#### Abstract

In this paper, we assume the security level of a system is a quantifiable metric and apply the insurance company ruin theory in assessing the defense failure frequencies. The current security level of an information system can be viewed as the initial insurer surplus; defense investment can be viewed as premium income resulting in an increase in the security level; cyberattack arrivals follow a Poisson process, and the impact of attacks is modeled as losses on the security level. The occurrence of cyber breach is modeled as a ruin event. We use this framework to determine optimal investment in cyber security that minimizes the total cyber costs. We show by numerical examples that there is an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer.

#### 1. Introduction

Cyber risk has become a hot topic given the ever-increasing cyber breaches and resulting losses of data and business disruptions. Cyber risk differs from traditional insurance risks in that they are very much driven by human behaviours in terms of attacks and defenses. What quantitative tools can actuaries imply to offer insights in measuring and managing cyber risks? In this paper, we apply traditional ruin theory in an innovative way to assess the stochastic changes in the level of cyber security and derived interesting insights from this theoretical framework.

Traditional actuarial ruin theory was developed in modeling of insurance capital solvency, whereas the level of capital is influenced by two opposing forces: the upward drift driven by a stream of insurance premium income and the random downward jump driven by insurance claims. During our literature review for cyber risk analysis (mostly from the computer science literature), we noticed that in many of the quantitative models, the security level of a system could be assumed as a quantifiable amount, which is primarily affected by the amount of investment in security development. In addition, it is commonly assumed that the probability and the loss severity of a defense failure (a cyber breach) depend on the security development and the damage control scheme.

In this paper, we assume the security level of a system is a quantifiable metric and apply the ruin theoretic framework in assessing the defense failure frequencies. We assume that the security level of a system changes over time due to attack and defense. The security level is then modeled by a modified surplus process: the current security level of an information system can be viewed as the initial surplus; defense investment resulting in an increase in the security level can be viewed as the premium income; the cyberattack arrivals are modeled as a Poisson process, and the impact of attacks is modeled as losses on the security level using an assumed loss distribution. A cyberattack succeeds (or the defense fails) when ruin occurs. In other words, we apply the risk process to model the frequency of the cyber failure. Once the defense failed, an independent financial loss amount is incurred depending on the nature of data being breached. Our goal of this paper is to provide a framework for analyzing the economical relationship between IT security investment and the associated cyber breach losses and to use this framework to make optimal IT security investment decisions.

In Section 2, we provide a detailed description of the model. We then derive the formula for the distribution of defense failure frequency, which is a function depending on security investments and attack arrivals. Assuming the distribution of the loss severity from a cyber breach is known, we show that the optimal investment amount can be solved by minimizing the expected total cyber costs. In Section 3, we use numerical calculations to provide insights on the changes in expected total cyber costs and the optimal amount of cyber investment, under different assumptions of loss severity, attack arrival as well as time horizon. We also provide a literature review on cyber risk modeling in Section 4 and comment on future research in Section 5.

To our knowledge, this paper is the first attempt to model cyber risk by applying the ruin theory in the literature. The goal of this paper is not to propose a new actuarial model for cyber losses (in terms of frequency and severity distributions), but instead, we apply the ruin theoretical framework to the level of cyber security over the course of time, under opposing forces of attackers and defenders. We then use the framework to draw insights about optimal allocation of cyber security budget.

#### 2. Surplus Process for the Cyber Security Level over Time

##### 2.1. Surplus Processes in the Classical Ruin Theory

We first review the classical insurance surplus process defined bywhere is the initial surplus, is a constant rate of premium income per unit time, is a counting process for the number of claims, and is a sequence of i.i.d. random variables representing individual claim amounts with probability density function (p.d.f.) and cumulative distribution function (c.d.f.) . Let be the time that surplus first falls below 0 given initial surplus , and the ultimate ruin probability is defined as . Under the classical risk model, it is common to assume to ensure is not 1. Define to be the defective density function of and , as the Laplace transform of . The conditional density of is denoted as .

