Abstract

In a networked system, the risk of security compromises depends not only on each node’s security, but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes we should expect to lose, on average, for a given network topology, after certain types of incidents. Meanwhile the pricing of insurance contracts for risks related to information technology (better known as cyber-insurance) requires determining additional information, for example, the maximum number of nodes we should expect to lose within a 99.5% confidence interval. Previous modeling research in network security has not addressed these types of questions, while research on cyber-insurance pricing for networked systems has not taken into account the network’s topology. Our goal is to bridge that gap, by providing a mathematical basis for the assessment of systematic risk in networked systems. We define a loss-number distribution to be a probability distribution on the total number of compromised nodes within a network following the occurrence of a given incident; and we provide a number of modeling results that aim to be useful for cyber-insurers in this context. We prove NP-hardness for the general case of computing the loss-number distribution for an arbitrary network topology, but obtain simplified computable formulas for the special cases of star topologies, ER-random topologies, and uniform topologies. We also provide a simulation algorithm that approximates the loss-number distribution for an arbitrary network topology and that appears to converge efficiently for many common classes of topologies. Scale-free network topologies have a degree distribution that follows a power law, and are commonly found in real-world networks. We provide an example of a scale-free network in which a cyber-insurance pricing mechanism that relies naively on incidence reporting data will fail to accurately predict the true risk level of the entire system. We offer an alternative mechanism that yields an accurate forecast by taking into account the network topology, thus highlighting the lack/importance of topological data in security incident reporting. Our results constitute important steps towards the understanding of systematic risk, and help to contribute to the emergence of a viable cyber-insurance market.