UNIVERSITY PARK, Pa. — From big box retailers like Target to online businesses like Zappos, recent history has illustrated that major companies are susceptible to data security breaches. Many of those breaches result from vulnerabilities in software products, prompting companies of various sizes to purchase cyber-insurance to minimize the fallout from cyber-incidents and to engage in improved overall risk management practices. Researchers at Penn State and University of California (UC) Berkeley are now proposing a paradigm shift for cyber-insurance in which insurance providers would take a proactive role in improving software security.
“There is too little movement to make software security better,” said Jens Grossklags, an assistant professor at Penn State’s College of Information Sciences and Technology (IST). “We propose a pathway that no one else has considered.”
Grossklags and his colleague, Aron Laszka, a postdoctoral researcher at UC Berkeley, explain their approach in the article, “Should Cyber-Insurance Providers Invest in Software Security?” They presented the paper at the 20th European Symposium on Research in Computer Security, which was held in September in Vienna, Austria.
Last week, their research was also awarded a special merit at the Science of Risk Prize by Lloyd’s, a specialist insurance market, to highlight its potentially great value to the insurance industry. The prize offers an opportunity for researchers to translate original work for a business audience. For insurers, the prize generates insights into some of the most challenging risk management problems they encounter.
Companies worldwide lose an estimated $1 trillion per year due to cyber-attacks and data losses, according to an article in Bloomberg BNA. Many of those incidents are due to vulnerabilities in software systems, said Grossklags and Laszka, since the quality of software has a major impact on the security of most parts of an organization’s information systems. Moreover, popular software products influence the security of many organizations at the same time, leading to non-diversifiable risk. Consequently, a single type of attack — such as one triggered by a specific malware — could wreak major havoc on multiple companies.
Security breaches were brought out into the open in 2003, Grossklags said, when the first security breach notification law became effective. According to the National Conference of State Legislatures, 47 states have now enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information. These mandates for notifications have also motivated companies to seek outside help for cyber-security incidents and their mitigation.
To mitigate cybersecurity threats, the researchers said, some organizations have taken steps to improve the security of software that is critical to their operations. For example, several large companies are now running software and web vulnerability rewards programs to limit the risks related to their own businesses. However, they added, those efforts cannot fully address the diverse array of security risks encountered in practice. As an alternative, companies may wish to purchase cyber-insurance to transfer risks related to the consequences of potentially insecure software.
However, according to Grossklags and Laszka, cyber-insurance needs to be able to address two main classes of risks: diversifiable and non-diversifiable. Diversifiable risk is more individual in nature, Grossklags said, and arises from vulnerabilities that pertain to a particular company. For example, the possibility of insider attacks, hardware failures, weak passwords and human mistakes all contribute to the diversifiable risk of a company. In contrast, non-diversifiable risks are often associated with popular software products among a cyber-insurer’s client base. Since cyber-attacks arising from flaws in widely used software can affect many companies at the same time, the researchers said, insurance companies face much broader risks and potentially more extreme payouts from non-diversifiable risks than diversifiable risks.
So far, insurance providers may incentivize companies to invest in security by offering premium reductions, Grossklags said, but such security investments typically focus on diversifiable risks. Grossklags and Laszka propose a paradigm change for insurance in which the insurer, rather than asking companies to individually invest in security in exchange for lower premiums, directs the surplus from the resulting higher premiums into making widely used software products more secure. Measures facilitated by the insurer could include targeted direct investments in software companies, vulnerability reward programs which benefit the software used by its customers, and the hiring of external developer teams for popular open-source software.
The insurance industry holds significant market power and is therefore in a prime position to influence the software industry, the researchers said. Since the insurance companies write policies for businesses, they have access to privileged information and are also among the first to be contacted by clients that are affected by cyber-attacks. Government agencies, on the other hand, according to Laszka, are in a weaker position since they would first have to convince businesses to disclose security-relevant data.
Grossklags and Laszka said they plan to explore the viability of their approach in competitive insurance markets when multiple insurers have to make decisions about which software products to improve. They also plan to combine their theoretical results with actual data on security incidents and software vulnerabilities.
“The main benefit of this research is to demonstrate this actually makes sense,” Grossklags said. “It’s a win-win for everyone involved.”