##### 2.2. Cyber Security Level Model Description

Gordon and Loeb [1] defined a vulnerability term , as the probability that an attack being successful. The observation is that the vulnerability of a security system is not static over time and it depends on the maintenance effort of the system administrator through time.

Denote as the vulnerability level of a security system at time . In addition, we define the strength level of a security system at time as , where and , is a function that satisfies the following properties:(1), i.e., the higher the is, the lower the vulnerability of the security system.(2)When , , i.e., when the strength level is 0, the probability of an attack being successful is 1.(3)When , , i.e., when the strength level is extremely high, the probability of an attack being successful tends to 0. Here we assume that the security system cannot be completely protected; however, the system administrator manages it. There is always a probability of being breached.

One type of function that satisfies the above properties is where , i.e., , where is a parameter that transforms the strength level measurement to a probability measurement .

We now apply some of the surplus process ideas to model the security strength level process of a firm’s information system. Assume that process represents the security strength at any time of the system and that represents the system’s current security level.

Let denote the monetary (e.g., dollar) investment in security to protect the system. The result of such investment will create changes in security strength level over time. For simplicity in our model, we assume that the investment is constant at per unit of time and that the change in is at per unit of time, where is a differentiable function with and .

We assume that when , i.e., there is absolutely no effort in place on system maintenance, the process will have a natural downward drift. We assume this downward drift to be a constant until hits 0. This is justified by common observations in security system management: if the system does not perform regular updates, scans, and inspections, the system becomes more and more vulnerable over time.

Let be the amount of investment that is needed to counter affect the downward drift , and that the per unit time change in caused by such investment is 0. If , then the per unit time change in becomes .

Mathematically, the above assumption can be summarized as the following conditions that need to be satisfied by function : , for , and for . The increase in the security level is justified by continuous effort on fixing known vulnerabilities, strengthening authentication and encryption, etc. References on over hundreds of defense methods can be found in Cohen [2].

The counting process represents the number of attempted attacks during time . When an attempted attack arrives at time , we assume that the probability of that attack being successful is equal to . However, whether the attempted attack is successful or not, we assume that the strength level of the system after the attempted attack will be damaged by a random variable . During an attack event, the hacker may gain some information about the system mechanism and authentication methods and that a certain level of security strength is lost. This is modeled by losses in security level when attack arrives.

So far our security level process follows the fundamental works of a classical insurance surplus process. To further accommodate the modeling of cyber risks, we make two modifications on the process. First modification is that once ruin occurs, the surplus level returns to 0 immediately and the process continues. This implies that the security level does not remain at ruin state but restarts from 0 whenever a failure occurred. A realization of such process is shown in Figure 1. The reason for this is that it seems unrealistic to assume that the security level can remain negative. Even when a breach event occurs, the system engineers will continue to strengthen the system security over time by fixing exploited vulnerabilities and bugs.

Another modification is a loosening on the assumption for such that the probability of ruin/breach event is not strictly less than 1 under our framework. More discussion on this modification can be found in Appendix A.

Table 1 provides a comparison between surplus process definitions under traditional ruin theory versus our cyber security framework. In reality, the cyber environment is characterized as an arms race between attackers and defenders. Perpetrators are actively searching for weak points and new methods and tools (e.g., malware) for attacking. The results of attackers are quantified by which emerges over time. Defenders must vigilantly monitor and constantly invest in cyber security in terms of time, knowledge, and measures. The defense spending of amount gives as the continuous security development rate. Our focus is on the time dimension of the arms race between attackers and defenders. In this paper, we investigate how company spending in beefing up cyber security level can help maintain/achieve a desirable security level.

Let the counting process of the number of ruin events between time be , with initial surplus , under the modified surplus process. Let to be the time of ruin event and to be the probability density function of . Define , we can then derive the probability function for . For , we have that

Note that this also includes the probability that ruin never occurs and that by definition . For ,

Under our cyber risk model, we use as the counting process for breach events. Furthermore, let be independent and identically distributed random variables representing the severity of financial loss due to a security breach. We assume that depends on the nature of data breached and is independent of and . The total financial loss due to defense failure between time is then .

