Optimal security conﬁguration for cyber insurance (cid:63)

. Losses due to cyber security incidents could be very signiﬁ-cant for organisations. This fact forces managers to consider cyber security risks at the highest management level. Cyber risks are usually either mitigated by technical means (countermeasures) or transferred to another party (i.e., insured). Both options require signiﬁcant investments and organisations face the problem of optimal distribution of cyber security budget between these risk treatment options. In this paper, we propose an approach for optimal distribution of investments between self-protection and cyber insurance. The key diﬀerence of our paper with respect to others in the ﬁeld is that our model helps to identify the required security controls, rather than implicitly assuming a relation between security investments, security conﬁguration and expected probability of attack. Our approach exploits a discrete model of investment in self-protection, which is more challenging for analysis but is more realistic and convenient for application. Also, our model considers several threats and allows threats to occur more than once.


Introduction
One of the biggest challenges organisations face is protection of their valuable assets against cyber attacks. Symantec report [1] reveals that more than 7.1 billion identities had been exposed due to data breaches within the last 8 years. Although most organisations believe in their security, around 30% of them are breached in reality (according to the annual Cisco report (2017)[2]). Thus, there is always residual risk which cannot be eliminated with technical means.
The residual risk could be either accepted or insured, i.e., transferred to another party (so-called, insurer) in return for a premium, a fee an organisation (called, insured) pays to an insurer in return for risk coverage. Since cyber insurance was introduced, the market has been growing [4,3,5], although slower than predicted because of a number of challenges this young market faces.
Availability of cyber insurance market makes organisations to decide whether to buy cyber insurance or invest more in self-protection. Various researchers adapted models from general insurance for analysis of various properties of cyber insurance market and security levels of organisations and society, in general. In particular, many authors tried to answer whether cyber insurance is an incentive for security investments or it is not [6,14,16,12,11]. However, some of these authors [14,16,12] consider a continuous investment model (any investments in self-protection reduces the probability of an incident). On the other hand, an organisation invests in self-protection by implementing various countermeasures, i.e., discretely 3 . Other researchers, i.e., [6,13], use an oversimplified discrete model of security investment, which simply assigns low or high level of security depending on whether investments exceed some threshold. Such model is not realistic either, as it does not allow improving security (i.e., reducing the probability of attack) if the threshold is not crossed. Moreover, both these models do not explain how the probability of attack could be computed and do not provide a way to establish the link with the countermeasures available for installation. Thus, these models cannot help the organisations to decide how to improve their cyber security.
In this paper, we provide an approach for optimal distribution of investments between cyber insurance and self-protection. The key difference of our approach with others is in the discrete model of cyber security investments, explicitly taking into account the contribution of the security controls which are or can be implemented. Such an approach will help the organisations to make the decisions on which countermeasures to install, keeping in mind that the rest of residual risk will be covered by cyber insurance. We consider a competitive cyber insurance market where insurers are non-profitable and assume a generic utility function without either information asymmetry or security interdependence.
The remainder of the paper is unfolded as follows. In Section 2, we provide the basic formalisation to clarify the problem statement. We further analyse the problem and propose our solution in Section 3. Section 4 contains an example of application of our solution. Related Work (5) and Conclusion (6) conclude our paper.

