Modeling the effect of spending on cyber security by using surplus process. (English) Zbl 1459.94162

Summary: In this paper, we assume the security level of a system is a quantifiable metric and apply insurance ruin theory to assess defense failure frequencies. The current security level of an information system can be viewed as the initial insurer surplus; defense investment can be viewed as premium income that increases the security level; cyberattack arrivals follow a Poisson process, and the impact of attacks is modeled as losses on the security level. The occurrence of a cyber breach is modeled as a ruin event. We use this framework to determine the optimal investment in cyber security that minimizes the total cyber costs. We show by numerical examples that there is an optimal allocation of the total cyber security budget between (1) IT security maintenance/upkeep spending and (2) external cyber risk transfer.


94A62 Authentication, digital signatures and secret sharing
91G05 Actuarial mathematics
62P05 Applications of statistics to actuarial sciences and financial mathematics
60K10 Applications of renewal theory (reliability, demand theory, etc.)