Since is the amount of investment in cyber security per unit time, we denote to be the total cyber cost between and we have

The expected total cyber costs between are thenwhere the expected number of breaches before can be found as follows:

Taking the partial differentiation of with respect to , we have

Since and hence , and that , we see that there exists an such that .

Note that the expected loss represents the net premium for cyber insurance cover for losses from cyber breach. The higher the IT security spending, the lower the resulting net premium of cyber insurance. There is an optimal amount of spending that minimizes the total cost to the firm. Using equation (5), firms can decide an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer. The total cyber cost function can be generalized to allow for expense loading of insurance covers. If the insurance premium is the expected financial loss plus a loading under the expected value principle, the total cyber cost function then becomes

#### 3. Insights from the Framework

In this section, we assume a baseline scenario that follows a Poisson process with parameter , and follows an exponential distribution with parameter . The initial security level is . We also assume that the construction rate , where is the amount of investment on security development. Note that under this assumption , and for . The expected loss when breach occurs is assumed to be and the time horizon is . Some analytical results are given in Appendix B under these assumptions.

To further clarify the notation used, , , , and are numerical metrics corresponding to the security level process, whereas , , and represent the monetary amounts associated with security investments and costs of cyber breaches.

In the following examples, we change various assumptions and study the impact on the expected total cyber cost . Under each scenario, we find the optimal investment level such that the expected cyber cost is minimized given the specific time horizon.

##### 3.1. Impact of Loss Severity

In this example, we assume an alternative scenario with . Clearly in our baseline scenario where , the average severity of loss in an event of cyber breach is relatively low compared with . Figure 2 shows how expected cyber costs change with respect to changes in given the assumed .

Under our baseline scenario, where , if we invest nothing in security development such that and hence , the expected number of defense failures is 0.45. As increases, we see that firstly decreases until it reaches the minimum at with the minimized expected cyber cost at . The expected number of defense failures given is 0.26. Note that with , the corresponding . This indicates that under the given conditions above, it is actually less optimal to maintain , which is a condition needed for .

For , the minimum expected cost is with . The optimal security investment is higher compared with the previous case. Table 2 provides a summary of the results above.

Insights: in the case of higher average loss severity, it is better to invest more in security defense to reduce the expected number of breach events.

##### 3.2. Impact of Different Attack Arrivals

In this example, we look at the impact of different attack arrivals on expected cyber losses and optimal investment level . We adopt the same baseline scenario such that , and , , , and . We assume two alternative sets of parameters for attack arrivals: for the first alternative scenario (scenario 2), we assume and , which represents the case where the attack frequency is halved, but the expected impact is doubled due to more sophisticated attacks. For the second alternative scenario (scenario 3), we assume and , which represents a high-frequency but low-impact (less sophisticated) attack for the attack arrivals.

Figure 3 shows the change in the expected number of breaches given assuming different attack arrivals as above. We see that for scenario 3, decreases quickly with small increase in . A small amount of investment can reduce the expected number of breaches significantly. For scenario 2, the investment is less efficient because such that each additional unit spending of causes smaller additional and that high impact of the attacks overpowers the security improvement.

We then calculate the expected total cyber costs under the assumed three scenarios, and Figure 4 shows the changes in with respect to changes in . The optimal investment is then calculated for each scenario with corresponding results shown in Table 3.

For the baseline scenario, the optimal is with the minimum expected cyber costs at . For scenario 2, the optimal is smaller than the baseline scenario, with the minimum expected cyber costs higher at . Under this scenario, the system manager actually opts to invest less due to the comparatively inefficient cyber investment. For scenario 3, the optimal is lower than the baseline scenario but higher than scenario 2. However, we see that the optimal expected cyber costs decreased significantly from and , compared with the baseline scenario and scenario 2, respectively.

Insights: for a given expected loss amount as the product of frequency and severity, if a company’s computer system is facing more frequent but less severe attacks, it is optimal for the company to invest less amount in security improvement.

