Next Article in Journal
Does Engagement Partners’ Effort Affect Audit Quality? With a Focus on the Effects of Internal Control System
Next Article in Special Issue
Security Threats in Intelligent Transportation Systems and Their Risk Levels
Previous Article in Journal
Downside Beta and Downside Gamma: In Search for a Better Capital Asset Pricing Model
Previous Article in Special Issue
Cyber Risk Quantification: Investigating the Role of Cyber Value at Risk
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Cyber Insurance Ratemaking: A Graph Mining Approach

by
Yeftanus Antonio
1,
Sapto Wahyu Indratno
1,2,* and
Rinovia Simanjuntak
3
1
Statistics Research Division, Institut Teknologi Bandung, Bandung 40132, West Java, Indonesia
2
University Center of Excellence on Artificial Intelligence for Vision, Natural Language Processing & Big Data Analytics (U-CoE AI-VLB), Institut Teknologi Bandung, Bandung 40132, West Java, Indonesia
3
Combinatorial Mathematics Research Division, Institut Teknologi Bandung, Bandung 40132, West Java, Indonesia
*
Author to whom correspondence should be addressed.
Risks 2021, 9(12), 224; https://doi.org/10.3390/risks9120224
Submission received: 27 August 2021 / Revised: 4 November 2021 / Accepted: 12 November 2021 / Published: 6 December 2021
(This article belongs to the Special Issue Cyber Risk and Security)

Abstract

:
Cyber insurance ratemaking (CIRM) is a procedure used to set rates (or prices) for cyber insurance products provided by insurance companies. Rate estimation is a critical issue for cyber insurance products. This problem arises because of the unavailability of actuarial data and the uncertainty of normative standards of cyber risk. Most cyber risk analyses do not consider the connection between Information Communication and Technology (ICT) sources. Recently, a cyber risk model was developed that considered the network structure. However, the analysis of this model remains limited to an unweighted network. To address this issue, we propose using a graph mining approach (GMA) to CIRM, which can be applied to obtain fair and competitive prices based on weighted network characteristics. This study differs from previous studies in that it adds the GMA to CIRM and uses communication models to explain the frequency of communications as weights in the network. We used the heterogeneous generalized susceptible-infectious-susceptible model to accommodate different infection rates. Our approach adds up to the existing method because it considers the communication frequency and GMA in CIRM. This approach results in heterogeneous premiums. Additionally, GMA can choose more active communications to reflect high communications contribution in the premiums or rates. This contribution is not found when the infection rates are the same. Based on our experimental results, it is apparent that this method can produce more reasonable and competitive prices than other methods. The prices obtained with GMA and communication factors are lower than those obtained without GMA and communication factors.

