Arunabha Mukhopadhyay

Cyber-risk decision models

Security breaches adversely impact profit margins, market capitalization and brand image of an organization. Global organizations resort to the use of technological devices to reduce the frequency of a security breach. To minimize the impact of financial losses from security breaches, we advocate the use of cyber-insurance products. This paper proposes models to help firms decide on the utility of cyber-insurance products and to what extent they can use them. In this paper, we propose a Copula-aided Bayesian Belief Network (CBBN) for cyber-vulnerability assessment (C-VA), and expected loss computation. Taking these as an input and using the concepts of collective risk modeling theory, we also compute the premium that a cyber risk insurer can charge to indemnify cyber losses. Further, to assist cyber risk insurers and to effectively design products, we propose a utility based preferential pricing (UBPP) model. UBPP takes into account risk profiles and wealth of the prospective insured firm before proposing the premium. Display Omitted Proposed Cyber risk insurance products to minimize the impact of financial loss of security breach.Cyber risk insurance products complement security technology.Our proposed Copula aided Bayesian Belief networks model helps to asses cyber risk.Collective risk & Utility Theory used to computes premium for Cyber risk insurance products.Cyber risks mode for to decide to opt for cyber insurance or not for organizations.

e-Risk Management with Insurance: A Framework Using Copula Aided Bayesian Belief Networks

e-business organizations are heavily dependent on distributed 24X7 robust information computing systems, for their daily operations. To secure distributed online transactions, they spend millions of dollars on firewalls, anti-virus, intrusion detection systems, digital signature and encryption. Nonetheless, a new virus or a clever hacker can easily compromise these deterrents, resulting in losses to the tune of millions of dollars annually. To cope up with the problem, in this work we propose to further enhance their security management by investing in e-risk insurance products as a viable alternative to reduce these individual financial losses. We develop a framework, based on copula aided Bayesian Belief Network (BBN) model, to quantify the risk associated with online business transactions, arising out of a security breach, and thereby help in designing e-insurance products. We have simulated marginal data for each BBN nodes. The Copula model helps in arriving at the joint probability distributions from these marginal data. From the joint distribution data, we arrive at the conditional distribution tables for each node. This is input to the Bayesian Belief Network model. The output is frequency of occurrence of an e-risk event. Frequency of loss multiplied with the expected loss amount, provides the risk premium to be charged by insurance companies.

Stock Market Response to Information Security Breach: A Study Using Firm and Attack Characteristics

Abstract The recent global surge in information security breaches emphasizes the importance of their impact determination for proper risk assessment. In this paper we used event study to compute the cumulative abnormal response (CAR) of the stock market to publicly announced breaches on a sample of Indian and US firms. We also used linear regression and moderation analysis to identify the factors that affect CAR individually and in combination with each other. From regression analysis, firm type, firm size and Damage Potency of the attack emerged as factors that individually impacted CAR. Further, moderation analysis revealed that Denial of Service attacks on e-commerce companies and information theft attacks on BFSI companies generated significantly negative CAR. We also observed that if a subsidiary company is breached, then the parents stock market performance is not significantly negatively impacted. However, if a vendor suffers a breach, then the client is significantly negatively affected in the stock market.

i-HOPE Framework for Predicting Cyber Breaches: A Logit Approach

In light of the recent surge in cyber security breaches globally, Information Security Management Systems (ISMS) for organizations is of utmost importance. In this paper, we used the CSI-FBI survey questionnaires from 1997 to 2010 and ISO/IEC27001 standard to propose an i-HOPE framework to predict the likelihood of a cyber breach. Generalized Linear Model i.e. Logit approach and CSI-FBI questionnaire data was used to compute and validate our proposed model. Using our i-HOPE framework we conclude that (i) specific security technologies (Firewalls, IDSs, Biometrics, firewalls), can deter only specific types of attacks (ii) reporting of cyber breaches to law enforcing bodies does not deter cyber attacks (iii) increase in percentage of (a) IT budget allocated to security and (b) outsourcing of IT security function decreases the likelihood of an attack.

National-Level Determinants of Global Music Piracy and Online Music Sales: An Exploratory Study

Piracy adversely affects online music sales. This article aims to investigate the factors that affect global music piracy directly and electronic business indirectly. These factors can be grouped into three categories: economic, legal/regulatory, and technological. On analyzing data from 68 countries, a country’s economic status and regulatory status emerge as the primary factors affecting music piracy. Technology indirectly affects music piracy by acting as a mediator between a nation’s economic status and the music piracy rate. Hence, a nation can reduce its music piracy rate and enhance e-business by devising stricter laws to safeguard intellectual property, punishing violations of information and communication technology related laws more strictly, allowing more free trade with other countries, inspiring attitudinal changes about inappropriate copying behavior through awareness campaigns, and encouraging increased and secure broadband usage.

