PhD Defense - Ranjan Pal
Tue, May 27, 2014 @ 10:00 AM - 12:00 PM
Thomas Lord Department of Computer Science
Thesis Title: Improving Network Security Through Insurance: A Tale of Cyber-Insurance Markets
PhD Candidate: Ranjan Pal
Date: 27th May, 2014
Location: GFS 112
Time: 10am
Committee - Leana Golubchik (Chair), Konstantinos Psounis (Co-Chair), Minlan Yu, Viktor Prasanna (Outside Member)
Abstract:
In recent years, security researchers have established that technical security solutions alone will not result in a robust cyberspace, due to several issues jointly related to the economics and technology of computer security. In this regard, some of them have proposed cyber-insurance as a suitable risk management technique that has the potential to align the various incentives of security vendors (e.g., Symantec, Microsoft, etc.), cyber-insurers (e.g., security vendors, ISPs, cloud providers, etc.), regulatory agencies (e.g., government), and network users (individuals and organizations), in turn paving the way for robust cyber-security. In this work, we theoretically investigate the following important question: can cyber-insurance really improve the security in a network? To answer this question we adopt a market-based approach. We analyze regulated monopolistic and competitive cyber-insurance markets, where the market elements consist of risk-averse cyber-insurers, risk-averse network users, a regulatory agency, and security vendors (SVs). Our analysis proves that technical solutions alone will not result in optimal network security, and leads to two important results: (i) without contract discrimination amongst users, there always exists a unique market equilibrium for both market types, but the equilibrium is inefficient and does not improve network security, and (ii) in monopoly markets, contract discrimination amongst users results in a unique market equilibrium that is efficient and improves network security; however, the cyber-insurer can make zero expected profit. The latter fact is often sufficient to de-incentivize the formation or practical realization of successful and stable cyber-insurance markets.
To alleviate the insurer's problem of potentially making zero profits, we suggest two mechanisms: (a) the SV could enter into a business relationship with the insurer and lock the latter's clients into using security products manufactured by the SV; in return for the increased sale of its products, the SV could split the average profit per consumer with the insurer, and (b) the SV could itself be the insurer and account for logical/social network information of its clients to price them. In this regard, we study homogeneous, heterogeneous, and binary pricing mechanisms designed via a common Stackelberg pricing game framework. The binary pricing game turns out to be NP-hard, for which we develop an efficient randomized approximation algorithm that achieves insurer profits up to 0.878 of the optimal solution. Our game analysis, combined with simulation results on practical networking topologies, illustrates increased maximum profits for the insurer (SV) at market equilibrium and always generates strictly positive profits for the latter, when compared to current SV pricing mechanisms in practice. In addition, the state of improved network security remains intact.
Location: Grace Ford Salvatori Hall Of Letters, Arts & Sciences (GFS) - 112
Audiences: Everyone Is Invited
Contact: Lizsl De Leon