Litcius/Paper detail

Aggregate Cyber-Risk Management in the IoT Age: <i>Cautionary Statistics for (Re)Insurers and Likes</i>

Ranjan Pal, Ziyuan Huang, Xinlong Yin, Sergey Lototsky, Swades De, Sasu Tarkoma, Mingyan Liu, Jon Crowcroft, Nishanth Sastry

2020IEEE Internet of Things Journal15 citationsDOIOpen Access PDF

Abstract

IoT-driven smart societies are modern service-networked ecosystems, whose proper functioning is hugely based on the success of supply chain relationships. Robust security is still a big challenge in such ecosystems, catalyzed primarily by naive cyber-security practices (e.g., setting default IoT device passwords) on behalf of the ecosystem managers, i.e., users and organizations. This has recently led to some catastrophic malware-driven DDoS and ransomware attacks (e.g., the Mirai and WannaCry attacks). Consequently, markets for commercial third-party cyber-risk management (CRM) services (e.g., cyber-insurance) are steadily but sluggishly gaining traction with the rapid increase of IoT deployment in society, and provides a channel for ecosystem managers to transfer residual cyber-risk post attack events. Current empirical studies have shown that such residual cyber-risks affecting smart societies are often heavy-tailed in nature and exhibit tail dependencies. This is both, a major concern for a profit-minded CRM firm that might normally need to cover multiple such dependent cyber-risks from different sectors (e.g., manufacturing and energy) in a service-networked ecosystem, and a good intuition behind the sluggish market growth of CRM products. In this article, we provide: 1) a rigorous general theory to elicit conditions on (tail-dependent) heavy-tailed cyber-risk distributions under which a risk management firm might find it (non)sustainable to provide aggregate cyber-risk coverage services for smart societies and 2) a real-data-driven numerical study to validate claims made in theory assuming boundedly rational cyber-risk managers, alongside providing ideas to boost markets that aggregate dependent cyber-risks with heavy-tails. To the best of our knowledge, this is the only complete general theory till date on the feasibility of aggregate CRM.

Topics & Concepts

Computer scienceDenial-of-service attackComputer securitySoftware deploymentIndustrial organizationInternet of ThingsRisk analysis (engineering)BusinessProfit (economics)Supply chain managementRisk managementRansomwareAggregate (composite)Supply chainIntuitionChannel (broadcasting)Cloud computingBig dataDominance (genetics)Operations researchResidualEmpirical researchMicroeconomicsInformation technology managementCover (algebra)The InternetProduct (mathematics)Information and Cyber SecurityRisk and Portfolio OptimizationSupply Chain Resilience and Risk Management
Aggregate Cyber-Risk Management in the IoT Age: <i>Cautionary Statistics for (Re)Insurers and Likes</i> | Litcius