##### 3.3. Impact of Time Horizon

In previous sections, we assumed for numerical illustrations. We now look at the impact of time horizon on the changes in the optimal investment level . We assume , , , , and . Figure 5 illustrates the changes in with changes in , assuming , , and , respectively.

Intuitively, as increases, the expected total cyber cost shifts upward. Our interest lies in the changes in optimal investment amount when looking at different time horizons. Table 4 shows the optimal for , , and , respectively. We also calculate the corresponding and , which represent the expected cyber cost and expected number of breaches per time unit, respectively, given . There are a few observations from the results as follows. Firstly, as we look at longer time horizon, it is optimal to invest more in security development to reduce the total expected cyber costs. Next, the is not linearly related to as changes. This is because at the end of one year, the security level may be lower or higher than the start of the year and the optimal level of investment will change accordingly for the next year. In addition, the optimal average expected number of breaches per time unit also changes when we consider different time horizons.

Insights: the choice of time horizon has important implications when deciding the optimal security spending.

##### 3.4. Impact of Initial Security Level

In this example, we look at the impact of different initial security level . We assume , , , , and . Figure 6 illustrates the changes in with changes in , given , , and . We see that when is small, the differences in expected cyber cost are relatively large when changes. As becomes larger, the gaps between the three lines become smaller and almost remain constant for large .

In Table 5, we provide the optimal investment and corresponding expected cyber costs. When , the optimal is $2.46 with minimum expected cyber costs at $16.33. When , the optimal and the minimum expected cyber cost is $2.87.

Assume we can invest , , to instantly increase from to . We also assume that . This implies that if we want to increase from to instantly, it will cost more than develop from to during 1 unit time. If at time and , the expected total cyber cost under previous settings will be . Suppose we decide to invest such that the initial increases to instantly and the process continues. The total cyber cost under this scenario is then . From the table above, we see that . If , the firm can actually reduce the total expected cyber cost by a one-off investment to boost the initial security level from 1 to 3.

Insights: it may be worthwhile for a company to spend one-off investment from time to time to boost cyber security level to a desirable standard.

#### 4. Literature Review on Cyber Risk Modeling

In this section, we provide a brief literature review on cyber risk modeling. The computer information system (CIS) risk had always been one of the key concerns for computer engineers. In the era of digitization, big data, and global connectivity, the requirements for cyber risks management escalate and become a key element in the risk management framework. In the computer science literature, the analysis of CIS risks has been split into development risks and security risks. Rigorous analysis methods and frameworks were designed to identify and manage critical risk factors in system development [3]. For security risks, the authors in [2, 4] provided extensive lists of potential attacks, defenses, threats, and consequences. With the effort to quantitatively analyze system security, network topology and graph are used together with epidemic models and become more popular in recent years. Li et al. [5] applied a stochastic model upon a complex network graph that includes sets of nodes and sets of edges over which direct attack can be carried out in the network. A stochastic abstraction of the interactions between the attacker and the defender in the network is considered to derive the probability that a uniformly chosen node is compromised (or attacked) in the steady state. Xu and Xu [6] later extended this model by weakening some strong assumptions and provided analytical results for the desired steady-state probabilities. In 2015, Xu et al. [7] incorporated copulas in the cyber epidemic models to accommodate the dependences between the cyberattack events. Pastor-Satoras et al. [8] gave a detailed review of the vast research activity concerning cyber epidemic processes, detailing the successful theoretical approaches as well as making their limits and assumptions clear.

