BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Cyberinsurance: good for your company\, bad for your country? - Fa
 bio Massacci - University of Trento
DTSTART:20160621T130000Z
DTEND:20160621T140000Z
UID:TALK66599@talks.cam.ac.uk
CONTACT:Laurent Simon
DESCRIPTION:*Abstract:*\n 'Cyberinsurance' is a broad industry term indica
 ting a corporate liability insurance covering damages due to security brea
 ches of the IT corporate infrastructure. It is a booming market that raise
 s significant expectations: both policy makers (e.g. the UK Paymaster Gene
 ral and the US Senate Committee on Security)\, and cyber experts (e.g. Bru
 ce Schneier) have heralded it as a mechanism for efficiently valuing the c
 ost of cyber attacks and to act as an effective substitute for government 
 action. Whilst the effect of purchasing insurance on the behavior of indi
 viduals or firms has been studied for more than four decades\, the unique\
 , adaptive characteristics of cyber attacks make past findings not necessa
 rily applicable.\n\nIn this talk I will illustrate a general economic mode
 l of heterogeneous firms\, making risk averse decisions facing losses from
  cyber attacks conducted by strategic adversaries in a Cournot competition
 . We demonstrate that whilst the presence of actuarially fair insurance in
 creases the aggregate utility of target firms\, the presence of insurance 
 does *not* necessarily increase the security expenditures wrt those mandat
 ed by a benevolent social planner. Furthermore\, we show that when insuran
 ce is provided by a monopolist insurer mandating firms' security expenditu
 re (as it has been proposed) the aggregate security expenditure is predict
 ed to fall dramatically (and the number of attackers to increase). In oth
 er words\, delegating to cyberinsurers the policy maker role of regulating
  security expenditures might yield a digital tragedy of the commons.\n\nJo
 int work with Julian Williams (Durham) and Joe Swierzbinski (Aberdeen)\n\n
 *Bio:*\nFabio Massacci is a professor at the University of Trento (IT). He
  has a Ph.D. in Computing from the University of Rome La Sapienza in 1998.
  In his career he has visited Cambridge (UK)\, Toulouse (FR) and Siena (IT
 ). He has published [105\,111\,197\,203\,308] articles in peer reviewed jo
 urnals and conferences and his h-index is [14\,22\,36] depending on your f
 avorite bibliographic database. In 2015 he received the IEEE Requirements 
 Engineering '10 years most influential paper award' for his research on se
 curity requirements engineering. He was the European Coordinator of the pr
 oject SECONOMICS (www.seconomics.org) on socio-economic aspects of securit
 y (See our paper with UK National Grid in the May'16 issue of IEEE Securit
 y & Privacy). Part of the ideas behind this research has also been incorpo
 rated by the Common Vulnerability Scoring Standard (CVSS) v3\, just releas
 ed in June 2015. He is now working on empirical methods for security and v
 ulnerability risk assessment (e.g. are all these cyber security standards 
 actually useful?).\n\nPersonal web site: http://disi.unitn.it/~massacci/ (
 not very much updated)\nLaboratory web site: https://securitylab.disi.unit
 n.it\n
LOCATION:Room FW26\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
