Keywords

1 Introduction

One of the biggest challenges organisations face is the protection of their valuable assets against cyber attacks. Symantec report [1] reveals that more than 7.1 billion identities had been exposed due to data breaches within the last eight years. Although most organisations believe in their security, around 30% of them are breached in reality (according to the annual Cisco report (2017)[2]). Thus, there is always a residual risk which cannot be eliminated with technical means.

The residual risk could be either accepted or insured, i.e., transferred to another party (so-called insurer) in return for a premium, a fee an organisation (called insured) pays to an insurer in return for risk coverage. Since cyber insurance was introduced, the market has been growing [3,4,5], although slower than predicted because of a number of challenges this young market faces.

Availability of cyber insurance market makes organisations to decide whether to buy cyber insurance or invest in self-protection. Some researchers adapted models from general insurance for analysis of various properties of cyber insurance market and security levels of organisations and society, in general. In particular, many authors tried to answer whether cyber insurance is an incentive for security investments or it is not [6, 10, 11, 13, 15]. However, some of these authors [11, 13, 15] consider a continuous investment model (any investment in self-protection reduces the probability of an incident). On the other hand, an organisation invests in self-protection by implementing various countermeasures, i.e., discretely. Other researchers, i.e., [6, 12], use an oversimplified discrete model of security investment, which simply assigns low or high level of security depending on whether investments exceed some threshold. Such model is not realistic either, as it does not allow improving security (i.e., reducing the probability of attack) if the threshold is not crossed. Moreover, both these models do not explain how the probability of attack could be computed and do not provide a way to establish the link with the available countermeasures for installation. Thus, these models cannot help to decide how to improve their cyber security.

In this paper, we provide an approach for optimal distribution of investments between cyber insurance and self-protection. The key difference of our approach with others is the discrete model of cyber security investments, explicitly taking into account the contribution of the security controls which are or can be implemented. Such an approach will help organisations to make the decisions on which countermeasures to install, keeping in mind that the rest of residual risk will be covered by cyber insurance. We consider a competitive cyber insurance market where insurers are non-profitable and assume a generic utility function without either information asymmetry or security interdependence.

The remainder of the paper unfolds as follows. In Sect. 2, we provide the basic formalisation to clarify the problem statement. We further analyse the problem and propose our solution in Sect. 3. Section 4 contains an example of application of our solution. We follow with a literature review (5) and then draw our conclusion (6).

2 Problem Specification

Consider an organisation which would like to devise the most efficient strategy for security investments, combining risk mitigation and risk transfer. Risk mitigation requires specification of additional security controls for self-protection and cyber insurance needs the decision on the amount of insurance coverage (indemnity) to be bought. The goal of this paper is to combine these options efficiently.

Table 1. Notations adopted in this work
Full size table

Let W be some amount of wealth an agent expects to possess after some period of time, assuming that initial wealth is \( W^0 \) (see Table 1). Let TR be a set of size \(n_{t}\) (\(n_{t}\in \mathbb {N^+}\)) of all possible threats. Let \(pr^{q}(x)\in [0;1]\) be the probability of a threat \(tr_{q}\in TR\) occurrence if the organisation invests x in self-protection. Naturally, we expect this probability to decrease with increase of investments (\(\forall x_1<x_2~(pr^{q}(x_{1})\ge pr^{q}(x_{2})\)). Let \(\bar{pr}(x)=\langle pr^{1}(x),pr^{2}(x),...,pr^{n_{t}}(x) \rangle \) be a vector of such probabilities for all threats. In the future, we always use a bar for vectors. All vectors in our paper are of size \(n_{t}\). We also use superscripts for denoting a member of a vector, e.g., \(pr^{q}(x)\), and subscripts for a more precise specification of a variable. We also use two vector operations in the paper. Hadamard product of two vectors \(\bar{a}\) and \(\bar{b}\), denoted as \(\bar{a}\cdot \bar{b}\), is a vector \(\bar{c}=\langle a^{1}*b^{1},a^{2}*b^{2},...,a^{n_{t}}*b^{n_{t}}\rangle \). We also use the same symbol \(\cdot \) for a multiplication of a vector by a scalar. Usual matrix multiplication of two vectors \(\bar{a}\) and \(\bar{b}\) is denoted as \(\bar{a}\times \bar{b}\) and is a scalar value equal to \(\sum _{q=1}^{n_t}a^{q}*b^{q}\).