1. Introduction

In 2020, the World Economic Forum placed cyberattacks in the top 10 categories of risks over the next ten years (World Economic Forum 2020). The rapid development of information and communication technology (ICT) has led to the need for proper risk management. Cyber insurance is one option that can protect ICT sources from losses incurred due to cyberattacks (Bodin et al. 2018; Camillo 2017). Empirical studies have shown the adequacy of the use of cyber insurance to manage cyber risks (Biener et al. 2015). Cyber insurance ratemaking (CIRM) is one of cyber insurance products’ main problems (Marotta et al. 2017). The uncertainty of cyber risk factors has caused companies to price cyber insurance products conservatively at high prices. Several existing risk models have been built without paying attention to network structure and computer information (Bohme and Schwartz 2010). The connectedness of ICT sources in the network and the transmission process occurring via connections between them are two distinctive characteristics of cyber risks. Therefore, the analysis of cyber threats must consider the network structure and the characteristics of computer information.
To characterize the structure, we propose using a graph mining approach (GMA) for CIRM on weighted networks. The weights describe the communication frequency (the number of connections made while sending and receiving information) in a computer communication network (Chou 1975). Several studies of network traffic and cyberattacks have shown a relationship between them (Almutairi et al. 2020; Pimenta Rodrigues et al. 2017; Wang and Jones 2020). Consequently, graph mining serves to acquire groups with intense communication. GMA has three stages. Stage 1 comprises the steps used to generate a weighted network based on probability distribution information. Miller and Childers (2012) treated the arrival of messages (packets) to a node as an example of a random process in the computer communication network and modeled it following the Poisson process. In this study, we modeled the number of connections using a probability distribution with two perspectives. These are node- and link-based models. The node-based model uses the analogy of the weighted co-purchase product network formation for market basket analysis (Kim et al. 2012; Raeder and Chawla 2011; Videla-Cavieres and Ríos 2014). The link-based model directly treats the weights on the links as random variables.
Stage 2 is the process of obtaining communication characteristics using the GMA (Zhang et al. 2011). This stage comprises three parts—namely, community detection, threshold setup, and a filtering process. Community detection is used for identifying structural similarity (Boobalan et al. 2016; Chang et al. 2017; Karatas and Sahin 2018; Remy et al. 2018). Especially in the spread of viruses, community detection can be used to find groups with more dense contacts than inter-group contacts (Wang et al. 2020). In every community, some nodes or links are rarely used. Threshold setting and filtering processes are used to determine the communication threshold. Nodes and links that are lower than the threshold are not involved in the CIRM simulation. The company can choose the level of risk desired based on the proportion of the threshold in each community. Nodes that do not meet the threshold are not covered by insurance. Hence, the insurance rate can be adjusted according to the company’s capabilities.
In stage 3, a Monte Carlo simulation is conducted to evaluate the network security level and calculate losses in each filtered community. We use the heterogeneous generalized susceptible- infectious-susceptible (HG-SIS) model by Ottaviano et al. (2018, 2019) as the basis of the simulation to include the effects of communication weight. The HG-SIS model is an extension of the ε -SIS model (Van Mieghem 2014; Van Mieghem and Cator 2012). The ε -SIS model has been used as the basis for previous CIRM simulations in the unweighted network (Xu and Hua 2019). Our previous study also extended the compartmental SIS model (Kermack and McKendrick 1991) to estimate cyber risk using the average degree for several particular network topologies (Indratno and Antonio 2019). This model was not used because it could not detect the individual status of the microlevel perspective simulations.
The main research objective of the GMA is to obtain a more appropriate and more competitive insurance rate (or price) by characterizing the network structure. This approach adjusts rates based on more active communication to overcome overpricing issues. The main contributions of this paper are as follows:
  • incorporating the effects of communication intensity in the CIRM process.
  • developing GMA procedures to homogenize high communications for CIRM in weighted networks.
  • extending the CIRM simulation with different link infection rates (according to communication intensity) using the HG-SIS model.
  • applying the GMA procedure for CIRM in two networks: a hybrid network and a random network. Then, the results are compared with those obtained without GMA cases.
The remainder of this paper is organized as follows. In Section 2, the CIRM from two perspectives—namely, model and network—is reviewed. Detailed procedures of a new approach (GMA) for CIRM are provided in Section 3. In Section 4, the process of involving communication factors in the model is described. Some significant experimental results are presented and discussed in Section 5. In Section 6, conclusions and future work are summarized.

2. Cyber Insurance Models

Several methods and models used for pricing or ratemaking in cyber insurance have been developed. Generally, to date, studies related to CIRM or pricing can be divided into two major groups—namely, those that do not consider the network structure (Böhme and Kataria 2006; Eling and Wirfs 2015; Herath and Herath 2011; Mukhopadhyay et al. 2013) and those that evaluate the network structure (Fahrenwaldt et al. 2018; Hua and Xu 2020; Xu and Hua 2019). As state-of-the-art tables, Table 1 and Table 2 provide a detailed comparison from the model and network viewpoints.
From the model’s perspective, the methods can be differentiated by model, total loss calculation, input, and loss type. Table 1 presents the comparisons of CIRM models from several previous studies. From a network viewpoint, methods can be distinguished by network type, network weight, risk selection, and communication effect. Table 2 shows comparisons of the CIRM networks used in several previous studies.
Research that considers network structure uses the stochastic process to simulate dynamic transmission. In Fahrenwaldt et al. (2018), the authors used the SIS model and found higher-order estimates of the mean-field approximation. The mean-field aggregate and the marked process point were used to calculate the total loss. Xu and Hua (2019) determine premium using a more general stochastic model—that is, ε -SIS. The total loss is calculated using the loss functions, and the infection data are generated using Monte Carlo simulation. Hua and Xu (2020) expanded the model with dependent dynamic infection and omitted the exact network structure from calculations for large and complex networks. Antonio et al. (2021) introduced a local clustering coefficient to reduce the transition probability in the Markov model through the inhibition function. However, they did not consider the frequency of communication as a cybersecurity factor and did not consider these factors in selecting and classifying risks through the GMA. Additionally, all pre-existing models were created using homogeneous infection rates. The activeness of computer communications can affect the infection rate, so each link’s infection rate depends on the number of communications. Therefore, it is more realistic to consider the infection rate.
Based on the comparison of Table 1 and Table 2, some of the limitations of the previous study that become overcome in this paper are as follows:
  • None of the works used GMA for selecting risk, especially from a network model perspective. We propose the use of GMA before the CIRM simulation.
  • The last three studies used epidemic models with similar infection rates. We adjusted the link infection rate based on the communication weights using the HG-SIS model.
  • Some works included network structures, but none used weighted networks. We considered the communication weight factor in the CIRM process.
  • Only one work included the communication effect—that is, the average arrival traffic per attack. However, there is none from the network model perspective. We consider the communication effect (the frequency of communication) from the network model perspective.