Another stream of research focused on economic models of security investments. For example, Gordon and Loeb [1] studied the optimal protection of information, which varies with the information set’s vulnerability. Dillon and Pate-Cornell [9] developed a theoretical framework that uses a utility function to explicitly examine the tradeoffs between minimization of the probability of an IS project’s failure and maximization of the expected benefits from its performance. Bohme and Moore [10] developed a dynamic model to reflect the interaction between a defender and an attacker and showed how the defender’s knowledge about prospective attacks and the sunk costs incurred when upgrading defenses reactively affects the optimal security investment strategy. Many more literature studies can be found in Gordon and Loeb [11] and Wang [12]. In response to the escalating demands from companies to seek better cyber risk management, the market for insurance has emerged and evolved in recent years to provide covers on cyber-related losses. However, the industry has seen a slower pace in market expansion than anticipated due to a number of challenges. The first question is the insurability of cyber risks. Biener et al. [13] focused extensively on this matter by applying Berliner’s [14] insurability framework together with empirical analysis. The first insurability criterion is the randomness of the loss occurrence and the conclusion is that it is problematic due to a number of reasons. Their paper also showed that the average loss in different industries differs due to different awareness levels and therefore different resources devoted to self-protection, and the nature of the asset being protected, for example, whether the data include sensitive personal information. The higher the expected loss, the more valuable the breached information must be and the higher the gain for the attacker. Higher frequency for attacks may be correlated to high potential loss. As a result, it may be optimal for a potential victim to spend more on security development, such that the expected total cyber cost is minimized.

Unlike traditional insured risks where the losses emerge from random events, the majority of known cyber loss events are usually consequences of failure in IS defense against intentional attacks. The losses from these attacks are quite profound, for example, the theft and leakage of SONY’s internal data in 2014 caused an estimated USD 35 million loss. It is commonly believed that the company’s investment on security development plays a key role in reducing the possibility of such loss [10]. Xu and Hua [15] developed a framework to model and price cyber security risk. Due to the constantly evolving technologies of both the attackers and defenders, the attempt to estimate the likelihood and severity of a cyber loss becomes even more challenging. Another obstacle for cyber insurance is the lack of historical loss data attributed to cyber losses that can be used to estimate probabilities of loss and calculate loss values [16]. The data scarcity problem has been addressed by the industry and there have been many attempts to pool relevant data for analytical purposes. Romanosky [17] used a unique dataset of over 12,000 cyber incidents recorded over the years 2004 and 2015 in the USA and examined the costs and causes of cyber incidents. It later went on to discuss the amount of capital a firm should spend on IT security.

Alternatively, one can possibly obtain data other than insurance losses for the purpose of studying cyber risks. Organizations usually have many sources of information about attacks that may be incident upon their networks [18]. One important source is firewall logs. Most, if not all, corporate networks will run a firewall that limits the traffic in and out of the corporate intranet according to some set of rules. Firewalls also log the network activity that they see, particularly the network traffic that is being dropped. Security teams examine firewall logs to get an indication of what attacks are occurring. The log files may show particular IP addresses that are running scans or particular network ports that are being attacked. A network intrusion detection system may be able to monitor and record abnormalities observed for future analysis of attack rates. Alternatively, some research studies focused on analyzing the honeypot-captured cyberattacks to better understand the attack behaviours, for example, Spitzner [19], Almotairi et al. [20], and Zhan et al. [21].

#### 5. Conclusion and Future Research

In this paper, we assume the security level of a system is a quantifiable metric and apply the ruin theoretic framework in assessing the defense failure frequencies. We assume that the security level of a system changes over time due to attack and defense. The security level is then modeled by a modified surplus process: the current security level of an information system can be viewed as the initial surplus; defense investment resulting in an increase in the security level can be viewed as the premium income; the cyberattack arrivals are modeled as a Poisson process; and the impact of attacks is modeled as losses on the security level using an assumed loss distribution. A cyberattack succeeds (or the defense fails) when ruin occurs. In other words, we apply the risk process to model the frequency of the cyber failure. Once the defense failed, an independent financial loss amount is incurred depending on the nature of data being breached.

To our knowledge, this is the first attempt in the literature to apply the ruin theory on IT security investments and risk modeling. Instead of modeling cyber incidence directly, we assume that attacks can occur but unsuccessful if higher security level (strong defense) is in place. We also assume that the security level erodes even if unsuccessful attack happened. This is based on our assumption that the dark web (or cyber criminals) is capable of learning from their past attempts, which leads to a decrease in security level without active upgrading on the defense side. This paper is not meant to propose a new actuarial model for cyber risks, but instead using an actuarial ruin theory framework to gain insights about optimal allocation of cyber security budget.

