USC Computer Science Technical Reports, no. 917 (2010)
In this project, we aim to characterize non cyber-insurable losses and the role these losses have on user behavior in buying insurance against cyber-insurable losses. In general, there may be an ISP willing to insure a loss of a user that arises due to worm, virus, or botnet propagation, but not the same loss that arises due to system reliability or hardware/software related failures. As an example, there might be a hard-disk crash due to a security attack on a machine, whereas the same crash could also happen due to a bad hard-disk manufacture. Non-insurable losses could also be considered as special cases of insurable losses that are so small that the deductible on the insured product is greater than the loss, and as a result there is no reimbursement by the insurance company. However, from a user's perspective, the user is susceptible to both types of losses. Assuming that we can distinguish between the two types of losses, we plan to address the following questions in our project. Our questions form the basis of the study of the user mindset toward buying certain amounts of cyber-insurance under the realistic condition that users might incur uninsurable losses that result from non-security attacks.

• In the presence of non cyber-insurable losses and full coverage at fair and unfair premiums, do risk-averse users accept full cyber-insurance, or are they more satisfied with co-insurance, where each user bears a certain liability for its own losses that occur due to security attacks?

• How does the demand amongst risk-averse users for cyber-insurance vary when risks due to non cyber-insurable losses increase? By the term 'demand', we imply the degree of cyber-insurance a user desires, i.e., full insurance or co-insurance. In regard to increase in risk due to non-insurable losses, we consider three traditional settings most common to economic literature: 1) risk increase in a first order stochastic dominant sense, 2) risk increase in a second order stochastic dominant sense, and 3) risk increase in a Rothschild-Stiglitz sense.
• How does the demand amongst risk-averse users for cyber-insurance vary when insurable losses less than the deductible act as a special case of non-insurable losses, and the insurance is priced both in a fair and in an unfair manner?

In addition to the above questions, we also plan to propose models to capture correlation amongst entities in the Internet. Correlation gives us a measure of risk interdependence when interdependence amongst Internet entities cannot be computed exactly.

1 Model

We have the following equation regarding the final wealth of an Internet user:

$$W = W_0 + V - L_1 - L_2 + \theta\,(I(L_1) - P),$$

where $W$ is the random final wealth of a user, $W_0$ is its non-random initial wealth, and $V$ is the total value of the object subject to loss as a result of a security attack or a non-security attack. $L_1$ is a random variable denoting loss due to security attacks, and $L_2$ is the random variable denoting loss due to non-security attacks. $I(L_1)$ is the cyber-insurance function that decides the amount of coverage to be provided in the event of a security-related loss, where $0 \le I(L_1) \le L_1$. We assume that both $L_1$ and $L_2$ lie in the interval $[0, V]$. $P$ is the premium charged to users for insurable losses and is defined as $P = (1+\lambda)E(I(L_1))$. $\lambda$ is the loading factor and is zero for fair premiums and greater than zero for unfair premiums. $\theta \in [0, 1]$ is defined as the level of cyber-insurance opted for by a user. For example, a value of $\theta = 0.6$ implies that the user opts for insurance coverage of 60% of its losses and considers the remaining 40% as its own liability. This concept is termed 'co-insurance' and is common in insurance policies. We assume that on the same object, there is either a loss due to security attacks or a loss due to non-security attacks. Both types of losses cannot be inflicted on an object simultaneously.
We define the expected utility of final wealth of an Internet user as

$$E(W) = A + B + C + D, \tag{1}$$

where

$$A = \iint_{0 < L_1 \le V,\; L_2 = 0} u\big(W_0 + V - L_1 - L_2 + \theta(I(L_1) - P)\big) \cdot g(L_1, L_2)\, dL_1 \cdot dL_2,$$

$$B = \iint_{0 < L_2 \le V,\; L_1 = 0} u\big(W_0 + V - L_1 - L_2 + \theta(I(L_1) - P)\big) \cdot g(L_1, L_2)\, dL_1 \cdot dL_2,$$

$$C = \iint_{0 < L_1,\; 0 < L_2} u\big(W_0 + V - L_1 - L_2 + \theta(I(L_1) - P)\big) \cdot g(L_1, L_2)\, dL_1 \cdot dL_2,$$

and

$$D = \beta \cdot u(W_0 + V - \theta \cdot P).$$

We define the joint probability density function of $L_1$ and $L_2$ as

$$g(L_1, L_2) = \begin{cases} \alpha \cdot f_1(L_1) & 0 < L_1 \le V,\; L_2 = 0 \\ (1 - \alpha - \beta) \cdot f_2(L_2) & 0 < L_2 \le V,\; L_1 = 0 \\ 0 & 0 < L_1 \le V,\; 0 < L_2 \le V \end{cases} \tag{2}$$

where $\alpha$¹ is the probability of loss occurring due to a security attack, and $\beta$ is the probability of attack due to both, a security as well as a non-security attack. $u$ is a twice continuously differentiable risk-averse concave utility function of the user.

¹ We plan to estimate $\alpha$ using correlation models.

Based on the joint probability distribution function $g()$, Equation 1 can be re-written as

$$E(W) = A1 + B1 + C1, \tag{3}$$

where

$$A1 = \int_0^V u\big(W_0 + V - L_1 + \theta(I(L_1) - P)\big)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B1 = \int_0^V u(W_0 + V - L_2 - \theta P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C1 = \beta \cdot u(W_0 + V - \theta \cdot P).$$

Now taking the first derivative of $E(W)$ w.r.t.
$\theta$, and equating it to zero, we get the first order condition as

$$\frac{dE(W)}{d\theta} = A2 + B2 + C2 = 0, \tag{4}$$

where

$$A2 = \int_0^V u'\big(W_0 + V - L_1 + \theta(I(L_1) - P)\big)\, (I(L_1) - P)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B2 = \int_0^V u'(W_0 + V - L_2 - \theta P)\, (-P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C2 = \beta \cdot u'(W_0 + V - \theta \cdot P)\, (-P).$$

Now substituting $I(L_1) = L_1$ (indicating full coverage) and $\theta = 1$ (indicating no co-insurance) into the first order condition, we get

$$\frac{dE(W)}{d\theta} = A3 + B3 + C3 = 0, \tag{5}$$

where

$$A3 = \int_0^V u'(W_0 + V - P)\, (L_1 - P)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B3 = \int_0^V u'(W_0 + V - L_2 - P)\, (-P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C3 = \beta \cdot u'(W_0 + V - P)\, (-P).$$

Re-arranging the integrals we get

$$A3 = u'(W_0 + V - P) \cdot \alpha \int_0^V (L_1 - P)\, f_1(L_1)\, dL_1,$$

and

$$B3 = (-P)(1 - \alpha - \beta) \int_0^V u'(W_0 + V - L_2 - P)\, f_2(L_2)\, dL_2.$$

Now using the fact that $E(I(L_1)) = \alpha \cdot \int_0^V L_1 \cdot f_1(L_1)\, dL_1 = P$ (fair premiums), we have the following equation

$$\frac{dE(W)}{d\theta} = A4 + B4, \tag{6}$$

where

$$A4 = u'(W_0 + V - P)\, (1 - \alpha - \beta)\, P$$

and

$$B4 = (-P)(1 - \alpha - \beta) \int_0^V u'(W_0 + V - L_2 - P)\, f_2(L_2)\, dL_2.$$

Since a user has a risk-averse utility function, we have $u'(W_0 + V - L_2 - P) > u'(W_0 + V - P)\ \forall L_2 > 0$. Thus, $\frac{dE(W)}{d\theta} < 0$ at $\theta = 1$. This indicates that the optimal value of $\theta$ is less than 1 for fair insurance premiums. On the other hand, even if we consider unfair premiums with a load factor $\lambda > 0$, we get $\frac{dE(W)}{d\theta} < 0$. Therefore in this case also the optimal value of $\theta$ is less than 1. Thus, we have the following theorem, the proof of which follows from analysis above.

Theorem 1. Internet users always choose less than full insurance, i.e., adopt co-insurance policies, when non-insurable losses exist, irrespective of whether the cyber-insurance premiums are fair or unfair.

Theorem 2a. When non-insurable losses are increased in a first order stochastic dominant sense, the demand for cyber-insurance amongst all risk-averse Internet users decreases.

Proof.
Again consider the first order condition

$$\frac{dE(W)}{d\theta} = A2 + B2 + C2 = 0, \tag{7}$$

where

$$A2 = \int_0^V u'\big(W_0 + V - L_1 + \theta(I(L_1) - P)\big)\, (I(L_1) - P)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B2 = \int_0^V u'(W_0 + V - L_2 - \theta P)\, (-P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C2 = \beta \cdot u'(W_0 + V - \theta \cdot P)\, (-P).$$

We observe that when $L_2$ is increased in a first order stochastic dominant sense and $f_1(L_1)$ and $\beta$ remain unchanged, the premium for insurance does not change. An increase in $L_2$ in the first order stochastic dominant sense increases the magnitude of $\int_0^V u'(W_0 + V - L_2 - \theta P)\, (-P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2$, whenever $u'(W_0 + V - L_2 - \theta P)$ is increasing in $L_2$. This happens when $u(W)$ is concave, which is exactly the case in our definition of $u$. Thus, an increase in $L_2$ in a first order stochastic dominant sense leads the first order expression, $\frac{dE(W)}{d\theta}$, to become increasingly negative and results in reductions in $\theta$, implying the lowering of demand for cyber-insurance.

Theorem 2b. When non-insurable losses are increased in a Rothschild-Stiglitz sense, the demand for cyber-insurance amongst all prudent² Internet users decreases.

Proof. We again consider the first order condition

$$\frac{dE(W)}{d\theta} = A2 + B2 + C2 = 0, \tag{8}$$

where

$$A2 = \int_0^V u'\big(W_0 + V - L_1 + \theta(I(L_1) - P)\big)\, (I(L_1) - P)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B2 = \int_0^V u'(W_0 + V - L_2 - \theta P)\, (-P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C2 = \beta \cdot u'(W_0 + V - \theta \cdot P)\, (-P).$$

When $L_2$ is increased in a Rothschild-Stiglitz sense, we need to observe the effect of the change of $f_2(L_2)$ on $\int_0^V u'(W_0 + V - L_2 - \theta P)\, (-P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2$, which is determined by the concavity/convexity nature of $u'(W_0 + V - L_2 - \theta P)$ w.r.t. $L_2$. Since the Internet users are prudent, we have $u'''(W) > 0$, implying that $u'(W_0 + V - L_2 - \theta P)$ is convex in $L_2$. Thus, the Rothschild-Stiglitz increase in $L_2$ results in the first order expression becoming increasingly negative, thus lowering the demand for cyber-insurance amongst Internet users.

Theorem 3.
When the risk due to non-insurable losses increases in either the first order stochastic dominant sense or the Rothschild-Stiglitz sense, the expected utility of final wealth for any cyber-insurance contract falls when compared to the alternative of no cyber-insurance, for both risk-averse Internet users (in the case of the first order stochastic dominance sense) and prudent Internet users (in the case of risk increase in the Rothschild-Stiglitz sense).

Proof. The expected utility of any cyber-insurance contract is given by the following

$$E(W) = A1 + B1 + C1, \tag{9}$$

where

$$A1 = \int_0^V u\big(W_0 + V - L_1 + \theta(I(L_1) - P)\big)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B1 = \int_0^V u(W_0 + V - L_2 - \theta P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C1 = \beta \cdot u(W_0 + V - \theta \cdot P).$$

² A special category of risk-averse users.

When $\theta = 0$ (the case for no cyber-insurance), $E(W)$ reduces to

$$E(W) = A1' + B1' + C1', \tag{10}$$

where

$$A1' = \int_0^V u(W_0 + V - L_1)\, \alpha \cdot f_1(L_1)\, dL_1,$$

$$B1' = \int_0^V u(W_0 + V - L_2)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

and

$$C1' = \beta \cdot u(W_0 + V).$$

Increases in $L_2$ affect only the second terms in each of these utility expressions. Thus, we need to consider the change in the second order terms in the two utility expressions to observe the impact of the increase in $L_2$. The difference in the second order terms is given as

$$\int_0^V u(W_0 + V - L_2 - \theta P)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2 - \int_0^V u(W_0 + V - L_2)\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

which evaluates to

$$\int_0^V \big[u(W_0 + V - L_2 - \theta P) - u(W_0 + V - L_2)\big]\, (1 - \alpha - \beta) \cdot f_2(L_2)\, dL_2,$$

where $[u(W_0 + V - L_2 - \theta P) - u(W_0 + V - L_2)]$ is decreasing in $L_2$ under risk aversion and concave under user prudence. Thus, increases in $L_2$ in the first order stochastic dominant sense or in the Rothschild-Stiglitz sense reduce the expected utility of cyber-insurance relative to no cyber-insurance.
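A numerical check of Theorems 1 and 2a, added here as an example and not part of the original report: it maximizes $E(W)$ from Equation (3) over $\theta$ with full coverage $I(L_1) = L_1$. The log utility, the three-point loss distributions standing in for $f_1$ and $f_2$, and all parameter values are assumptions chosen for illustration; $\beta$ weights the no-loss term $C1$, as in Equation (3).

```python
import math

def expected_utility(theta, alpha, beta, f1, f2, lam=0.0,
                     W0=10.0, V=100.0, u=math.log):
    """E(W) = A1 + B1 + C1 of Eq. (3) with full coverage I(L1) = L1.
    f1, f2: discrete stand-ins for the loss densities, lists of (loss, prob)."""
    P = (1 + lam) * alpha * sum(l * p for l, p in f1)  # P = (1 + lambda) E(I(L1))
    base = W0 + V
    A1 = alpha * sum(p * u(base - l + theta * (l - P)) for l, p in f1)
    B1 = (1 - alpha - beta) * sum(p * u(base - l - theta * P) for l, p in f2)
    C1 = beta * u(base - theta * P)
    return A1 + B1 + C1

def optimal_theta(**params):
    """Ternary search on [0, 1]; valid because E(W) is concave in theta
    (u is concave and final wealth is linear in theta)."""
    lo, hi = 0.0, 1.0
    for _ in range(100):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if expected_utility(m1, **params) < expected_utility(m2, **params):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2

# Constructed sample distributions (assumed values, not from the report).
LOSSES = [(20.0, 1 / 3), (50.0, 1 / 3), (80.0, 1 / 3)]
# Every outcome is larger than in LOSSES: a first order stochastic dominant increase.
WORSE_L2 = [(40.0, 1 / 3), (70.0, 1 / 3), (95.0, 1 / 3)]

def scenarios():
    """Optimal coverage level theta* under four assumed settings."""
    return {
        # 1 - alpha - beta = 0: no non-insurable loss, fair premium
        "no_uninsurable_fair": optimal_theta(alpha=0.2, beta=0.8, f1=LOSSES, f2=LOSSES),
        # Theorem 1: non-insurable loss present, fair and unfair premiums
        "fair": optimal_theta(alpha=0.2, beta=0.5, f1=LOSSES, f2=LOSSES),
        "unfair": optimal_theta(alpha=0.2, beta=0.5, f1=LOSSES, f2=LOSSES, lam=0.2),
        # Theorem 2a: same contract, riskier non-insurable loss
        "fair_worse_L2": optimal_theta(alpha=0.2, beta=0.5, f1=LOSSES, f2=WORSE_L2),
    }

if __name__ == "__main__":
    for name, theta in scenarios().items():
        print(f"{name:22s} theta* = {theta:.3f}")
```

With these inputs, full insurance ($\theta = 1$) is optimal only when the non-insurable loss is absent; once it is present the optimum drops below 1 at both premiums, and drops further when $L_2$ is shifted upward.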
Description
Ranjan Pal, Leana Golubchik, Konstantinos Psounis. "Analyzing cyber-insurance under non-insurable losses." Computer Science Technical Reports (Los Angeles, California, USA: University of Southern California. Department of Computer Science) no. 917 (2010).
Asset Metadata
Creator: Golubchik, Leana (author); Pal, Ranjan (author); Psounis, Konstantinos (author)
Core Title: USC Computer Science Technical Reports, no. 917 (2010)
Alternative Title: Analyzing cyber-insurance under non-insurable losses (title)
Publisher: Department of Computer Science, USC Viterbi School of Engineering, University of Southern California, 3650 McClintock Avenue, Los Angeles, California, 90089, USA (publisher)
Tag: OAI-PMH Harvest
Format: 6 pages (extent), technical reports (aat)
Language: English
Unique identifier: UC16271311
Identifier: 10-917 Analyzing Cyber-Insurance Under Non-Insurable Losses (filename)
Legacy Identifier: usc-cstr-10-917
Rights: Department of Computer Science (University of Southern California) and the author(s).
Internet Media Type: application/pdf
Copyright: In copyright - Non-commercial use permitted (https://rightsstatements.org/vocab/InC-NC/1.0/)
Source: 20180426-rozan-cstechreports-shoaf (batch), Computer Science Technical Report Archive (collection), University of Southern California. Department of Computer Science. Technical Reports (series)
Access Conditions: The author(s) retain rights to their work according to U.S. copyright law. Electronic access is being provided by the USC Libraries, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository Name: USC Viterbi School of Engineering Department of Computer Science
Repository Location: Department of Computer Science. USC Viterbi School of Engineering. Los Angeles, CA, 90089
Repository Email: csdept@usc.edu