Let \(\bar{F}=\langle F^{1},F^{1},...,F^{n_{t}} \rangle \) be a vector of an expected amount of breaches for some period if no countermeasures are installed. Then, with investment x, the expected amount of breaches is a vector: \(\bar{F}\cdot \bar{pr}(x)\); and, if we know a single loss expectancy for every single threat occurrence \(\bar{L}=\langle L^{1},L^{1},...,L^{n_{t}} \rangle \), we are able to compute the overall expected loss for the considered period, i.e., risk:

$$\begin{aligned} risk(x) = (\bar{F}\cdot \bar{pr}(x))\times \bar{L}. \end{aligned}$$
(1)

Since the organisation is allowed to buy insurance, it pays a premium P in order to cover some part of its losses in case of an incident (called indemnity \(\bar{I}\), \(\forall q,~I^{q}\le L^{q}\)). In this paper, we use a simple cyber insurance market model [6, 13, 16], called competitive market, which demands the premium to be equal to the expected losses of the insurer (as the market has so many insurers that no one is able to propose a better contract): \(P(x)=(\bar{F}\cdot \bar{pr}(x))\times \bar{I}\).

In the current literature on cyber insurance, e.g., [13], \(pr^{q}(x)\) is simply assumed to exist and does not define how the required security level could be reached. In practice, organisations spend their money in portions buying new controls or implementing security practices. Let K be a set of available countermeasures and \(K_{i}\subseteq K\) be a subset of these countermeasures which the organisation decides to apply. \(K_{i}\) is to be determined by the available amount of self-investments x (See Sect. 3.2), and we re-write \(pr^{q}(x)\) as \(pr^{q}(K_{i}|x)\) to explicitly indicate the dependency of the probability of survival on \(K_{i}\).

Finally, similar to other economic models [4, 13, 16, 23], we reason with the utility of possessing certain amount of wealth U(W), rather than with the wealth W itself. The utility function is assumed to be continuous, non-decreasing, concave, and twice differential (i.e., \(U'(W)>0\) and \(U''(W)<0\)). Let \(\bar{z}=\langle z^{1},z^{2},...,z^{n_{t}}\rangle \) be a random vector of numbers of threat occurrences (one per threat) and \(pr(\bar{z}|K_{i},x)\) be the probability that the company will face \(\bar{z}\) incidents in the considered period of time under the condition that investments in self-protection are x and implemented countermeasures are \(K_{i}\). Also, \(\bar{F}\cdot \bar{pr}(K_{i}|x)=\sum _{\forall \bar{z}}pr(\bar{z}|K_{i},x)\cdot \bar{z}\). The expected wealth is the amount left after subtraction from the initial wealth the premium, the self-investment, and the loss:

$$\begin{aligned}&W(\bar{z},x,\bar{I}, K_{i})=W^0-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-x-\bar{z}\times (\bar{L}-\bar{I}), \end{aligned}$$
(2)
$$\begin{aligned}&U(\bar{z},x,\bar{I}, K_{i})=U(W^0-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-x+\bar{z}\times (\bar{L}-\bar{I})).\\&where~ \bar{I}-\bar{L}=\langle I^{1}-L^{1},I^{2}-L^{2},...,I^{n_{t}}-L^{n_{t}}\rangle . \nonumber \end{aligned}$$
(3)

Finally, the expected utility is equal to:

$$\begin{aligned} E[U]&=\sum _{\forall \bar{z}}pr(\bar{z}|K_{i},x)U(W^0-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-x+\bar{z}\times (\bar{I}-\bar{L})), \end{aligned}$$
(4)

The goal of the organisation, is to maximise E[U] by selecting x, \(\bar{I}\) and \(K_{i}\).

$$\begin{aligned}&\max \limits _{x, \bar{I}, K_{i}}~\sum _{\forall \bar{z}}pr(\bar{z}|K_{i},x)U(W^0-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-x+\bar{z}\times (\bar{I}-\bar{L})). \end{aligned}$$
(5)