One important insight derived from this theoretical framework is that there is an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer. This has an implication in insurance product design: insurers may consider offer a combination of IT risk management services and risk transfer. The IT risk management services can be jointly offered with or outsourced to IT security firms. The security level is modeled as a numerical level in this paper. In practice, one can develop extensive IT risk assessment framework to produce numeric ratings. However, this is beyond the scope of this paper. When modeling the security level, we used simple models for attack frequencies (Poisson arrivals) and severity (exponentially distributed), as well as the security construction rate (constant) which may be over simplifications of what the reality represents. However, our aim for this paper is to use a theoretical framework to derive insights on cyber security budgeting. A few possibilities to alter these assumptions for future research are listed as follows:(1)The attacks may be modeled as nonhomogeneous Poisson process. IT security level could potentially also influence the attack behaviour. The attack frequencies might be high for a period of time and low if several attempts were unsuccessful. Alternatively, one can consider using a dependent risk process model to reflect some actual dependencies between attack frequencies and severity, and such model has been studied in the studies of Peng and Wang [22] and Hu and Zhang [23]. On the other hand, some more complicated risk models can be used to model the cyber risk, such as Markov-modulated risk model, Levy risk model, and MAP risk model. Many references can be found in the studies of Asmussen and Albrecher [24], Li et al. [25], Li et al. [26], Zhang et al. [27], Cheung and Feng [28], Yu et al. [29], etc.(2)Instead of continuous observation of the process, the security officer may wish to adopt a periodic check-up strategy and place occasional boost-ups for the security level. This strategy can then be seen as a risk process that is periodically observed with some occasional capital injections (see Yu et al. [30] and Zhang et al. [31]).(3)We assumed that the surplus level returns to 0 immediately after breach. Further research may alter this assumption since it may require some time to clear the virus or repair the equipment.(4)Empirical calibration of model parameters using actual data.

#### Appendix

#### A. The Security Development Rate

For the purpose of applying the surplus process to model the cyber security level, we made a loosening on the assumption for . Under classical risk theory, it is typical to assume to ensure that ultimate ruin probability is not 1. Under our cyber risk model, it may be unrealistic to assume the same for the security construction rate. Unlike the premium rates that are mainly determined by insurers, the system engineers are usually restrained by available resources and technology and may not have as much control over . Also, it may be more appropriate to assume that given the same amount of investment, should be lower when is large and higher when is low. This is due to the constraints on existing technologies and the higher the is, the more difficult it is to strengthen it using existing methods. This will then correspond to a level-dependent risk process. Without newly developed technologies, ultimately as . Under this argument, the ruin probability will be 1 [24]. Some ruin theory discussions on surplus-dependent premiums can be found in Albrecher et al. [32]. Other relevant papers involving discussions on varying premiums may be found in Jasiulewicz [33], Li et al. [34], and Rong and Li [35]. However, most of these papers discussed ruin-related problem assuming . In this paper, we assume to be a function of the security investment but does not depend on the surplus level. As a result, the ultimate ruin probability is 1 for some values of .

#### B. Some Analytical Results

In this section, we derive some analytical results assuming that follows a Poisson process with parameter , and . It is a well-known result [36] that the Laplace transform of is found as follows:where is a root of the characteristic equation:

Note that the derivation was done under the assumption that , but equation (B.1) is not affected if we relax this assumption. This is because , and that the derivation of and does not depend on the condition that . Dickson and Li [37] showed that the defective/proper density of satisfies the following equation:where is the -fold convolution of . From Nie et al. [38], we havewhereis the generalized hypergeometric function and is Pochhammer’s symbol. Under the framework proposed in Section 2.2, we can derive the Laplace transform of as follows:

The defective/proper density function of is then

Note that for , and equation (B.7) becomes a proper density function. For , we have and that the conditional density function of becomes .

#### Data Availability

No real data were used in this manuscript.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

Jingchao Li acknowledges the support from the National Natural Science Foundation of China (project no. 11601344), Shenzhen Peacock Program (project no. 000417), and Natural Science Foundation of Guangdong Province (project no. 2020A1515010372).