3. Graph Mining Approach

In this section, we explain the GMA used to study the structure of weighted networks for CIRM. Figure 1 shows the proposed approach used for the ratemaking process in cyber insurance products. This method comprises three stages: generating a weighted network, selecting risks using graph mining, and processing the ratemaking simulation. The methodology and algorithms at each stage are described in this section.
Stage 1 requires information on the frequency of communications in the network or the distribution of communication frequencies. Two models used for the study of communication frequency are the node-based model and the link-based model. In a node-based model, we use a co-purchase product network formation analogy. This model involves two random variables: the number of communications and the number of communicating nodes. The link-based model assumes the number of communication on the link to be a random variable. Synthesis data during the contract period can be obtained through the random communication process simulation based on statistical distribution assumptions.
In stage 2, the graph mining procedure is conducted on the weighted network formed in stage 1. Community detection on the weighted network is used to classify risks. In each community, threshold settings and filtering processes are conducted to select links with a high level of communication. Connections with small contacts are not involved in rate simulation.
The simulation of CIRM is conducted in communities that have been filtered in stage 3. Before carrying out the simulation, the infection rate for each link, which was initially the same, is adjusted to the communication frequency of each link. Therefore, we obtain different infection rates for each connection. The Monte Carlo simulation for capturing dynamic transmission is conducted using the HG-SIS model, with heterogeneous infection rates (different for each link). Insurance rates are finally obtained by calculating the total loss and using the standard deviation premium principle.

3.1. Connectivity Models

3.1.1. Node-Based Model

To build a communication network, we need a model to represent random events in the network. We consider the analogy of basket market analysis to create an interconnected network using the number of communications in every link. Then, we build the weighted network based on the number of co-purchase products derived from the data of each transaction in the market basket analysis using the network. Each transaction includes several co-purchase products. This analogy can be used to build a communication model on a computer network by assuming transactions as communications, and each transmission can involve several nodes or computers.
The communication calculation between two nodes produces a weighted communication network based on the node or computer that communicates in a specific transaction. The weights are the frequency or quantity of communications. This approach is called the node-based model and is explained in Figure 2. Suppose that a company has four nodes (computers). In one day, there are three communications where C1 denotes the first communication, C2 denotes the second communication, and C3 denotes the third communication. The first communication involves Node 1, Node 2, and Node 4. In the second communication, Node 2, Node 3, and Node 4 send data. The interaction between Node 3 and Node 4 occurs during the third communication.
Let X denote a random variable representing the number of communications that follow a discrete distribution with a probability mass function p X = P ( X = c ) . Also, let Y is a random variable representing the number of nodes that communicate in each communication, which follows a discrete distribution with the probability mass function p Y = P ( Y = n ) . Both are independent, and they can follow binomial distributions, Poisson distributions, or negative binomial distributions. If the random variables X and Y are drawn from Poisson distributions, they indicate the number of communications or nodes within a specific time. If both have binomial distributions, they represent the number of successful communications or nodes linked successfully. They might also be interpreted as the number of successful communications. When the total number of communication failures are known, they exhibit negative binomial distributions.
A formula for the number of connected pairs of nodes in a day is n 2 c . For this, we assume a company that has 100 computer units. Consequently, the maximum number of nodes connected to the communication is also 100. We assume that the company’s computer network can accommodate up to a thousand contacts per day. Figure 3 shows the effect of c and n on the total communication that occurs in all links. If given a value around the mean of the random variable Y equal to n, then the change in the value of c will have a linear relationship to the total number of communications in a day (see Figure 3a). Meanwhile, the value of n and the total number of communications have a nonlinear relationship if a value around the mean of the random variable X equals c (see Figure 3b). The algorithm used for the node-based model is given by Algorithm 1.
Algorithm 1: Network construction simulation using a node-based model.
Risks 09 00224 i001