3 Utility Maximisation

3.1 Indemnity

Consider Eq. 4 and apply Jensen’s inequality for a concave function (for any concave function \(\phi (t)\) \(E[\phi (t)]\le \phi (E[t])\)):

$$\begin{aligned}&\sum _{\forall \bar{z}}pr(\bar{z}|K_{i},x)U(W^0-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-x+\bar{z}\times (\bar{I}-\bar{L})) \le \\&U(\sum _{\forall \bar{z}}pr(\bar{z}|K_{i},x)\left[ W^0-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-x+\bar{z}\times (\bar{I}-\bar{L})\right] ) = \\&U(\left[ \sum _{\forall \bar{z}} pr(\bar{z}|K_{i},x)\right] (W^0-x)-\left[ \sum _{\forall \bar{z}} pr(\bar{z}|K_{i},x)\right] \left[ (\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}\right] + \\&\left[ \sum _{\forall \bar{z}} pr(\bar{z}|K_{i},x)\cdot \bar{z}\right] \times \bar{I}-\left[ \sum _{\forall \bar{z}} pr(\bar{z}|K_{i},x)\cdot \bar{z}\right] \times \bar{L}). \end{aligned}$$

Since \(\sum _{\forall \bar{z}} pr(\bar{z}|K_{i},x)=1\) and \(\bar{F}\cdot \bar{pr}(K_{i}|x)=\sum _{\forall \bar{z}}pr(\bar{z}|K_{i},x)\cdot \bar{z}\), we get:

$$\begin{aligned}&U(W^0-x -\left[ (\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}\right] + (\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{I}-(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{L})= \\&U(W^0-x -(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{L}). \end{aligned}$$

The last part (\(U(W^0-x -(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{L})\)) is the expected utility if \(\bar{I}=\bar{L}\). In other words, Eq. 4 is maximal if \(\bar{I}=\bar{L}\).

3.2 Security Controls

As \(\bar{I}=\bar{L}\), our maximisation problem (Eq. 5) could be reduced to:

$$\begin{aligned} \max \limits _{x, K_{i}}U(W^0-x -(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{L}). \end{aligned}$$
(6)

Since the utility function is non-decreasing, we need to maximise its argument, or simply minimise the following part (called as expenditure in the sequel):

$$\begin{aligned} \min \limits _{x, K_{i}} (x +(\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{L}). \end{aligned}$$
(7)

Since, \(K_{i}\) affects only \((\bar{F}\cdot \bar{pr}(K_{i}|x))\times \bar{L}\) and U() is concave, in order to maximise U() we need to select \(K_{i}\) in such a way to minimise this component and we have to ensure that we do this with investments less or equal to x.

Let \( \pi ^{q}(k) \in [0;1]\) be the probability that a threat q passes through (survives) countermeasure \( k \in K_{i} \); countermeasure k completely eliminates threat q if \(\pi ^{q}(k) = 0\), and is entirely powerless against the threat if \( \pi ^{q}(k) = 1 \). Let \(\bar{\pi }(k)\) be a vector of all probabilities of survival if countermeasure k is installed, then the overall probability of survival can be computed asFootnote 1:

$$\begin{aligned} \bar{\pi }({K_{i}}) = \prod _{\forall k\in K_{i}} \bar{\pi }(k), \end{aligned}$$
(8)

where \(\prod _{\forall k\in K_{i}}\) stands for the Hadamard product.

Every countermeasure has its cost, denoted as function c and is assumed to provide a finite non-negative integer value \(c:K\mapsto \mathbb {N}^{+}\). Naturally, the cost of installed countermeasures \(K_{i}\subseteq K\) (\(c({K_{i}})\)) can be computed as:

$$\begin{aligned} c({K_{i}}) = \sum _{\forall k\in K_{i}} c(k). \end{aligned}$$
(9)

Now, we are able to connect \(\bar{\pi }({K_{i}}|x)\) and \(\bar{pr}(x)\). The most efficient money distribution (minimal expenditure) is if \(K_{i}\) minimises the premium:

$$\begin{aligned} \min \limits _{\forall K_{i}\subset K} (\bar{F}\cdot \left[ \prod _{\forall k\in K_{i}} \bar{\pi }(k)\right] )\times \bar{L}~~~and~~~ \sum _{\forall k\in K_{i}} c(k) \le x . \end{aligned}$$
(10)

The sub-problem of finding the optimal set of countermeasures \(K_{i}^{*}\), for which we say that \(\bar{\pi }({K^{*}_{i}}|x)=\bar{pr}(x)\) reminds 0–1 multi-objective Knapsack problem [7], but instead of summing of values per objectives, we multiply them, and, thus, look for the minimal overall value.

