<i>How Hard Is Cyber-risk Management in IT/OT Systems?</i> A Theory to Classify and Conquer Hardness of Insuring ICSs-Reference-Cited by-同舟云学术

How Hard Is Cyber-risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs

Published:2022-10-31 Issue:4 Volume:6 Page:1-31
ISSN:2378-962X
Container-title:ACM Transactions on Cyber-Physical Systems
language:en
Short-container-title:ACM Trans. Cyber-Phys. Syst.

Author:

Pal Ranjan¹^ORCID,Liu Peihan²^ORCID,Lu Taoan³^ORCID,Hua Ed⁴^ORCID

Affiliation:

1. Massachusetts Institute of Technology, USA

2. Harvard University, USA

3. Carnegie Mellon University, USA

4. MITRE Corporation, USA

Abstract

Third-party residual cyber-risk management (RCRM) services (e.g., insurance, re-insurance) are getting increasingly popular (currently, a multi-billion-dollar annual market) with C-suites managing industrial control systems (ICSs) based upon IoT-driven cyber-physical IT and OT technology. Apart from mitigating and diversifying losses from (major) cyber-threats RCRM services positively contribute to improved cyber-security as an added societal benefit. However, it is also well known that RCRM markets (RCRM for ICSs being a mere subset) are relatively nascent and sparse. There is a huge (approximately 10-fold) supply-demand gap in an environment where (a) annual cyber-losses range in trillions of USD, and (b) CRM markets (residual or otherwise) are annually worth only up to 0.25 trillion USD. The main reason for this wide gap is the age-old information asymmetry (IA) bottleneck between the demand and supply sides of the third-party RCRM market, which is significantly amplified in modern cyber-space settings. This setting primarily comprises interdependent and intra-networked ICSs (and/or traditional IT systems) from diverse application sectors inter-networked with each other in a service supply-chain environment. In this article, we are the first to prove that optimal cyber-risk diversification (integral to RCRM) under IA is computationally intractable, i.e., NP-hard, for such (systemic) inter-networked societies. Here, the term “optimal diversification” implies the best way a residual and profit-minded cyber-risk manager can form a portfolio of client coverage contracts. We follow this up with the design and analysis of a computational policy that alleviates this intractability challenge for the social good. Here, the social good can be ensured through denser RCRM markets that in principle improve cyber-security. Our work formally establishes (a) the reason why it has been very difficult in practice (without suitable policy intervention) to densify IA-affected RCRM markets despite their high demand in modern CPS/ICS/IoT societies; and (b) the efficacy of our computational policy to mitigate IA issues between the supply and demand sides of an RCRM market in such societies.

Publisher

Association for Computing Machinery (ACM)

Subject

Artificial Intelligence,Control and Optimization,Computer Networks and Communications,Hardware and Architecture,Human-Computer Interaction

Link

https://dl.acm.org/doi/pdf/10.1145/3568399

Reference79 articles.

1. Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures;Ahmed Ali;Decis. Supp. Syst.,2021

2. George A. Akerlof. 1978. The market for “lemons”: Quality uncertainty and the market mechanism. In Uncertainty in Economics. Elsevier, 235–251.

3. Information security: Where computer science, economics and psychology meet;Anderson Ross;Philos. Trans. Roy. Societ. A: Math., Phys. Eng. Sci.,2009

4. Benny Applebaum, Boaz Barak, and Avi Wigderson. 2010. Public-key cryptography from different assumptions. In 42nd ACM Symposium on Theory of Computing. 171–180.

5. Optimal policy for software vulnerability disclosure;Arora Ashish;Manag. Sci.,2008