Cyber insurance and Security-as-a-Service provisioning in cloud computing

In a 2014 report by McAfee it was estimated that financial losses due to cyber risks were between USD 300 billion and USD 1 trillion a year.

The Identity Theft Resource Center’s 2016 data breach category summary found that as of November, there were 873 recorded breaches in the US with over 29 million records exposed. With the number of cyber attacks growing, successful attacks are now a question of ‘when’, not ‘if’. Yet, the Monetary Authority of Singapore observed that cyber insurance adoption for small and medium-sized enterprises (SMEs) is less than 10% in Asia, despite 42% of the world’s Internet users living in the region. 90% of all cyber insurance is purchased by US companies, whilst in the UK, only 2% of companies have specialist cyber insurance. The market, therefore, has considerable room for further growth, with PricewaterhouseCoopers (PwC) estimating that annual premiums could grow USD 5 billion by 2018 and exceed USD 7.5 billion by 2020.

Outsourcing computation to the cloud is now common practice, and it is not surprising that the Security-as-a-Service (SECaaS) paradigm has arisen to counter the growing level of cyber threats. Thus, an application may guard against attacks by provisioning security services from providers such as McAfee and Trend Micro. These services may take various forms, such as secure data storage, identity and access management (IAM), and intrusion detection services to screen incoming traffic.  These services can be provisioned in a similar manner to other cloud services, either through advance subscription or dynamically through on-demand options. SECaaS allows customers to reduce their security overheads while maintaining a high level of protection.

As computing services are increasingly cloud-based, corporations are investing in cloud-based security measures. The Security-as-a-Service (SECaaS) paradigm allows customers to outsource security to the cloud, through the payment of a subscription fee. However, no security system is bulletproof, and even one successful attack can result in the loss of data and revenue worth millions of dollars. To guard against this eventuality, customers may also purchase cyber insurance to receive recompense in the case of loss. To achieve cost effectiveness, it is necessary to balance provisioning of security and insurance, even when future costs and risks are uncertain. To this end, we introduce a stochastic optimisation model to optimally provision security and insurance services in the cloud. Since the model we design is a mixed integer problem, we also introduce a partial Lagrange multiplier algorithm that takes advantage of the total unimodularity property to find the solution in polynomial time. We also apply sensitivity analysis to find the exact tolerance of decision variables to parameter changes.

We show the effectiveness of these techniques using numerical results based on real attack data to demonstrate a realistic testing environment and find that security and insurance are interdependent.

Read the full article here.