Risk Management Using Cyber-Threat Information Sharing and Cyber-Insurance

Deepak K. Tosh, Sachin S. Shetty, Shamik Sengupta, Jay P. Kesan, Charles A. Kamhoua
Critical infrastructure systems spanning from transportation to nuclear operations are vulnerable to cyber attacks. Cyber-insurance and cyber-threat information sharing are two prominent mechanisms to defend cybersecurity issues proactively. However, standardization and realization of these choices have many bottlenecks. In this paper, we discuss the benefits and importance of cybersecurity information sharing and cyber-insurance in the current cyber-warfare situation. We model a standard game… 

Incentive Contract for Cybersecurity Information Sharing Considering Monitoring Signals

  • Yunxue Yang, Guohua Ji, Z. Yang, Shengjun Xue
  • Computer Science
    2019 International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData)
  • 2019
It is shown that by introducing monitoring signals, the insurer can collect more information about the effort level of the insured, and encourage the insured to share cybersecurity information based on the information sharing output and monitoring signals of the effort level, which can not only reduce the blindness of incentive to the insured in the process of cybersecurity information sharing, but also reduce moral hazard.

Optimal Cyber Insurance Policy Design for Dynamic Risk Management and Mitigation

A dynamic moral-hazard type of principal-agent model incorporated with Markov decision processes is presented which is used to capture the dynamics and correlations of the cyber-risks as well as the user's decisions on the local protections.

Security game for cyber physical systems

The extensive use of information and communication technologies in cyber physical systems (CPSs) makes them vulnerable to cyber-attacks, and a game-theoretic paradigm with different parameters that predicts the interactions between the attacker and the system is used.

Optimal Cyber-Insurance Contract Design for Dynamic Risk Management and Mitigation

A dynamic moral-hazard type of principal–agent model incorporated with Markov decision processes is presented, which is used to capture the dynamics and correlations of the cyber risks as well as the user’s decisions on the protections.

A Web Platform for Integrated Vulnerability Assessment and Cyber Risk Management

CYRVM’s main novelties are the combination of an online Vulnerability Assessment tool within a Risk Analysis framework following the NIST 800-30 Risk Management guidelines and the integration of predictive solutions able to suggest to the user the risk rating and classification.

Information Sharing in Cybersecurity: A Review

In this survey, we review the cybersecurity information-sharing literature, categorizing the identified papers based on their main focus and methodological approaches implemented to the cybersecurity

Barriers and Incentives to Cybersecurity Threat Information Sharing in Developing Countries: A Case Study of Saudi Arabia

A case study is described to identify the barriers and incentives for implementing threat information sharing in a developing country: Saudi Arabia, showing that socio-cultural barriers and technological incentives for sharing threat information are important factors.

An exploratory study of organizational cyber resilience, its precursors and outcomes

Organizations that suffered cyber attacks had the following cyber resilience characteristics: a relatively low level of cyber resilience reflected in the low frequency of cybersecurity roles, low reliance on cybersecurity frameworks, and relatively low strength of prevention, detection, and recovery controls.

Organisational Cyber Resilience and its Influence on Cyber Attack Outcomes: An Exploratory Study of 1,145 Publicised Attacks

A working instrument of measuring organizational cyber resilience characteristics on public data is formulated and the relationship between these characteristics with organizations’ exposure factors and cyber attack outcomes is analyzed, revealing that among all exposure factors, the organization’s sector is most consistently associated with the development of cyber resilient characteristics despite the literature’s focus on critical industry.

Systematically Understanding Cybersecurity Economics: A Survey

This review shows that most of the cybersecurity economics models are transitioning from unrealistic, unverifiable, or highly simplified fundamental premises toward dynamic, stochastic, and generalizable models.



Cyber-Threats Information Sharing in Cloud Computing: A Game Theoretic Approach

This paper will use game theory to investigate when multiple self-interested firms can invest in vulnerability discovery and share their cyber-threat information and apply this algorithm to a public cloud computing platform as one of the fastest growing segments of the cyberspace.

Establishing evolutionary game models for CYBer security information EXchange (CYBEX)

Cyber-Investment and Cyber-Information Exchange Decision Modeling

  • Deepak K. Tosh, M. Molloy, S. Sengupta, C. Kamhoua, K. Kwiat
  • Economics, Computer Science
    2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems
  • 2015
A non-cooperative game between N-firms is formulated to analyze the participating firms' decisions about the information sharing and security investments, and the probability of successful cyber attack is analyzed using the famous dose-response immunity model.

Game Theoretic Modeling to Enforce Security Information Sharing among Firms

Numerical results verify that the proposed model promotes such sharing, which also helps to relieve the firms' total security technology investment, and ensures in a self-enforcing way that the firms share their breach information truthfully to maximize their gross utility.

Modeling Cyber-Insurance: Towards a Unifying Framework

A survey of existing models reveals a discrepancy between informal arguments in favor of cyber-insurance as a tool to align incentives for better network security, and analytical results questioning the viability of a market for cyber-insurance.

Towards improved cyber security information sharing

CDXI provides a knowledge management tool for the cyber security domain whose objectives are to facilitate information sharing, enable automation, and facilitate the generation, refinement and vetting of data through burden-sharing collaboration or outsourcing.

An evolutionary game-theoretic framework for cyber-threat information sharing

A non-cooperative cybersecurity information sharing game that can guide firms to independently decide whether to “participate in CYBEX and share” or not is formulated and a distributed learning heuristic to attain the evolutionary stable strategy (ESS) under various conditions is presented.

CYBEX: the cybersecurity information exchange framework (x.1500)

A specification overview, use cases, and the current status of CYBEX is provided, which describes how cybersecurity information is exchanged between cybersecurity entities on a global scale and how the exchange is assured.