3.3 Security Investments

Finally, we may return to the main problem, i.e., how to find the right amount of investments in self-protection. From Eq. 7 investments must be as low as possible, but they also must be high enough to keep the insurance premium low. Moreover, the solution for Eq. 7 depends on solving the 0–1 multi-objective knapsack problem Eq. 10.

We propose a solution that is based on the dynamic programming algorithm for solving 0–1 multi-objective knapsack problem [7]. We assume that the cost of countermeasures could be seen as positive integer values (or, can be seen as \(\forall k\in K~(c(k)=C*m_{k})\), where C and \(m_{k}\) are positive natural values, and C is the greatest common divisor for countermeasures’ costs). Let all elements of K be enumerated with \(j=1,...,n_{K}\) (where \(n_{K}\) is the size of K). For every amount of investments x we consider (accept or reject) the first j countermeasures. For those accepted \(K_{i}\), we compute the overall probability of threat’s survival \(\bar{pr}(K_{i}|x)\) (see Eq. 8). The overall probability of survival for every \(K_{i}\) is stored in a corresponding cell T[j][x] of an auxiliary matrix T.

Since for our problem we cannot store only the optimal value at every intermediate step (as it is done for a simple 0–1 knapsack problem), we remember (in a matrix cell T[j][x]) all non-dominant probability vectors, i.e., vectors which potentially could lead to the optimal solution. In the most simple case, we may see selection of non-dominant vectors as those which cannot be rejected using the Pareto optimality criteria (i.e., \(\forall \bar{t_{1}},\bar{t_{2}} \in T[j][x]~(\exists q~(t_{1}^{q}>t_{2}^{q}))\)). As it was shown by Bazgan et al. [7] other dominance relations could be applied to speed up the algorithm. Since, this is not crucial for our paper, we refer the interesting reader to the original paper of the authors for a more detailed discussion on the non-dominant relations, which can be applied to our problem.

In short, the core part of the solution for 0–1 multi-objective knapsack problem could be seen as the following recursive algorithm:

  1. 1.

    \( T[0][x] = 1 \);

  2. 2.

    \( T[j][x] = T[j - 1][x] \) if \( c(k_j) > x \) (the new item is more expensive than the current cost limit);

  3. 3.

    \(\left. \begin{array}{r} T_{add}= \bigcup \limits _{\forall \bar{t} \in T[j-1][ x-c(k_j)]}\bar{t}\cdot \bar{\pi }(k_j)\\ T[j][x] = non-dominant(T[j-1][x] \cup T_{add}) \end{array} \right\} \) if \(c(k_j) \le x\).

Naturally, every last cell in a column \(T[n_{k}][x]\) returns the overall probability of survival for x investments and all \(n_{k}\) countermeasures taken into account. It is required only to find the \(K_{i}\) which causes the minimal total expenditure, using the vectors from \(T[n_{k}][x]\) as \(\bar{pr}(K_{i}|x)\) and applying Eq. 7.

To get the final solution for optimal investments \(x^{*}\), i.e., \(T[n_{K}][x^*]\), we need to know \(x^*\). It is important to note that the core part of the recursive algorithm does not require the knowledge of maximal investments in order to count values for any intermediate x. In other words, we may start the algorithm with \(x=0\) and continue as much as we need or until we find our solution (also extending matrix T for new x to check). Now, our goal is to find the way to minimise the amount of required iterations and ensure that the solution to Equation 7 will be found.

Let \(P^{*}(x)\) be the optimal insurance premium if x amount of money invested in self-protection. According to Eq. 10:

$$\begin{aligned} P^{*}(x)=\min \limits _{\forall \bar{t} \in T[n_{t}][x]} ( (\bar{F}\cdot \bar{t})\times \bar{L}). \end{aligned}$$
(11)

Then, we can simplify Eq. 7 as:

$$\begin{aligned} \min \limits _{\forall x}(P^{*}(x) + x). \end{aligned}$$
(12)

Consider some amount of investments \(x_{r}\in [0,W^0]\) to be evaluated at step \(r\in [0;W^0/C]\). We are interested only in the following future steps p:

$$\begin{aligned}&x_{r} +P^{*}(x_{r})>x_{r+p} +P^{*}(x_{r+p});\end{aligned}$$
(13)
$$\begin{aligned}&x_{r+p}<P^{*}(x_{r})+x_{r} - P^{*}_{min}; \end{aligned}$$
(14)
$$\begin{aligned}&P^{*}_{min}=(\bar{F}\cdot \left[ \prod _{\forall k\in K} \bar{\pi }(k)\right] )\times \bar{L}. \end{aligned}$$
(15)