Problem Specification
Consider an organisation which would like to devise the most efficient strategy for security investments against potential risks by combining risk mitigation and risk transfer. Risk mitigation requires specification of additional security controls for self-protection and cyber insurance option needs the decision on the amount of insurance coverage (indemnity) to be bought.
The goal of this paper is to combine these options efficiently without considering risk acceptance or risk avoidance options. Therefore, we do not consider self-insurance for residual risks [7] (one way to manage risk acceptance) and simply ensure that our benefits are higher than losses (taking such a simplistic approach for risk avoidance).
Let W be the amount of wealth an agent expects to possess after some period of time, and W 0 be the initial wealth of an agent. Let also x be the amount of investments the organisation is going to put in its self-protection. This is the value we would like to set with our method. Let T be a set of threats relevant for the considered organisation. Let |T | be a standard operation returning the number of set members n t ∈ N + ∪ 0: |T | = n t .
Let pr q (x) ∈ [0; 1] be the probability of a threat t q ∈ T succeed to occur if the company invests x in self-protection. Naturally, we expect this probability to decrease with increase of investments (∀x 1 < x2 (pr q (x 1 ) ≥ pr q (x 2 )). Letpr(x) = pr 1 (x), pr 2 (x), ..., pr nt (x) be a vector of such probabilities for all threats. In the future, we always use a bar for vectors. All vectors in our paper are of size |T | = n t . We also use superscripts for denoting a member of a vector, e.g., pr q (x), and subscripts for a more precise specification of a variable. We also use two vector operations in the paper. Hadamard product of two vectors a andb, denoted asā ·b, is a vectorc = a 1 * b 1 , a 2 * b 2 , ..., a nt * b nt . We also use the same symbol · for a multiplication of a vector by a scalar. Usual matrix multiplication of two vectorsā andb is denoted asā ×b and is a scalar value equal to nt q=1 a q * b q . LetF = F 1 , F 1 , ..., F nt be a vector of expected amount of breaches for some period if no countermeasures are installed. Then, with investment x, the expected amount of breaches is a vector:F ·pr(x); and, if we know a single loss expectancy for every single threat occurrenceL = L 1 , L 1 , ..., L nt , we are able to compute the overall expected loss for the considered period, i.e., risk: Since the organisation is allowed to buy insurance, it pays a premium P in order to cover some part of its losses in case of an incident (called indemnityĪ, ∀q, I q ≤ L q ). In this paper, we use a simple cyber insurance market model [14,6,17], called competitive market, which demands the premium to be equal to the expected losses of the insurer: P (x) = (F ·pr(x)) ×Ī.
In the current literature on cyber insurance, e.g., [14], pr q (x) is simply assumed to exist and does not define how the required security level could be reached. In practice, organisations spend their money in portions buying new controls or implementing security practices. Let K be a set of available countermeasures and K i ⊆ K be a subset of these countermeasures which the organisation decides to apply. K i is to be determined by the available amount of self-investments x (See Section 3.2), and we re-write pr q (x) as pr q (K i |x) to explicitly indicate the dependency of the probability of survival on K i .
Finally, similar to other economic models [24,17,4,14], we reason with the utility of possessing certain amount of wealth U (W ), rather than with the wealth W itself. The utility function is assumed to be continuous, non-decreasing, concave, and twice differential (i.e., U (W ) > 0 and U (W ) < 0). Letz = z 1 , z 2 , ..., z nt be a random vector of numbers of threat occurrences (one per threat) and pr(z||K i , x) be the probability that the company will facez incidents in the considered period of time under the condition that investments in selfprotection are x and implemented countermeasures are K i . Also,F ·pr(K i |x) = ∀z pr(z|K i , x) ·z. Then, the utility (U (z, x, I, K i )) in such case is equal to: (2) Finally, the expected utility is equal to: The goal of the organisation, is to maximise 3 Utility maximisation

Indemnity
Consider Equation 3 and apply Jensen's inequality for a concave function (for any concave function In other words, Equation 3 is maximal ifĪ =L.

Security controls
AsĪ =L, the our maximisation problem (Equation 4) could be rewritten as: Since the utility function is non-decreasing, we need to maximise its argument, or simply minimise the following part (called as expenditure in the sequel): Since, K i affects onlyF ·pr(K i |x)) ×L and U () is concave, in order to maximise U () we need to select K i in such a way to minimise this component and we have to ensure that we do this with investments less or equal to x. Let π q (k) ∈ [0; 1] be the probability that a threat q passes through (survives) the countermeasure k ∈ K i ; countermeasure k completely eliminates threat q if π q (k) = 0, and is entirely powerless against the threat if π q (k) = 1. Letπ(k) be a vector of all probabilities of survival if the countermeasure k is installed. If several countermeasures K i are installed, the overall probability of survival can be computed as 4 :p where ∀k∈Ki stands for the Hadamard product. Every countermeasure has its cost, denoted as function c and is assumed to provide a finite non-negative integer value c : K → N + . Naturally, the cost of a subset of countermeasures K ⊆ K (c(K )) can be computed as: Now, we are able to connectpr(K i |x) andpr(x). The most efficient money distribution (minimal U ()) is if K i minimises the premium: The sub-problem of finding the optimal set of countermeasures (K * i , for which we say thatpr(K * i |x) =pr(x)) reminds 0-1 multi-objective Knapsack problem [8], but instead of summing of values per objectives, we multiply them, and, thus, look for the minimal overall value 5 .

