EAGER: Theory and Practice of Risk-Informed Cyber Insurance Policies: Risk Dependency, Risk Aggregation, and Active Threat Landscape

EAGER：风险知情网络保险政策的理论与实践：风险依赖性、风险聚合和主动威胁格局

• 批准号: 1939006
• 负责人: Mingyan Liu
• 金额: $ 20万
• 依托单位: Regents of the University of Michigan - Ann Arbor
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1939006&HistoricalAwards=false
• 关键词: EAGER; Theory; Practice; Risk; Informed

This project aims to tackle some of the most significant challenges facing the design and adoption of risk-informed cyber insurance policies; these challenges include cyber risk interdependence, correlated risk and value-at-risk, and a fast-changing threat landscape. The research has the potential to bring about a paradigm shift in the design of cyber insurance policies so that they are used as effective economic and incentive mechanisms consistent with cyber risk realities; in doing so it also introduces new ways of thinking about cybersecurity in a holistic, risk management context. Consequently, the research has a direct impact on the current practice by cyber insurance carriers and thus the potential to dramatically change the status quo. It has broader impacts on public policy and incentive mechanism design aimed at encouraging the adoption of better cybersecurity frameworks.The research agenda focuses on challenges including risk interdependence, correlated risk and value-at-risk, and a fast-changing threat landscape, and is organized into four thrust areas. The first is on risk-informed insurance policies, which is focused on establishing a solid theoretical foundation for a new family of cyber insurance policies by using contract theory and the modeling of dependent risks. The second is on the modeling of correlated risk and risk aggregation, aimed at quantifying the aggregated risk of a portfolio of insurance policies, by using the notion of conditional value-at-risk (CVaR) developed in the financial engineering field. The third is on the development of a set of stress test benchmarks, with the goal of standardizing how insurance policies should be evaluated in terms of their risk exposure. The fourth is on technology transition and adoption efforts, which includes the education of insurance practitioners, building partnerships and identifying early adopters of our methods as pilots. The research has the potential to bring about a paradigm shift in the design of cyber insurance policies so that they are used as effective economic and incentive mechanisms matched with cyber risk realities, and in introducing new ways of thinking about cybersecurity in a holistic, risk management context.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该项目旨在解决设计和采用风险知情的网络保险政策所面临的一些最重大的挑战;这些挑战包括网络风险的相互依赖性，相关风险和风险价值，以及快速变化的威胁环境。这项研究有可能带来网络保险政策设计的范式转变，使其成为符合网络风险现实的有效经济和激励机制;在这样做的过程中，它还引入了在整体风险管理背景下思考网络安全的新方法。 因此，这项研究对网络保险运营商的现行做法产生了直接影响，从而有可能极大地改变现状。它对公共政策和旨在鼓励采用更好的网络安全框架的激励机制设计产生了更广泛的影响。研究议程侧重于风险相互依存、相关风险和风险价值以及快速变化的威胁格局等挑战，并分为四个重点领域。第一个是风险知情的保险政策，这是重点建立一个坚实的理论基础，一个新的家庭网络保险政策，通过使用合同理论和相关风险的建模。第二个是关于相关风险和风险聚集的建模，旨在通过使用在金融工程领域发展的条件风险价值（CVaR）的概念来量化保单组合的聚集风险。第三个是制定一套压力测试基准，目的是使评估保险单风险的方法标准化。第四个是技术过渡和采用工作，其中包括保险从业人员的教育，建立伙伴关系，并确定我们的方法作为试点的早期采用者。这项研究有可能带来网络保险政策设计的范式转变，使其成为与网络风险现实相匹配的有效经济和激励机制，并引入全面思考网络安全的新方式，该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的智力价值和更广泛的影响审查标准。

项目成果

Will Catastrophic Cyber-Risk Aggregation Thrive in the IoT Age? A Cautionary Economics Tale for (Re-)Insurers and Likes

灾难性网络风险聚合会在物联网时代蓬勃发展吗？

• DOI: 10.1145/3446635
• 发表时间: 2021
• 期刊: ACM Transactions on Management Information Systems
• 影响因子: 2.5
• 作者: Pal, Ranjan;Huang, Ziyuan;Lototsky, Sergey;Yin, Xinlong;Liu, Mingyan;Crowcroft, Jon;Sastry, Nishanth;De, Swades;Nag, Bodhibrata
• 通讯作者: Nag, Bodhibrata

Preference-Based Privacy Markets

基于偏好的隐私市场

• DOI: 10.1109/access.2020.3014882
• 发表时间: 2020
• 期刊: IEEE Access
• 影响因子: 3.9
• 作者: Pal, Ranjan;Crowcroft, Jon;Wang, Yixuan;Li, Yong;De, Swades;Tarkoma, Sasu;Liu, Mingyan;Nag, Bodhibrata;Kumar, Abhishek;Hui, Pan
• 通讯作者: Hui, Pan

Aggregate Cyber-Risk Management in the IoT Age: Cautionary Statistics for (Re)Insurers and Likes

物联网时代的总体网络风险管理：（再）保险公司和类似机构的警示统计数据

• DOI: 10.1109/jiot.2020.3039254
• 发表时间: 2021
• 期刊: IEEE Internet of Things Journal
• 影响因子: 10.6
• 作者: Pal, Ranjan;Huang, Ziyuan;Yin, Xinlong;Lototsky, Sergey;De, Swades;Tarkoma, Sasu;Liu, Mingyan;Crowcroft, Jon;Sastry, Nishanth
• 通讯作者: Sastry, Nishanth

Deterrence, Backup, or Insurance: A Game-Theoretic Analysis of Ransomware

威慑、备份或保险：勒索软件的博弈论分析

• 发表时间: 2021
• 期刊: The Annual Workshop on the Economics of Information Security (WEIS
• 作者: Yin, Tongxin;Sarabi, Armin;Liu, Mingyan
• 通讯作者: Liu, Mingyan