Out of these two relations we can derive the following observations. First, Eq. 13 shows that we should select the optimal value by iterating sequential comparison of the current best value (i.e., up to step r) with the next ones (\(p>0\)). Equation 14 tells us the maximal steps we should look forward, since no more efficient total expenditure is possible for the steps higher than this limit. Finally, we also may find the first limit, which is: \(x^{limit}_{0}=P^{*}(0)-P^{*}_{min}\), where \(P^{*}_{min}\) is the minimal possible premium/risk, computed with all possible countermeasures \(K_{i}=K\) installed.

It is also important to note, that once we find a better x, we can re-set the limit, since it will be less than the previous one. This observation can be easily proved as follows. Let \(x_{r}\) be the previous best value (i.e., for all \(r+p-1\) steps) and \(x_{r+p}\) be even better than \(x_{r}\), i.e.,:

$$\begin{aligned} P^{*}(x_{r}) + x_{r}>P^{*}(x_{r+p}) + x_{r+p}. \end{aligned}$$
(16)

The limits defined at steps r and step \(r+p\) are \(x^{limit}_{r}\) and \(x^{limit}_{r+p}\) consequently:

$$\begin{aligned} P^{*}(x_{r}) + x_{r}- P^{*}_{min}=x^{limit}_{r}~;~~ P^{*}(x_{r+p}) + x_{r+p}- P^{*}_{min}=x^{limit}_{r+p}. \end{aligned}$$
(17)

We conclude that \(x^{limit}_{r}>x^{limit}_{r+p}\).

3.4 Algorithm for Computation of Optimal Self-investments

Now, we are able to define an algorithm for finding the optimal amount of investments \(x^*\), which is based on the dynamic programming approach for solving 0–1 multi-objective knapsack problem. Although, we use the core part of the well-known algorithm, we adapt it to our task: instead of receiving the limit for investments as an input, our algorithm should return it as an output, ensuring that it is the most optimal amount of investment.

figure a

In the Algorithm 1, we demonstrate the core part of our solution which: (a) finds the optimal investments in self-protection \(x^*\); (b) ensures the lowest expenditure (\((\bar{F}\cdot \bar{pr}(K_{i}^{*}|x^{*}))\times \bar{L}+x^{*}\)).

We start with all initial variables and functions provided. Moreover, we assume that the company has already some countermeasures \(K_{init}\) installed, spending already \(x_{init}\) amount of money and getting the initial overall probability of survival equal to \(\bar{pr}_{init}\). Note that it is not important if the initial countermeasures \(K_{init}\) are efficient or they are not, but these controls should not be considered in the further analysis: \(K_{init}\cap K = \emptyset \).

Lines 9–14 initialise the values for further processing. First, we store the initial expenditure and find the minimal premium \(P_{min}\). We also initialise the auxiliary table of probabilities T with the initial column for additional investments \(x=0\) (the first column) and with all cells initialised as \(\{\bar{pr}_{init}\}\) (Line 12). There is no need to compute values for \(x=0\) as no countermeasures could cost less than or equal to 0, i.e., \(\forall j (c(k_j)>x=0)\); so, we start with \(x=C\), where C is some fixed greatest common divisor for the cost of all controls.

We are going to increase gradually the investments unless we reach the limit set by parameter \(exp-P_{min}\), as Eq. 14 states (line 15). For all countermeasures (line 17), we select all non-dominating overall survival probability vectors by comparing two sets: (1) a set of previously selected controls with \(k_{j}\) (\(\bigcup \limits _{\forall l} \bar{\pi }(k_j) \cdot T[j-1][x-c(k_j)][l]\)), (2) and the best selection of controls without \(k_{j}\) (\(T[j-1][x]\))(line 19). We should note here that both compared sets contain non-dominant vectors (as ensured at the previous steps), but two vectors from different sets could be dominating and dominated.

Since we use a modified knapsack problem, we multiply values when adding new countermeasure to the selected set, rather than summing values as the classical knapsack problem does. Note that we must respect the additional self-investments x, so the contribution of the considered countermeasure \(k_j\) is added to overall probability of survival computed for self-investment limit \(x-c(k_j)\). Naturally, if the cost of the countermeasure \(k_j\) (\(c(k_j)\)) is higher than the additional self-investments x (line 18), we simply take the previously selected set of countermeasures and the corresponding overall probability of survival is \(T[j-1][x]\) (line 21).

