A Joint Optimization Approach to Security-as-a-Service Allocation and Cyber Insurance Management

Security-as-a-Service (SECaaS), pay-per-use cloud-based services that provides information security measures via the cloud, are increasingly used by corporations to maintain their systems' security posture. Customers often have to provision these SECaaS services based on the potential subscription costs incurred. However, these security services are unable to deal with all possible types of threats. A single threat (e.g. malicious insiders) can result in the loss of valuable data and revenue. Hence, it is also common to see corporations (i.e. cloud customers) manage their risks by purchasing cyber insurance to cover costs and liabilities due to unforeseen losses. A balance between service allocation cost and insurance is often required but not well studied. In this paper, we propose an optimized SECaaS provisioning framework that enables customers to optimally allocate security services from SECaaS providers to their applications, while managing risks from information security breaches via purchasing cyber insurance policies. Finding the right balance is a great challenge, and the solutions of the security service allocation and insurance management are obtained through solving an optimization model derived from stochastic programming with a three-stage recourse. Simulations were conducted to evaluate this optimization model. We exposed our model to several uncertain information parameters and the results are promising -- demonstrating an effective approach to balance customers' security requirements while keeping service subscription and insurance policy costs low.