What is the risk?
As global commerce becomes increasingly electronic and data-driven, the major threats to businesses are now cyber in nature. Large-scale software providers unite companies and their trading relationships through a system of network connections. A cyber-attack that exploits a vulnerability in such shared software can therefore cause a catastrophic service disruption that cascades across linked networks, potentially amounting to billions in losses across industry.
The likelihood of a cyber-attack has major implications for risk management businesses such as cyber-insurance. This is particularly the case when risk-averse insurers are designing policies to provide coverage to clients in the aftermath of such catastrophic network events.
What is the research saying?
In a new paper, When Are Cyber Blackouts in Modern Service Networks Likely? A Network Oblivious Theory On Cyber (Re)Insurance Feasibility, Dr Nishanth Sastry, Senior Lecturer at the Department of Engineering, and a wider multi-university research team investigate the future of cyber-insurance coverage for the inter-dependent IT service sector and quantify the probability of a cyber blackout.
The team defines a cyber blackout as ‘all or a major subset of organisations within a network becoming dysfunctional during a cyber-attack’. For example, they would be unable to provide cloud connectivity, protect customer privacy, or there would be a disruption of energy services.
This is important as the cyber blackout scenario is not currently a primary consideration in cyber insurance, due to profit-minded insurance agencies being considerably risk averse. This ‘scare-effect’ is the root cause behind cyber-insurers not opening up their coverage capacities enough to boost the market to prepare for risk management in this age of modern cyber-attacks. Cyber-insurers are providing some financial assistance to policyholders in the event that they suffer an attack, but are not completely indemnifying their losses as insurers do elsewhere. Companies are left to fund most of the big losses themselves.
Dr Nishanth Sastry, Senior Lecturer in the Department of Engineering at King’s College London commented:
Nobody likes to think of ‘Black Swan’ events – catastrophes where the end-to-end delivery of some functionality completely fails. However, in today’s increasingly interconnected world, with complex supply-demand obligations among various interacting players, this is an important risk that we must prepare for. For instance, even something as simple as video streaming can involve complex interactions among several entities, including a content provider such as YouTube, BBC or Netflix, a cloud provider or content delivery network that hosts and delivers their content, and several interconnected ISPs that connect the content servers to the end users.
Nishanth further elaborated:
Whereas a failure to watch the next cute cat video is unlikely to be a major disaster, as we move towards supporting more complex mission critical applications such as smart cities, connected cars or remote surgery, it is important to understand how failure of different interconnected and networked entities will affect the service delivery of such applications. What we show is that under a wide range of model parameters, the eventual ecosystem-wide effect of cyber blackouts can be limited and contained. Thus the downside of risk to cyber insurance providers may also be manageable.
How did the research team get results?
- The paper explores seven of the most likely cyber-attack scenarios capable of causing a cyber blackout in modern IT systems, and highlights how correlated cyber-losses could impact a portfolio of cyber-insurance policies. It also explores how organisations could suffer systemic losses from a single underlying cause.
- The team conducted experiments with both real-world and synthetic data sets to study the effects of different parameters on strong and weak systemic contagion phenomena, and the effect of service network topology.
- The team designed a graph-based model of service obligations (GSOM) between organisations in a service chain network. In the event of a cyber-attack, GSOM computes the vector of service valuations that clears the network, and identifies the nodes in the chain that are no longer able to provide service. The model's analysis and simple-looking outcome are underpinned by some extremely sophisticated mathematics from the domains of lattice theory over monotonic functions and mathematical statistics.
Through GSOM, the research team were able to demonstrate that losses could actually be larger in the absence of network connectivity than in the presence of it, implying that simple network spillover effects on loss amplification have a limited impact, even under a wide range of model parameters. The increase in losses due to network connections among industries is mostly very small, though the losses themselves are not necessarily independent of the network connections.
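As an added illustration of the kind of clearing computation described in the GSOM bullet and the loss-amplification finding above (this is not the paper's GSOM; the Eisenberg-Noe style monotone clearing map, the four-node service chain and every number are constructed assumptions), the following Python iterates a monotone map down from the nominal obligations to its greatest fixed point, lists the nodes left unable to deliver after an attack on one provider, and reports how much the network amplifies the directly attacked node's loss.

```python
"""Toy service-obligation clearing model (added illustration, not the
paper's GSOM). It assumes an Eisenberg-Noe style monotone clearing map:
each node honours its obligations pro rata from its own capacity plus
the service it receives from others. All numbers are constructed."""

# Constructed: OBLIGATIONS[i][j] is the service value node i owes node j.
OBLIGATIONS = [
    [0.0, 6.0, 4.0, 0.0],  # 0: cloud provider -> CDN, ISP
    [0.0, 0.0, 5.0, 3.0],  # 1: CDN -> ISP, content provider
    [2.0, 0.0, 0.0, 4.0],  # 2: ISP -> cloud, content provider
    [1.0, 1.0, 0.0, 0.0],  # 3: content provider -> cloud, CDN
]
# Constructed: capacity each node has on its own, without any inflows.
CAPACITY = [8.0, 2.0, 2.0, 1.0]

def clearing_vector(obligations, capacity, shock, tol=1e-9):
    """Return (p, dysfunctional). p[i] is the service node i can deliver
    once shock[i] (fraction of its capacity lost) has propagated; p is the
    greatest fixed point of a monotone map, reached by iterating downward
    from the nominal obligations (the lattice-theoretic idea the page
    alludes to). dysfunctional lists nodes unable to deliver in full."""
    n = len(obligations)
    nominal = [sum(row) for row in obligations]
    share = [[obligations[i][j] / nominal[i] if nominal[i] else 0.0
              for j in range(n)] for i in range(n)]  # pro-rata delivery
    cap = [capacity[i] * (1.0 - shock[i]) for i in range(n)]
    p = nominal[:]  # start at the top of the lattice
    while True:
        inflow = [sum(share[j][i] * p[j] for j in range(n)) for i in range(n)]
        nxt = [min(nominal[i], cap[i] + inflow[i]) for i in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, p)) < tol:
            return nxt, [i for i in range(n) if nominal[i] - nxt[i] > tol]
        p = nxt

def loss_amplification(obligations, capacity, shock):
    """Network-wide shortfall divided by the shortfall at the shocked
    nodes themselves; a value close to 1.0 means little spillover."""
    unshocked = [0.0] * len(capacity)
    base, _ = clearing_vector(obligations, capacity, unshocked)
    hit, _ = clearing_vector(obligations, capacity, shock)
    losses = [b - h for b, h in zip(base, hit)]
    direct = sum(loss for loss, s in zip(losses, shock) if s > 0)
    return sum(losses) / direct if direct > 0 else 0.0

if __name__ == "__main__":
    attack = [0.75, 0.0, 0.0, 0.0]  # constructed: cloud provider loses 75%
    print(clearing_vector(OBLIGATIONS, CAPACITY, attack))
    print(round(loss_amplification(OBLIGATIONS, CAPACITY, attack), 2))
```

With the constructed numbers the attacked cloud provider drags the CDN below its obligations too, while the ISP and content provider still clear in full.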
The results obtained should encourage cyber-insurers to shed some of their risk-aversion in connection with network effects, and broaden their coverage capacities for a healthy cyber-insurance market.
Dr Ranjan Pal, University of Michigan Ann Arbor, who led the research, commented:
Our results will provide confidence to risk-averse cyber-risk managers such as insurance and re-insurance companies to expand their businesses in the modern cyber-era. This will positively contribute to a society’s economic security, psychological well-being, and global cyber-security in general, and even in extreme scenarios of catastrophic cyber-wartimes. On a more technical note, our results allow cyber-risk managers to safely infer the economic impact of cyber-attacks even in situations when they are not completely aware of the supply-chain nature of service industries, or the mathematical properties of cyber-attacks hitting a supply chain network. To the best of our knowledge, such an impactful mathematically provable result using minimal service network and cyber-attack information is absent in the literature of cyber-insurance, be it for catastrophic cyber-attacks or otherwise – our efforts are completely new and eye-opening.
How is King’s improving global cyber security?
In 2018, King’s Cybersecurity Centre was recognised as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR) by the UK’s National Cyber Security Centre (NCSC), part of GCHQ, and the Engineering and Physical Sciences Research Council (EPSRC).
Led by Dr Jose Such, Reader in Security and Privacy at the Department of Informatics, the Centre brings together a diverse group of researchers across King’s working on the socio-technical aspects of cyber security, including academics at the Department of Informatics, the Department of Engineering, the Department of War Studies, the Department of Defence Studies, the Department of Digital Humanities, the School of Law, and the Policy Institute.
The Centre provides expertise on a broad range of areas in cyber security, and has a critical mass of researchers working on three main research themes and their interrelationship: AI Cyber Security, Formal Cyber Security, and Strategic Cyber Security.
Ranjan Pal, University of Michigan Ann Arbor, University of Cambridge
Konstantinos Psounis, University of Southern California
Jon Crowcroft, University of Cambridge
Frank Kelly, University of Cambridge
Pan Hui, Sasu Tarkoma, University of Helsinki
Abhishek Kumar, University of Helsinki
John Kelly, Aritra Chatterjee, Envelop Risk
Leana Golubchik, University of Southern California
Nishanth Sastry, King’s College London
Bodhibrata Nag, Indian Institute of Management Calcutta