When all countermeasures are considered for the current self-investments x, we use Eq. 13 to check if the newly computed overall amount of expenditure is lower than the previous one (line 25). Here we would like to remind that a cell of matrix T contains a set of vectors, i.e., we should evaluate all of them (\(T[n_{k}][x]\)). If the best current expenditure is lower than the previous optimal one, we set the current value as a new lowest expenditure and as the new limit (line 26) for further computations (according to the condition in Eq. 14), plus we remember the current self-investments x as optimal \(x^*\) (line 27).

Algorithm 1 stops when further increase of the self-investments x becomes so inefficient that it exceeds overall best-so-far expenditure exp (line 15), i.e., the current optimal total expenditure for both insurance (\(P^{*}(x^{*})\)) and self-investment (\(x^*\)). As a result, the algorithm returns the optimal self-investment limit \(x^*\) and the optimal total expenditure. With a slightly modified standard backward algorithm it is also possible to find the most efficient set of countermeasures \(K^{*}_{i}\).

4 Case Study

As a case study, we consider an organisation with initial wealth \( W^0 = 100000 \) which decides how to distribute the available funds to reduce cyber risks. First, five main threats are identified, as well as their average frequency (\(\bar{F}\)) and single loss expectancy (\(\bar{L} = \langle 3000, 1800, 2800, 4000, 3800\rangle \)). So far, only the basic cyber security countermeasures are implemented (with the total initial investments (\(x_{init}=200\)) and initial probabilities of survival \(\bar{pr}_{init}\)) but an analyst has identified eight additional countermeasures which can be installed (\(|K|=n_{k}=8\)), their relative costs (\(c(k_{1}) = 480;~c(k_{2}) = 240;~c(k_{3}) = 120;~c(k_{4}) = 80;~c(k_{5}) = 200;~c(k_{6}) = 120;~c(k_{7}) = 280;~c(k_{8}) = 200\)) and the probabilities of survival (\(\bar{\pi }\) function). All input vectors are defined in Table 2.

Table 2. Input vectors
Full size table

If we apply our approach based on the dynamic programming proposed in Sect. 3.4, we start with initial expenditure exp equal to 5986. This expenditure will be our first limit for searching the optimal investment level. Naturally, \( \bar{pr}(K_{i}|x)) \) equals to vector \(\bar{pr}_{init}\) in the beginning. The minimal premium is equal to \(P^{*}_{min}=136\). Table 3 contains the result for the first 21 rounds of the algorithm. In the first round, our expenditure increases by the investment increment \(C=40\) since there are no countermeasures of the cost below the current investment level \(x=40\). After the first two rounds of investment (\(x=2*C=80\)), we find a possible solution, if countermeasure \(k_{4}\) (with \(c(k_{4})=80\)) is selected (overall expenditure exp becomes 4188, which is lower than previous limit 5986). Thus, we raise the current optimal value of \(X^{*}\) to 80. The next increment of x (\(x=120\)) increases the expenditure up to 4228 and we see that there is no more efficient countermeasure set than previous choice \(\{k_{4}\}\). As we continue the analysis, we see that, although, in general, the overall expenditure falls, in some cases (e.g., for \(x=80\), \(x=320\) or \(x=560\)), it raises. Thus, it is obvious, that our problem may have local minimums, but the algorithm easily overcomes them and continues up to the global minimum. The intermediate results of our algorithm, with several local and one global minimums, are displayed in Fig. 1. The global minimum (optimal self-protection investments) is found at \(x^{*}=760\), with \(exp=1642\) and the set of selected countermeasures \(\{k_2,k_3,k_4,k_6,k_8\}\). After finding the optimal value, our algorithm continues up to \(x=1642 - 200 - 136 = 1306\). Although some values of investment have got close to the optimal value (e.g., for \(x=960\) and \(x=1040\)), non of them becomes a new optimum and the algorithm stops (red vertical line in Fig. 1). Note that initially we planned to check the self-investment values up to 5986, but eventually stopped at \(x=1280\), preventing the unnecessary computational resource usage.