Security investments
Finally, we may return to the main problem, i.e., how to find the right amount of investments in self-protection. From Equation 6 investments must be as low as possible, but they also must be high enough to keep the insurance premium low. Moreover, the solution for Equation 6 depends on solving the 0-1 multi-objective knapsack problem Equation 9.
We propose a solution that is based on the dynamic programming algorithm for solving 0-1 multi-objective knapsack problem [8]. We assume that the cost of countermeasures could be seen as positive integer values (or, can be seen as ∀k ∈ K (c(k) = C * m k ), where C and m k are positive natural values, and C is the greatest common divisor for countermeasures' costs). Let all elements of K be enumerated with j = 1, ..., n K (where n K is the size of K). For every amount of investments x we consider (accept or reject) the first j countermeasures. For those accepted K i , we compute the overall probability of threat's survivalpr(K i |x) (see Equation 7). The overall probabilities of survival for every K i is stored in a corresponding cell T [j][x] of an auxiliary matrix T .
Since for our problem we cannot store only the optimal value at every intermediate step (as it is done for a simple 0-1 knapsack problem), we remember (in a matrix cell T [j][x]) all non-dominant probability vectors, i.e., vectors which potentially could lead to the optimal solution. In the most simple case, we may see selection of non-dominant vectors as those which cannot be rejected using the Pareto optimality criteria (i.e., ∀t 1 ,t 2 ∈ T [j][x] (∃q (t q 1 > t q 2 ))). As it was shown by Bazgan et. al, [8] other dominance relations could be applied to speed up the algorithm. Since, this is not crucial for our paper, we refer the interesting reader to the original paper of the authors for a more detailed discussion on the non-dominant relations, which can be applied to our problem.
In short, the core part of the solution for 0-1 multi-objective knapsack problem could be seen as the following recursive algorithm: Naturally, every last cell in a column T [n k ][x] returns the overall probability of survival for x investments and all n k countermeasures taken into account. It is required only to find the K i which causes the minimal total expenditure, using the vectors from T [n k ][x] aspr(K i |x) and applying Equation 6.
To get the final solution for optimal investments x * , i.e., T [n K ][x * ], we need to know x * . It is important to note that the core part of the recursive algorithm does not require the knowledge of maximal investments in order to count values for any intermediate x.
In other words, we may start the algorithm with x = 0 and continue as much as we need or until we find our solution (also extending matrix T for new x to check). Now, our goal is to find the way to minimise the amount of required iterations and ensure that the solution to Equation 6 will be found.
Let P * (x) be the optimal insurance premium if x amount of money invested in self-protection. According to Equation 9: Then, we can simplify Equation 6 as: Consider some amount of investments x r ∈ [0, W 0 ] to be evaluated at step r ∈ [0; W 0 /C]. We are interested only in the following future steps p: x r+p < P * (x r ) + x r − P * min ; Out of these two relations we can derive the following observations. First, Equation 12 shows that we should select the optimal value by iterating sequential comparison of the current best value (i.e., up to step r) with the next ones (p > 0). Equation 13 tells us the maximal steps we should look forward, since no more efficient total expenditure is possible for the steps higher than this limit. Finally, we also may find the first limit, which is: x limit 0 = P * (0) − P * min , where P * min is the minimal possible premium/risk, computed with all possible countermeasures K i = K installed.
It is also important to note, that once we find a better x, we can re-set the limit, since it will be less than the previous one. This observation can be easily proved as follows. Let x r be the previous best value (i.e., for all r + p − 1 steps) and x r+p be even better than x r , i.e.,: The limits defined at steps r and step r + p are x limit r and x limit r+p consequently: We conclude that x limit r > x limit r+p .

