Role of Incentives, Liabilities, and Cyber Insurance

There is no denying the fact that the huge interconnectivity of devices on the Internet raises many security issues for organisations and online businesses. Weak defence mechanisms, fragile cryptographic protocols, and loose access control policies are not the only reasons; the lack of economic aspects, i.e., incentives and liabilities, in technical solutions is also responsible for security breaches. This lack of economic aspects forces organisations to invest in defence methods in such a way that the marginal cost is almost equal to the marginal benefit. Therefore, this chapter illuminates the importance of incentives and liabilities in any Distributed Denial of Service (DDoS) defensive mechanism. Further, we also highlight cyber insurance and its conceptualisation in the risk assessment process.

Economic Factors for Cybersecurity

Cybersecurity and Internet management is an inherently strenuous process because of the huge interconnectivity and dependencies of devices, and also because of the lack of micro-economics in any defensive solution [1,2]. A rational approach for raising incentives for Internet security can be achieved by assessing vulnerabilities, the likelihood of their successful exploitation, and the cost of addressing these vulnerabilities. An organisation always has the overhead of justifying its security cost within its security investment, which cannot be handled without understanding the concept of incentivisation. Researchers believe that security failure is caused more often by bad incentives than by bad design [3]. It is a matter of fact that economic solutions have always been ignored by researchers dealing with DDoS attacks [4-6]. The simple reason behind this is: "Generally, parties defending against threats and attacks are not the suffering parties, while suffering parties are not the defending parties." This is why, despite having so many good technical solutions like cooperative caching and cooperative filtering, we cannot implement them in real time [7, 8]. Therefore, the generation of incentives is not the only matter of concern; the generation of incentives at the right place in the network and by the right party is also important. An incentive is defined as the motivation inducing a certain behaviour or action of a user that leaves a positive externality or payoff on other users. Payoff is the final outcome of a cost-benefit analysis [9]. Utility functions help in analysing cost-benefit trade-offs and hence are used to represent the preferences of participating agents. This trade-off analysis therefore ranks the outcomes of the different choices available to a user. If the payoff is positive, the user ends up with an incentive for a particular action. If it is negative, the user is penalised, which is a disincentive. Properly formulated incentives lead to optimal choices for users; otherwise users have to settle for sub-optimal choices [10]. Consider an example where a gateway shields a network from various cyberattacks. Due to the action of the gateway router, the end user and the content provider have the maximum benefit. In the case of an attack, the gateway router is hardly compensated for any loss by the end user or the content provider. In this example, we do not mean that the end user or the content provider should transfer money directly to the gateway router [11]. In fact, we need to set the incentive chain right among the different heterogeneous Internet entities.
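The gateway example above can be put in payoff terms. The following is an added illustration, not the chapter's own model: it uses constructed numbers (attack probability, losses, filter cost, filter effectiveness are all assumed) and shows that filtering can be worth doing overall while still leaving the gateway with a negative payoff, and how a proportional cost-sharing rule turns that disincentive into an incentive for every party.

```python
"""Expected-payoff model of the gateway/end-user/content-provider example.
All numbers below are constructed for illustration, not taken from the book."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    attack_probability: float    # likelihood of a DDoS attack in the period
    loss_end_user: float         # end user's loss if an attack succeeds
    loss_provider: float         # content provider's loss if an attack succeeds
    filter_cost: float           # gateway's cost of running DDoS filtering
    filter_effectiveness: float  # fraction of attack loss the filter prevents


def avoided_loss(s):
    """Expected loss each beneficiary avoids when the gateway filters."""
    f = s.attack_probability * s.filter_effectiveness
    return {"end_user": f * s.loss_end_user, "provider": f * s.loss_provider}


def incentive(s, transfers=None):
    """Payoff change per party if the gateway filters rather than not.
    `transfers` = what end user / provider pay the gateway for protection.
    Positive = incentive to support filtering; negative = disincentive."""
    transfers = transfers or {"end_user": 0.0, "provider": 0.0}
    benefit = avoided_loss(s)
    return {
        "gateway": -s.filter_cost + sum(transfers.values()),
        "end_user": benefit["end_user"] - transfers["end_user"],
        "provider": benefit["provider"] - transfers["provider"],
    }


def socially_optimal(s):
    """Filtering is worth doing overall if total avoided loss exceeds its cost."""
    return sum(avoided_loss(s).values()) > s.filter_cost


def cost_sharing(s, margin):
    """One way to set the incentive chain right: beneficiaries fund the filter
    cost (plus a margin for the gateway) in proportion to their avoided loss."""
    benefit = avoided_loss(s)
    total = sum(benefit.values())
    budget = s.filter_cost * (1 + margin)
    return {party: budget * b / total for party, b in benefit.items()}


if __name__ == "__main__":
    s = Scenario(0.5, 1000.0, 5000.0, 800.0, 0.9)
    print("socially optimal:", socially_optimal(s))
    print("no compensation:", incentive(s))       # gateway -800: disincentive
    print("with cost sharing:", incentive(s, cost_sharing(s, 0.125)))
```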

Every organisation has a pre-defined security budget from which a fixed part is invested in security methods, tools, and other defence mechanisms. The remaining budget is used to hire a third party, which provides cyber insurance as well as coverage of the organisation's losses. This third-party-based cyber insurance depends on the size of the organisation. Therefore, some aspects of the economic solution are not feasible for small- to medium-sized businesses. Hence, it is necessary to offset the disadvantages of economic and technical solutions while combining their strengths to build a robust DDoS defence mechanism [12, 13].


Misaligned Incentives

Incentives are as important as technical design in any defensive mechanism. Most research has focused solely on technical aspects, while risk perception and disproportionate incentives have not been given much consideration [14]. Risk perception is a very important field in the security domain as it involves risk assessment for evaluating risks and their associated potential damages [15]. The researcher Ross Anderson discussed the importance of incentives through the example of the success of ATMs in the US and their failure in Britain [16]. In Britain, in case of any contention between a user and a bank, the whole liability lies on the user to prove the bank wrong. On the contrary, in the US, the whole liability is on the bank to prove the user wrong in case of any dispute between the user and the bank. Therefore, with the passage of time, people in Britain started losing faith in ATMs and stopped using them. In the US, this liability on the bank gives it an incentive to deploy security cameras and to invest in information security practices so that no user can cheat it. This is how incentives and liabilities work in the case of Internet security too. In this case, banks are in a better position to secure people's money and data, so there is no harm in assigning more liability to them.

Misaligned incentives have always been leveraged by attackers more efficiently than by defenders. The criminal hacker ecosystem encourages innovation and quick adaptation, and effectively directs capital to the lowest-cost and most productive criminal and illicit activities [17]. The main features of the criminal economy are decentralisation, support for commoditisation, and competitiveness. On the contrary, in the defensive market, corporate hierarchy slows down decision-making and is non-competitive. According to a survey of 800 IT companies, there are mainly three incentive mismatches [18]. Table 2.1 lists the main incentive mismatches.

The top elite layer of the hidden economy tends to take advantage of vulnerabilities before they are exposed and patched. One analysis showed that 42% of revealed vulnerabilities are exploited by attackers within 30 days of release, which implies that if such vulnerabilities were unveiled publicly, the criminal economy would rapidly transform them into new attacks [19]. The black hat economy has a large talent pool and uses freelancing to generate highly specialised products and services. With a very low barrier to entry, anybody with basic technical knowledge can be a part of the black hat economy. This whole black sector consists of a large number of network experts, ranging from providers of infected machines to human resources that capitalise on malware kits and hacked identities. All of this helps the extensive growth of various illegal businesses through spam, data theft and manipulation, and extortion.


TABLE 2.1 Incentive mismatches on the Internet

INCENTIVE MISMATCH: Hackers vs. defenders
DESCRIPTION:
  • Defenders' incentives are always influenced by the top-down hierarchy of an organisation.
  • Attackers' incentives are always influenced by a competitive and decentralised market structure.

INCENTIVE MISMATCH: Plan of action vs. execution
DESCRIPTION:
  • According to a report by McAfee, 90% of organisations have policies, provisions and plans for protection against various cyberattacks. However, most of them fail to execute them, and these plans remain only in documentation.

INCENTIVE MISMATCH: Policy-makers vs. policy-runners
DESCRIPTION:
  • Policy-makers' goals for cybersecurity defences differ from those of policy-runners. This definitely affects the effectiveness of the plan.
  • The differing perceptions of policy-makers and policy-runners about cyber defence lead to inefficiency in strategy development.

On the contrary, Internet users and the white hat community are reluctant to adopt the advantages of the black hat community. Companies in the grey market primarily serve governments and major businesses whose main objective is intelligence gathering and monitoring [18].

Figure 2.1 shows the map of the white and grey hacker markets. The white hacker community discloses vulnerabilities to the public only through vendors. This community does not try to exploit a newly found vulnerability. A grey hat never works for personal benefit. Figure 2.2 shows the vulnerability map of the black hat community, where providers of compromised machines and attack tools, social engineering, malware developers, and mule herders contribute to various cyberattacks. Table 2.2 lists some of the attributes that should be adopted from the black hat economy.