Table 3. Selection of best countermeasures within security investment
Full size table
Fig. 1.
figure 1

(Exp) expenditure for security self-investments x

Full size image

5 Related Work

Cyber insurance is a young market which slowly matures facing a number of challenges [4, 5, 22]. Some of these challenges (e.g., lack of data, definition of contractual language, specification of standards for cyber insurance underwriting process) are of practical nature and mostly require insurers to gain more experience in the field. On the other hand, such challenges as correlated risks, interdependent security and information asymmetry require careful theoretical analysis in order to help the market to flourish and the society to benefit from it.

One of the central problems considered by several researchers is proving that availability of insurance incentivises agents to invest more in self-protection [6, 8, 13, 15]. Many well-known cyber security researchers believed that this is true [9, 10, 24], but a thorough mathematical analysis has proved that sometimes agents may simply decide to insure the future losses rather than increase their protection [13, 16], especially if interdependent security and information asymmetry take place [8, 11, 13, 15]. Thus, researchers considered various regulatory mechanisms which can ensure high enough investments in self-protection and acceptable cyber insurance contracts: fines and rebates [8, 12], liability coverage [13], non-competitive market [14]. For performing these analysis, the researchers applied two types of models for modelling the relation between investments and the probability of attack: (1) a continuous model, decreasing the probability with any investment [8, 13, 15]; and (2) a simplistic discrete model, allowing two levels for the probability (high and low), depending on whether investments exceed a threshold or they do not [6, 12]. In contrast to these papers, we propose a more realistic model which increases protection only when enough investments for installation of the next countermeasures are available and allows as many of such increases as required. We have shown how the probability of survival (or a probability of attack) could be computed using a set of available countermeasures, and how the investments could be distributed between the self-investment and cyber insurance. One may argue that the continuous model is just an approximation of the reality, which skips the low-level details for the sake of simplicity of the more complex analysis. This may well be true, but then our approach could be seen as the link between the low level details and high level model, as well as the instrument for proving that such approximation is valid.

The problem of selecting the right set of countermeasures for cyber security is not new. For example, Sawik [18] conceptualises the selection of countermeasures based on their efficiency of blocking threats and cost of countermeasures. For doing this, he applies single- or bi-objective mixed integer program and conditional value-at-risk approach. The variety of knapsack problems [20] and their solutions are natural choices for being applied in optimisation of cyber security. For example, Smeraldi et al. [17] introduced a framework which combines combinatorial optimisation with classical Knapsack Problem in order to spend security investment optimally. Fielder et al. [19] investigated both game theoretic and Knapsack approaches for efficient security investment in Small and Medium Enterprises (SMEs). Krautsevich et al. [21] applied the 0–1 knapsack problem to selection of the most secure web-service. In contrast to these papers, we considered the problem of minimisation of the probability of survival, adapting the problem to the 0–1 multi-objective knapsack problem. But, it is more important to note that were looking for the optimal specification of the investment limit, which is the input to classical knapsack problems. In short, we did not simply applied the knapsack problem to our scenario, but have solved a different problem (i.e., defining the optimal investment in self-protection and insurance) using the solution of the knapsack problem only as its integral part.

6 Conclusion

In this paper, we have proposed a viable solution for maximising the utility of an organisation by finding an efficient distribution of investments in self-protection and cyber insurance. In contrast to the exiting models used for the definition of such distribution, we applied a discrete model of self-investments which allows selecting concrete countermeasures that efficiently protect the organisation and reduce the insurance premium. For selection of countermeasures we applied a solution based on the 0–1 multi-objective knapsack problem, but our solution goes beyond this well-known problem and looks for efficient investments (which is a prerequisite for the knapsack problems). The algorithm developed on the theoretical background ensures that only the minimal amount of evaluation cycles are executed.

Not only does our model provide a more practical approach for investment distribution and helps to select the concrete countermeasures to install, but it is also able to conduct the analysis of the planned configuration which is not 100% efficient from security point of view. Such configuration could be enforced by the global enterprise rules, Service Level Agreements or by the law (e.g., GDPR). Although the enforced configuration may be not the most efficient, it still reduces the probability of threat survival and cannot be ignored in the analysis (especially, because it has its own cost).

So far, this paper mostly focuses on the modelling of investments. In contrast to other models, we did not analyse how discrete investments affect the incentive of insureds to invest in self-protection with and without insurance. We also did not include security interdependence and information asymmetry problems into our model. These future steps are required in order to make more precise (and practical) predictions about cyber insurance market behaviour.