Algorithm for computation of optimal self-investments
Now, we are able to define an algorithm for finding the optimal amount of investments x * , which is based on the dynamic programming approach for solving 0-1 multi-objective knapsack problem. Although, we use the core part of the Algorithm 1 Selecting the best set of countermeasures 1: procedure searchForOptimalInvesments(K, c, π,F ,L, xinit, prinit, C) Require: K -a set of countermeasures 2: c : K → N -cost function 3: π : K → 2 [0;1] -survival probability per threat function 4:F -frequency vector of R + values 5:L -single loss expectency vector of N + values 6: xinit ∈ N -initial investments 7:pr init -initial overall probability of survival vector of values from [0; 1] 8: C ∈ N the greatest common divisor for countermeasure cost Ensure: lowest (F ·pr(Ki|x)) ×L + x for optimal security investment x * 9: exp ⇐ (F ·pr init ) ×L + xinit Remember the initial expenditure as optimal 10: P * min =F · ∀k∈Kπ (k) ) ×L 11: x * ⇐ 0 Optimal Investment starts with xinit 12: ∀j T [j][0] ⇐ {pr init } a dynamic matrix of optimal probabilities. Add new (and the first) column x = xinit, with just one vectorpr init 13: x ⇐ C 14: nt if (c(kj) ≤ x ) then check the cost limit 19: T x * ⇐ x Remember these investments as optimal 28: end if 29: end for 30: x ⇐ x + C 31: end while 32: return [exp, x * ] 33: end procedure well-known algorithm, we adapt it to our task: instead of receiving the limit for investments as an input, our algorithm should return it as an output, ensuring that it is the most optimal amount of investment.
In the Algorithm 1, we demonstrate the core part of our solution which: a) finds the optimal investments in self-protection x * ; b) ensures the lowest expenditure ((F ·pr(K i |x)) ×L + x).
We start with all initial variables and functions provided. Moreover, we assume that the company has already some countermeasures K init installed, spending already x init amount of money and getting the initial overall probability of survival equal topr init . Note that it is not important if the initial countermeasures K init are efficient or they are not, but these controls should not be considered in the further analysis: Lines 9-14 initialise the values for further processing. First, we store the initial expenditure and find the minimal premium P min . We also initialise the auxiliary table of probabilities T with the initial column for additional investments x = 0 (the first column) and with all cells initialised as {pr init } (Line 12). There is no need to compute values for x = 0 as no countermeasures could cost less than or equal to 0, i.e., ∀j(c(k j ) > x = 0); so, we start with x = C, where C is some fixed greatest common divisor for the cost of all controls.
We are going to increase gradually the investments unless we reach the limit set by parameter exp − P min , as Equation 13 states (line 17). For all countermeasures, we select all non-dominating overall survival probability vectors by comparing two sets: 1) a set of previously selected controls with k j ( and 2) and the best selection of controls without 19). We should note here that both compared sets contain non-dominant vectors (as ensured at the previous steps), but two vectors from different sets could be dominating and dominated.
Since we use a modified knapsack problem, we multiply values when adding new countermeasure to the selected set, rather than summing values as the classical knapsack problem does. Note that we must respect the additional selfinvestments x, so the contribution of the considered countermeasure k j is added to overall probability of survival computed for self-investment limit x−c[j]. Naturally, if the cost of the countermeasure k j (c(k j )) is higher than the additional self-investments x, we simply take the previously selected set of countermeasures and the corresponding overall probability of survival is When all countermeasures are considered for the current self-investments x, we use Equation 12 to check if the newly computed overall amount of expenditure is lower than the previous one (line 25). Here we would like to remind that a cell of matrix T contains a set of vectors, i.e., we should evaluate all of them (T [n k ][x]). If the best current expenditure is lower than the previous optimal one, we set the current value as a new lowest expenditure and as the new limit (line 26) for further computations (according to the condition in Equation 13), plus we remember the current self-investments x as optimal x * (line 27).
Algorithm 1 stops when further increase of the self-investments x becomes so inefficient that it exceeds overall best-so-far expenditure exp (line 17), i.e., the current optimal total expenditure for both insurance (P * (x * )) and selfinvestment (x * ). As a result, the algorithm returns the optimal self-investment limit x * and the optimal total expenditure. With a slightly modified standard backward algorithm it is also possible to find the most efficient set of countermeasures K * i .

Case study
As a case study, we consider an organisation with initial wealth W 0 = 100000 which decides how to distribute the available funds to reduce cyber risks. First, five main threats are identified, as well as their average frequency (F ) and single loss expectancy (L = 3000, 1800, 2800, 4000, 3800 ). So far, only the basic cyber security countermeasures are implemented (with the total initial investments (x init = 200) and initial probabilities of survivalpr init ) but an analyst has identified eight additional countermeasures which can be installed (|K| = n k = 8), their relative costs (c(k 1 ) = 480; c(k 2 ) = 240; c(k 3 ) = 120; c(k 4 ) = 80; c(k 5 ) = 200; c(k 6 ) = 120; c(k 7 ) = 280; c(k 8 ) = 200) and the probabilities of survival (π function). All input vectors are defined in Table 1.  Table 1.

Input vectors
If we apply our approach based on the dynamic programming proposed in Section 3.4, we start with initial expenditure exp equal to 5986. This expenditure will be our first limit for searching the optimal investment level. Naturally, pr(K i |x)) equals to vectorpr init in the beginning. The minimal premium is equal to P * min = 136. Table 2 contains the result for the first 21 rounds of the algorithm. In the first round, our expenditure increases by the investment increment  Table 2. Selection of best countermeasures within security investment C = 40 since there are not countermeasures of the cost below the current investment level x = 40. After the first two rounds of investment (x = 2 * C = 80), we find a possible solution, if countermeasure k 4 (with c(k 4 ) = 80) is selected (overall expenditure exp becomes 4188, which is lower than previous limit 5986). Thus, we raise the current optimal value of X * to 80. The next increment of x  Figure 1). Note that initially we planned to check the self-investment values up to 5986, but eventually stopped at x = 1280, preventing the unnecessary computational resource usage.

