Electrical and Computer Engineering Distinguished Colloquium
Date: Friday, February 22, 2019, 2:00 PM (America/New_York)
Location: Thornton Hall E-316

Cyber Risk Assessment: From Breach Prediction to Incentive Design

Prof. Mingyan Liu

Peter and Evelyn Fuss Chair of Electrical Engineering and Computer Science

University of Michigan, Ann Arbor

Abstract: In this talk I will present our ongoing effort in the quantitative assessment of an organization's cybersecurity risk from externally observable properties, by applying modern machine learning techniques to large quantities of Internet measurement data. Specifically, I will first describe the use of host malicious activity data (including spam, phishing, and active scanning) combined with network configuration data to obtain cybersecurity incident prediction at a firm level. I will then briefly describe the additional use of business details about an organization to obtain more fine-grained prediction, which examines not just the overall risk of an incident, but the types of incidents it is particularly susceptible to. Both of these studies follow a supervised learning framework where ground truth information in the form of data breach reports is used. In the third study I will show how deep learning techniques can be used to obtain application-agnostic, universal, and lightweight features from global scan measurements in an unsupervised setting; these features can then be used in a variety of supervised learning applications, including the prediction of malicious hosts. I will conclude the talk by describing how our ability to make predictions, or more generally, our ability to quantify at a global level the security postures of organizations, can be crucial in designing mechanisms to induce more socially desirable behavior at the firm level. In particular, quantitative assessment of this type may be viewed as creating a form of "public monitoring" that enables inter-temporal incentives to sustain long-term security information sharing among firms, or viewed as a form of "security pre-screening" to effectively mitigate moral hazard in underwriting cyber insurance policies through premium discrimination.
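The first study in the abstract is a pipeline: host-level malicious-activity observations (blocklist listings for spam, phishing and scanning) and network-configuration data are aggregated per organization, a supervised model is fit against breach-report labels, and the model then scores organizations that were not in the training set. The following is an added toy implementation of that pipeline written for this page; it is not code from the speaker or her group. All input data (the organizations, IP addresses from the RFC 5737 documentation ranges, listing durations, address counts and breach labels) is constructed, and the five features (per-list fraction of the org's address space, mean listing duration as a fraction of a 90-day window, and fraction of misconfigured hosts) are assumptions standing in for whatever features the actual studies used.

```python
"""Added example: toy firm-level breach prediction from external measurement data.

Not the speaker's code.  Data and feature definitions are constructed/assumed.
"""
from collections import defaultdict
import math

OBSERVATION_WINDOW_DAYS = 90          # assumed length of the measurement period
LIST_KINDS = ("spam", "phish", "scan")

# Constructed host-level observations: (org, ip, blocklist kind, days listed).
HOST_OBSERVATIONS = [
    ("acme", "198.51.100.10", "spam", 30),
    ("acme", "198.51.100.11", "spam", 45),
    ("acme", "198.51.100.12", "phish", 15),
    ("acme", "198.51.100.13", "scan", 60),
    ("bolt", "203.0.113.5", "spam", 2),
    ("cobb", "192.0.2.7", "scan", 20),
    ("cobb", "192.0.2.8", "scan", 40),
    ("cobb", "192.0.2.9", "phish", 30),
    ("eddy", "198.51.100.70", "spam", 60),
    ("eddy", "198.51.100.71", "spam", 75),
    ("eddy", "198.51.100.72", "spam", 90),
    ("fern", "203.0.113.200", "scan", 5),
]

# Constructed network-configuration data per org: announced address count and
# number of hosts showing a misconfiguration symptom (assumed stand-in for the
# configuration features mentioned in the talk).
ORG_CONFIG = {
    "acme": {"addresses": 32, "misconfigured": 10},
    "bolt": {"addresses": 64, "misconfigured": 1},
    "cobb": {"addresses": 16, "misconfigured": 4},
    "dune": {"addresses": 128, "misconfigured": 3},
    "eddy": {"addresses": 48, "misconfigured": 20},
    "fern": {"addresses": 24, "misconfigured": 0},
}

# Constructed ground truth: 1 = a breach was reported in the following period.
BREACH_LABELS = {"acme": 1, "bolt": 0, "cobb": 1, "dune": 0, "eddy": 1, "fern": 0}

FEATURE_NAMES = ("spam_frac", "phish_frac", "scan_frac", "persistence", "misconfig_frac")


def org_features(org, observations=HOST_OBSERVATIONS, config=ORG_CONFIG):
    """Aggregate host-level data into one feature vector for an organization.

    Counts are normalised by address space so small and large networks are
    comparable; persistence is mean listing duration over the window.
    """
    cfg = config[org]
    listed = defaultdict(set)            # kind -> distinct listed IPs
    durations = []
    for o_org, ip, kind, days in observations:
        if o_org == org:
            listed[kind].add(ip)
            durations.append(days)
    fracs = [len(listed[k]) / cfg["addresses"] for k in LIST_KINDS]
    persistence = sum(durations) / len(durations) / OBSERVATION_WINDOW_DAYS if durations else 0.0
    return fracs + [persistence, cfg["misconfigured"] / cfg["addresses"]]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows, labels, lr=1.0, epochs=8000):
    """Logistic regression by batch gradient descent (pure Python). Returns (weights, bias)."""
    n_feat, m = len(rows[0]), len(rows)
    w, b = [0.0] * n_feat, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n_feat, 0.0
        for x, y in zip(rows, labels):
            err = _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for j, xj in enumerate(x):
                grad_w[j] += err * xj
            grad_b += err
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def predict_proba(model, features):
    """Probability of a breach report for one feature vector."""
    w, b = model
    return _sigmoid(b + sum(wi * xi for wi, xi in zip(w, features)))


def train_on_labelled_orgs():
    orgs = sorted(BREACH_LABELS)
    return train_logistic([org_features(o) for o in orgs], [BREACH_LABELS[o] for o in orgs])


def rank_orgs(model, orgs, observations=HOST_OBSERVATIONS, config=ORG_CONFIG):
    """Score organizations (possibly unseen ones) and return (org, risk) pairs, riskiest first."""
    scored = [(o, predict_proba(model, org_features(o, observations, config))) for o in orgs]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    model = train_on_labelled_orgs()
    for org, score in rank_orgs(model, sorted(BREACH_LABELS)):
        print(f"{org}: breach risk {score:.2f} (label {BREACH_LABELS[org]})")
```

The ranking that `rank_orgs` produces is the kind of output the last part of the abstract has in mind: an external, uniformly computed score that a third party (an information-sharing consortium or an insurer) can use without access to the organization's internal controls. Two practical caveats the toy glosses over: a breach label reflects disclosure, not compromise, so organizations with weaker reporting obligations look safer than they are; and an organization can move its score by cleaning up the observed symptoms without fixing the underlying practices, which is exactly the moral-hazard question the incentive-design discussion addresses.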