How Hard Is Cyber-risk Management in IT/OT Systems? A Theory to Classify and Conquer Hardness of Insuring ICSs

R. Pal, Peihan Liu, Taoan Lu, Edward Y. Hua
Journal: ACM Transactions on Cyber-Physical Systems (TCPS), vol. 39, no. 1
DOI: 10.1145/3568399 (https://doi.org/10.1145/3568399)
Publication type: Journal Article
Publication date: 2022-10-18
Open access: no
Source platform: Semantic Scholar
Citations: 1

Abstract

Third-party residual cyber-risk management (RCRM) services (e.g., insurance, re-insurance) are getting increasingly popular (currently, a multi-billion-dollar annual market) with C-suites managing industrial control systems (ICSs) based upon IoT-driven cyber-physical IT and OT technology. Apart from mitigating and diversifying losses from (major) cyber-threats, RCRM services positively contribute to improved cyber-security as an added societal benefit. However, it is also well known that RCRM markets (RCRM for ICSs being a mere subset) are relatively nascent and sparse. There is a huge (approximately 10-fold) supply-demand gap in an environment where (a) annual cyber-losses range in trillions of USD, and (b) CRM markets (residual or otherwise) are annually worth only up to 0.25 trillion USD. The main reason for this wide gap is the age-old information asymmetry (IA) bottleneck between the demand and supply sides of the third-party RCRM market, which is significantly amplified in modern cyber-space settings. This setting primarily comprises interdependent and intra-networked ICSs (and/or traditional IT systems) from diverse application sectors inter-networked with each other in a service supply-chain environment. In this article, we are the first to prove that optimal cyber-risk diversification (integral to RCRM) under IA is computationally intractable, i.e., NP-hard, for such (systemic) inter-networked societies. Here, the term "optimal diversification" implies the best way a residual and profit-minded cyber-risk manager can form a portfolio of client coverage contracts. We follow this up with the design and analysis of a computational policy that alleviates this intractability challenge for the social good. Here, the social good can be ensured through denser RCRM markets that in principle improve cyber-security. Our work formally establishes (a) the reason why it has been very difficult in practice (without suitable policy intervention) to densify IA-affected RCRM markets despite their high demand in modern CPS/ICS/IoT societies; and (b) the efficacy of our computational policy to mitigate IA issues between the supply and demand sides of an RCRM market in such societies.