: The insurer can only provide an insurance policy and that satisfies (13), so that the user subscribes to the insurance and the insurer provides the insurance.
Corollary 3 reveals a zero operating profit principle and a linear insurance policy principle for the insurer. These principles hold in Cases 2 and 3 as well. With (13), the linear insurance policy indicates that the ratio of the subscription fee to the coverage level depends only on the saddle-point risk , which is determined by the costs, as seen in Remark 2. It provides a fundamental principle for designing the insurance policy.
With (13), the optimal insurance for the insurer can be summarized using the following proposition.
The optimal insurance policy for the insurer is
Proposition 4 shows that a full coverage level and a maximum subscription fee are the optimal insurance policy for the insurer. Together with Proposition 1, we have the following proposition on the BGNE of the bi-level game in Case 1.
The bi-level game of Case 1 admits a unique BGNE solution . At the equilibrium, the insurer provides full coverage for the user and charges the maximum subscription fee from the user. The user and the attacker have no incentives to take actions at the equilibrium, as the cost would be too high. The equilibrium also demonstrates that cyber insurance will effectively mitigate the loss.
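The contract logic of Conditions 1 through 4, the zero operating profit principle of Corollary 3 and the feasibility limit of condition (4), as an added numerical example that is not the chapter's own code. Because the chapter's formulas did not survive extraction, the block assumes a parameterisation: the saddle-point risk `r_star` is taken as an input (the chapter shows it depends only on the two cost parameters), the loss is exponential with mean `r_star`, coverage is linear with the insurer paying `S` times the loss against a fee `T`, the user's and insurer's conditions are compared in terms of average losses, and the risk-averse loss function is taken to be `exp(gamma * x)`.

```python
"""Case 1 cyber insurance contract: who accepts which (S, T), and why only
T = S * E[L] survives.  All functional forms below are ASSUMED (see lead-in);
r_star (saddle-point risk), S (coverage level) and T (subscription fee)
are the quantities the chapter reasons about."""
import math
import random

_TOL = 1e-9  # absorbs floating-point noise in the equality T == S * E[L]


def avg_direct_loss(r_star):
    # Assumed: the loss is exponential with mean r_star, so E[L] = r_star.
    return r_star


def user_subscribes(S, T, r_star):
    # User's IR + IC constraints: the average loss with insurance,
    # (1 - S) * E[L] + T, must not exceed the average loss without it, E[L].
    return (1.0 - S) * avg_direct_loss(r_star) + T <= avg_direct_loss(r_star) + _TOL


def operating_profit(S, T, r_star):
    # Fee collected up front minus the average payment S * E[L] to the user.
    return T - S * avg_direct_loss(r_star)


def insurer_offers(S, T, r_star):
    # Insurer's IR constraint: the average operating profit must be >= 0.
    return operating_profit(S, T, r_star) >= -_TOL


def acceptable_policies(r_star, grid=20):
    # Enumerate (S, T) on a grid and keep the policies both sides accept.
    # The survivors all lie on the line T = S * E[L] (linear policy principle).
    out = []
    for i in range(grid + 1):
        S = i / grid
        for j in range(grid + 1):
            T = r_star * j / grid  # fees from 0 up to the no-insurance loss
            if user_subscribes(S, T, r_star) and insurer_offers(S, T, r_star):
                out.append((S, T))
    return out


def optimal_policy(r_star, trade_off=1.0, grid=20):
    # Insurer's objective: average effective loss of the user minus
    # trade_off * operating profit, minimised over the acceptable policies.
    best = None
    for S, T in acceptable_policies(r_star, grid):
        obj = (1.0 - S) * avg_direct_loss(r_star) - trade_off * operating_profit(S, T, r_star)
        if best is None or obj < best[0]:
            best = (obj, S, T)
    return best[1], best[2]  # expected: full coverage, maximum fee


def expected_disutility(S, r_star, gamma):
    # Assumed risk-averse loss function exp(gamma * x) applied to the
    # effective loss (1 - S) * L.  For an exponential L with mean r_star this
    # expectation is 1 / (1 - gamma*(1-S)*r_star) when gamma*(1-S)*r_star < 1
    # and diverges otherwise: the "fundamental limit on mitigation".
    a = gamma * (1.0 - S) * r_star
    if a >= 1.0:
        return math.inf
    return 1.0 / (1.0 - a)


def min_coverage_for_finite_loss(r_star, gamma):
    # Smallest coverage level that keeps the expected disutility finite.
    return max(0.0, 1.0 - 1.0 / (gamma * r_star))


def simulate_operating_profit(S, T, r_star, n=20000, seed=1):
    # Monte Carlo check of the zero-profit principle on sampled losses.
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        loss = rng.expovariate(1.0 / r_star)  # exponential with mean r_star
        total += T - S * loss
    return total / n


if __name__ == "__main__":
    r = 1.0  # constructed saddle-point risk level
    print("acceptable (S, T):", acceptable_policies(r, grid=4))
    print("optimal (S, T):", optimal_policy(r))
    print("simulated profit at the optimum:", simulate_operating_profit(1.0, r, r))
    print("min coverage for gamma=2:", min_coverage_for_finite_loss(r, 2.0))
    print("E[disutility] at S=0.25 / 0.75:",
          expected_disutility(0.25, r, 2.0), expected_disutility(0.75, r, 2.0))
```

On the grid every policy that both sides accept has zero operating profit, and the insurer's objective is then minimised by full coverage at the maximum fee, matching Propositions 4 and 5 under the stated assumptions.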
The analysis of the bi-level structure of the game informs the optimal insurance policies for transferring risks from one node to the insurer. The framework can also be extended to a scheme over interdependent infrastructures, as illustrated in Fig. 3. The cyber risks at one node can propagate to other nodes when there are cyber, physical, human, and social interdependencies. The insurance of one node can play an important role in the well-being of the entire system. We can anticipate that the insurance problem should take network effects into account. This research can also be further extended to investigate the impact of dynamic evolutions of the risks on the mechanism of insurance and the protection behaviors of the agents.