E-Risk Management through Self Insurance: An Option Model

E-business organizations are under constant threat of their business being disrupted by hackers, viruses and a host of malicious attackers. This would lead to loses to the tune of millions. To ensure self-protection, they spend millions of dollars on firewalls, anti-virus, intrusion detection systems, digital signature and encryption. Nonetheless, a new virus or a clever hacker can easily compromise these deterrents. Organizations should resort to self e-risk insurance as a supplementary mechanism to reduce these individual financial losses. In this paper we propose two option modes for self- e-risk insurance, for hedging e-risk. The first is an exchange traded model, comprising of a long asset, long put and short call. The second is an over the counter model using a long call

Insuring Big Losses Due to Security Breaches through Insurance: A Business Model

Security breaches deter e-commerce activities. Organizations spend millions of dollars on security appliances to make online transactions more secure. Nonetheless, a new virus or a clever hacker can easily compromise these deterrents and cause losses of millions of dollars annually. To reduce the impact of such losses, e-risk insurance is a viable complement to the security devices. Currently, e-risk insurance is in its developmental stage and small claim coverage is only available. In this paper, we provide a framework, for insurance companies to duly accept large e-risk. Splitting a large risk across layers reduces the overall variance of the loss. Also in case of a contingency the loss indemnification is shared. The inputs to the proposed model are the risk transfer proportion, overloading for premium, expected return on capital and undistributed risk at each layer. The model outputs the optimal number of layers in which the risk needs to be spilt by the insurance company and the interlayer relationships

Attitude towards technology development: a cross-cultural study of India and the USA

Cultural, social influences are considered to be a major determinant of the growth of information technology (IT) and national technological infrastructure. In this article, a generic unique model is designed to capture the influences of individual-level beliefs/factors in determining citizens attitude towards technology development. Through structural equation model (SEM) analysis, an empirical test is conducted on the model using World Value Survey (WVS) data. It is found that the set of factors influencing technology development attitude is not the same for developing nations such as India and a developed nation such as the USA, although both are democracies. For example, religious values play a role in technology development attitude in India but not in the USA. In general, across developing and developed nations, for technology/IT development and associated change management, an individuals positive attitude towards democratic values and conformity toward national institutions can help.

Can IT Improve Cardiac Treatment Quality?: A Quantitative Study of Interaction between Technology and External Factors

The scope of healthcare information systems (HIS) is immense. It can not only help in providing easy access to data and taking decisions, but also ensure following standard procedures and improve quality. Prior literature have discussed on technology impact while controlling for the organizational and economic factors. However, there is a dearth of research on the effect of their interaction with technology. Moreover, overall technology impact misses the depth of application-level impact. Our work discusses the application-level impact and also empirically shows the effect of its interaction with other external factors. Our finding for 2010 show that use of HIS in nursing activities was significant in improving care quality. Disease-specific applications also have a positive effect under the influence of organizational factors. In 2013, per-capita income has significant effect on the impact of technology. Moreover our results show a considerable increase in the significance of technology and the interplay between technology and external factors in 2013 from that in 2010. Thus, our work motivates researchers to explore factors influencing the effect of technology. It directs managers to prioritize their investment on applications based on their impact on healthcare quality.

G-RAM framework for software risk assessment and mitigation strategies in organisations

Malicious attackers frequently breach information systems by exploiting disclosed software vulnerabilities. Knowledge of these vulnerabilities over time is essential to decide the use of software products by organisations. The purpose of this paper is to propose a novel G-RAM framework for business organisations to assess and mitigate risks arising out of software vulnerabilities.,The G-RAM risk assessment module uses GARCH to model vulnerability growth. Using 16-year data across 1999-2016 from the National Vulnerability Database, the authors estimate the model parameters and validate the prediction accuracy. Next, the G-RAM risk mitigation module designs optimal software portfolio using Markowitz’s mean-variance optimisation for a given IT budget and preference.,Based on an empirical analysis, this study establishes that vulnerability follows a non-linear, time-dependent, heteroskedastic growth pattern. Further, efficient software combinations are proposed that optimise correlated risk. The study also reports the empirical evidence of a shift in efficient frontier of software configurations with time.,Existing assumption of independent and identically distributed residuals after vulnerability function fitting is incorrect. This study applies GARCH technique to measure volatility clustering and mean reversal. The risk (or volatility) represented by the instantaneous variance is dependent on the immediately previous one, as well as on the unconditional variance of the entire vulnerability growth process.,The volatility-based estimation of vulnerability growth is a risk assessment mechanism. Next, the portfolio analysis acts as a risk mitigation activity. Results from this study can decide patch management cycle needed for each software – individual or group patching. G-RAM also ranks them into a 2×2 risk-return matrix to ensure that the correlated risk is diversified. Finally the paper helps the business firms to decide what to purchase and what to avoid.,Contrary to the existing techniques which either analyse with statistical distributions or linear econometric methods, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. The paper also links software risk assessment to IT governance and strategic business objectives. To the authors’ knowledge, this is the first study in IT security to examine and forecast volatility, and further design risk-optimal software portfolios.