The complexity of estimating systematic risk in networks

Benjamin Johnson; Aron Laszka; Jens Grossklags

doi:10.1109/CSF.2014.30

The complexity of estimating systematic risk in networks

Benjamin Johnson, Aron Laszka, Jens Grossklags

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Scopus citations

Abstract

This risk of catastrophe from an attack is a consequence of a network's structure formed by the connected individuals, businesses and computer systems. Understanding the likelihood of extreme events, or, more generally, the probability distribution of the number of compromised nodes is an essential requirement to provide risk-mitigation or cyber-insurance. However, previous network security research has not considered features of these distributions beyond their first central moments, while previous cyber-insurance research has not considered the effect of topologies on the supply side. We provide a mathematical basis for bridging this gap: we study the complexity of computing these loss-number distributions, both generally and for special cases of common real-world networks. In the case of scale-free networks, we demonstrate that expected loss alone cannot determine the riskiness of a network, and that this riskiness cannot be naively estimated from smaller samples, which highlights the lack/importance of topological data in security incident reporting.

Original language	English (US)
Title of host publication	Proceedings - 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014
Publisher	IEEE Computer Society
Pages	325-336
Number of pages	12
ISBN (Electronic)	9781479942909
DOIs	https://doi.org/10.1109/CSF.2014.30
State	Published - Nov 13 2014
Event	27th IEEE Computer Security Foundations Symposium, CSF 2014 - Vienna, Austria Duration: Jul 19 2014 → Jul 22 2014

Publication series

Name	Proceedings of the Computer Security Foundations Workshop
Volume	2014-January
ISSN (Print)	1063-6900

Other

Other	27th IEEE Computer Security Foundations Symposium, CSF 2014
Country/Territory	Austria
City	Vienna
Period	7/19/14 → 7/22/14

All Science Journal Classification (ASJC) codes

Software

Access to Document

10.1109/CSF.2014.30

Cite this

@inproceedings{5f01dce5c17b47538e9049f501bb0680,

title = "The complexity of estimating systematic risk in networks",

abstract = "This risk of catastrophe from an attack is a consequence of a network's structure formed by the connected individuals, businesses and computer systems. Understanding the likelihood of extreme events, or, more generally, the probability distribution of the number of compromised nodes is an essential requirement to provide risk-mitigation or cyber-insurance. However, previous network security research has not considered features of these distributions beyond their first central moments, while previous cyber-insurance research has not considered the effect of topologies on the supply side. We provide a mathematical basis for bridging this gap: we study the complexity of computing these loss-number distributions, both generally and for special cases of common real-world networks. In the case of scale-free networks, we demonstrate that expected loss alone cannot determine the riskiness of a network, and that this riskiness cannot be naively estimated from smaller samples, which highlights the lack/importance of topological data in security incident reporting.",

author = "Benjamin Johnson and Aron Laszka and Jens Grossklags",

note = "Publisher Copyright: {\textcopyright} 2014 IEEE.; 27th IEEE Computer Security Foundations Symposium, CSF 2014 ; Conference date: 19-07-2014 Through 22-07-2014",

year = "2014",

month = nov,

day = "13",

doi = "10.1109/CSF.2014.30",

language = "English (US)",

series = "Proceedings of the Computer Security Foundations Workshop",

publisher = "IEEE Computer Society",

pages = "325--336",

booktitle = "Proceedings - 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014",

address = "United States",

}

Johnson, B, Laszka, A & Grossklags, J 2014, The complexity of estimating systematic risk in networks. in Proceedings - 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014., 6957120, Proceedings of the Computer Security Foundations Workshop, vol. 2014-January, IEEE Computer Society, pp. 325-336, 27th IEEE Computer Security Foundations Symposium, CSF 2014, Vienna, Austria, 7/19/14. https://doi.org/10.1109/CSF.2014.30

The complexity of estimating systematic risk in networks. / Johnson, Benjamin; Laszka, Aron; Grossklags, Jens.
Proceedings - 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014. IEEE Computer Society, 2014. p. 325-336 6957120 (Proceedings of the Computer Security Foundations Workshop; Vol. 2014-January).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - The complexity of estimating systematic risk in networks

AU - Johnson, Benjamin

AU - Laszka, Aron

AU - Grossklags, Jens

PY - 2014/11/13

Y1 - 2014/11/13

N2 - This risk of catastrophe from an attack is a consequence of a network's structure formed by the connected individuals, businesses and computer systems. Understanding the likelihood of extreme events, or, more generally, the probability distribution of the number of compromised nodes is an essential requirement to provide risk-mitigation or cyber-insurance. However, previous network security research has not considered features of these distributions beyond their first central moments, while previous cyber-insurance research has not considered the effect of topologies on the supply side. We provide a mathematical basis for bridging this gap: we study the complexity of computing these loss-number distributions, both generally and for special cases of common real-world networks. In the case of scale-free networks, we demonstrate that expected loss alone cannot determine the riskiness of a network, and that this riskiness cannot be naively estimated from smaller samples, which highlights the lack/importance of topological data in security incident reporting.

AB - This risk of catastrophe from an attack is a consequence of a network's structure formed by the connected individuals, businesses and computer systems. Understanding the likelihood of extreme events, or, more generally, the probability distribution of the number of compromised nodes is an essential requirement to provide risk-mitigation or cyber-insurance. However, previous network security research has not considered features of these distributions beyond their first central moments, while previous cyber-insurance research has not considered the effect of topologies on the supply side. We provide a mathematical basis for bridging this gap: we study the complexity of computing these loss-number distributions, both generally and for special cases of common real-world networks. In the case of scale-free networks, we demonstrate that expected loss alone cannot determine the riskiness of a network, and that this riskiness cannot be naively estimated from smaller samples, which highlights the lack/importance of topological data in security incident reporting.

UR - http://www.scopus.com/inward/record.url?scp=84939614161&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84939614161&partnerID=8YFLogxK

U2 - 10.1109/CSF.2014.30

DO - 10.1109/CSF.2014.30

M3 - Conference contribution

AN - SCOPUS:84939614161

T3 - Proceedings of the Computer Security Foundations Workshop

SP - 325

EP - 336

BT - Proceedings - 2014 IEEE 27th Computer Security Foundations Symposium, CSF 2014

PB - IEEE Computer Society

T2 - 27th IEEE Computer Security Foundations Symposium, CSF 2014

Y2 - 19 July 2014 through 22 July 2014

ER -

The complexity of estimating systematic risk in networks

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this