How Hard Is Cyber-risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs

R. Pal, Peihan Liu, Taoan Lu, Edward Y. Hua
Journal: ACM Transactions on Cyber-Physical Systems (TCPS). Published: 2022-10-18 (Journal Article). DOI: 10.1145/3568399 (https://doi.org/10.1145/3568399). Citation count: 1.
Citation count: 1

Abstract

Third-party residual cyber-risk management (RCRM) services (e.g., insurance, re-insurance) are becoming increasingly popular (currently a multi-billion-dollar annual market) with C-suites managing industrial control systems (ICSs) built on IoT-driven cyber-physical IT and OT technology. Apart from mitigating and diversifying losses from (major) cyber-threats, RCRM services also contribute to improved cyber-security as an added societal benefit. However, it is also well known that RCRM markets (RCRM for ICSs being a mere subset) are relatively nascent and sparse. There is a huge (approximately 10-fold) supply-demand gap in an environment where (a) annual cyber-losses run into trillions of USD, and (b) CRM markets (residual or otherwise) are annually worth only up to 0.25 trillion USD. The main reason for this wide gap is the age-old information asymmetry (IA) bottleneck between the demand and supply sides of the third-party RCRM market, which is significantly amplified in modern cyber-space settings. This setting primarily comprises interdependent and intra-networked ICSs (and/or traditional IT systems) from diverse application sectors, inter-networked with each other in a service supply-chain environment. In this article, we are the first to prove that optimal cyber-risk diversification (integral to RCRM) under IA is computationally intractable, i.e., NP-hard, for such (systemic) inter-networked societies. Here, the term “optimal diversification” means the best way a residual and profit-minded cyber-risk manager can form a portfolio of client coverage contracts. We follow this up with the design and analysis of a computational policy that alleviates this intractability challenge for the social good. Here, the social good can be ensured through denser RCRM markets that in principle improve cyber-security. Our work formally establishes (a) why it has been very difficult in practice (without suitable policy intervention) to densify IA-affected RCRM markets despite their high demand in modern CPS/ICS/IoT societies; and (b) the efficacy of our computational policy in mitigating IA issues between the supply and demand sides of an RCRM market in such societies.