Related work
Cyber insurance is a young market which slowly matures facing a number of challenges [5,23,4]. Some of these challenges (e.g., lack of data, definition of contractual language, specification of standards for cyber insurance underwriting process) are of practical nature and mostly require insurers to gain more experience in the field. On the other hand, such challenges as correlated risks, interdependent security and information asymmetry require careful theoretical analysis in order to help the market to flourish and the society to benefit from it.
One of the central problems considered by several researchers is proving that availability of insurance incentivises agents to invest more in self-protection [6,9,14,16]. Many well-known cyber security researchers believed that this is true [25,10,11], but a thorough mathematical analysis has proved that sometimes agents may simply decide to insure the future losses rather than increase their protection [14,17], especially if interdependent security and information asymmetry take place [9,14,16,12]. Thus, researchers considered various regulatory mechanisms which can ensure high enough investments in self-protection and acceptable cyber insurance contracts: fines and rebates [9,13], liability coverage [14], non-competitive market [15]. For performing these analysis the researchers applied two types of models for modelling the relation between investments and the probability of attack: 1) a continuous model decreasing the probability with any investment [9,14,16]; and 2) a simplistic discrete model allowing two levels for the probability (high and low), depending on whether investments exceed a threshold or they do not [6,13]. In contrast to these papers, we propose a more realistic model which increases protection only when enough investments for installation of the next countermeasures are available and allows as many of such increases as required. We have shown how the probability of survival (or a probability of attack) could be computed using a set of available countermeasures, and how the investments could be distributed between the self-investment and cyber insurance. One may argue, that the continuous model is just an approximation of the reality, which skips the low-level details for the sake of simplicity of the more complex analysis. This may well be true, but then our approach could be seen as the link between the low level details and high level model, as well as the instrument for proving that such approximation is valid.
The problem of selecting the right set of countermeasures for cyber security is not new. For example, T. Sawik [19] conceptualises the selection of countermeasures based on their efficiency of blocking threats and cost of countermeasures. For doing this, he applies single-or bi-objective mixed integer program and conditional value-at-risk approach. The variety of knapsack problems [21] and their solutions are natural choices for being applied in optimisation of cyber security. For example, F. Smeraldi et. al., [18] introduced a framework which combines combinatorial optimisation with classical Knapsack Problem in order to spend security investment optimally. A. Fielder et. al., [20] investigated both game theoretic and Knapsack approaches for efficient security investment in Small and Medium Enterprises (SMEs). L. Krautsevich et. al., [22] applied the 0-1 knapsack problem to selection of the most secure web-service. In contrast to these papers, we considered the problem of minimisation of the probability of survival, adapting the problem to the 0-1 multi-objective knapsack problem. But, it is more important to note that were looking for the optimal specification of the investment limit, which is the input to classical knapsack problems. In short, we did not simply applied the knapsack problem to our scenario, but have solved a different problem (i.e., defining the optimal investment in self-protection and insurance) using the solution of the knapsack problem only as its integral part.

Conclusion
In this paper, we have proposed a viable solution for maximising the utility of an organisation by efficient distribution of investments in self-protection and cyber insurance. In contrast to the exiting models used for the definition of such distribution, we applied a discrete model of self-investments which allows selection of concrete countermeasures that efficiently protect the organisation and reduce the insurance premium. For selection of countermeasures we applied a solution based on the 0-1 multi-objective knapsack problem, but our solution goes beyond this well-known problem and looks for efficient investments (which is a prerequisite for the knapsack problems). The algorithm developed on the theoretical background ensures that only the minimal amount of evaluation cycles are executed.
Not only does our model provide a more practical approach for investment distribution and helps to select the concrete countermeasures to install, but it is also able to conduct the analysis of the planned configuration which is not 100% efficient from security point of view. Such configuration could be enforced by the global enterprise rules, Service Level Agreements or by the governmental law (e.g., GDPA). Although the enforced configuration may be not the most efficient, it still reduces the probability of threat survival and cannot be ignored in the analysis (especially, because it has its own cost).
So far, this paper mostly focuses on the modelling of investments. In contrast to other models, we did not analyse how discrete investments affect the incentive of insureds to invest in self-protection with and without insurance. We also did not include security interdependence and information asymmetry problems into our model. These future steps are required in order to make more precise (and practical) predictions about cyber insurance market behaviour.