3.1.2. Link-Based Model

A simpler model that is also used as a communication quantity model treats the number of communications on each link as a random process. This model is called the link-based model. Let Z k denote a random variable of the number of communications in each link k with the probability mass function p l = P ( Z k = l ) . The difference with the node-based model is building a weighted network process where the weight of each link is the number of communications through the link. Thus, this model only uses one random variable. Following the previous model, Z k is an identical binomial random variable, a Poisson random variable, or a negative binomial random variable, implying the same distribution for every k. Table 3 explains the probability mass function for each distribution of Z k .
All distributions depend on the value of the parameter. Suppose a network has links. Thus, Z k , k = 1 , 2 , , are the independent and identically distributed random variables. The distribution of the total communication in a network is the sum of Z k equal to Z = Z 1 + Z 2 + + Z . The following properties show the distribution of the number of communications in the network Z for each distribution of Z k in Table 3 using the characteristics function.
Proposition 1
(Dekking et al. (2005)). Let Z k for k = 1 , 2 , , denote a random variable for the number of communication in k-th link with an independent and identically Poisson distribution and parameter λ for every k. The distribution of the total number of communications Z = Z 1 + Z 2 + + Z in a network is a Poisson distribution with the parameter λ .
Proposition 2
(Dekking et al. (2005)). Let Z k for k = 1 , 2 , , denote a random variable for the number of communications in the k-th link with an independent and identically binomial distribution and parameters m and p for every k. The distribution of the total number of communications Z = Z 1 + Z 2 + + Z in a network is a binomial distribution with the parameters m and p.
Proposition 3
(Dekking et al. (2005)). Let Z k for k = 1 , 2 , , denote a random variable for the number of communications in the k-th link with an independent and identically negative binomial distribution and the parameter r, ρ ¯ for every k. The distribution of the total number of communications Z = Z 1 + Z 2 + + Z in a network is a negative binomial distribution with the parameter r , ρ ¯ .
Algorithm 2 provides the rule used for creating weights using a link-based model. First, we generate a random number of communications in a network from the given distribution. Then, we choose an active link for each contact based on its probability. The link weight denotes how much the link is selected as an active link. This step runs until time T. We used the beta distribution as a sampling probability for the algorithm to accommodate different communication patterns rather than assuming the patterns to be uniform.
Algorithm 2: Network construction simulation using link-based model.
Risks 09 00224 i002

3.2. Community Detection

The structural properties of node interactions in its group are the output of community detection procedures. Community detection algorithms are widely used in the fields of computer science and mathematics. Community detection for communication networks has been used to find efficient mobile networks (Nguyen et al. 2014). Community detection is also used to obtain the similarity of communication structures in mobile phone communication networks (Blondel et al. 2008). After we obtain a graph with communication weight in a computer network, the next step is to find the similarity of its structure through community detection methods.
There are two major groups of community detection algorithms: disjoint community detection algorithms and overlapping community detection algorithms (Javed et al. 2018). In this case, we want a node to only be in one risk group so that the detection of the selected communities results in disjoint communities. One of the disjoint community detection algorithms is the modularity-based algorithm. Suppose that G = ( G 1 , G 2 , G ζ ) is a disjoint sequence of ζ subgraphs and the number of subgraphs ζ is assumed to be unknown. The number of subgraphs should be determined using an algorithm for maximizing the modularity function Q, where Q is equal to
Q = i = 1 ζ ( i j a i ) .
where i j is the total number of links that have one end node in the community i and the other in community j, while the term a i is the total number of edges that connect to nodes in the community i (Newman and Girvan 2004).
Three algorithms can be used to solve this problem. First, modularity-based algorithms use a heuristic searching method to approximate the optimization problem, called extremal optimization Boettcher and Percus (2001a, 2001b). Second, spectral optimization (Chen et al. 2014; Newman 2006; Newman and Girvan 2004) uses spectral information from matrix data, eigenvalues, and eigenvectors to maximization the modularity. Finally, greedy optimization (Blondel et al. 2008; Clauset et al. 2004; Danon et al. 2006; Newman and Girvan 2004) runs the modularity optimization of the largest number of communities (treating every node as a community).
Because of the time complexity issue, the greedy algorithm from Blondel et al. (2008), which we can call the Louvain algorithm, is chosen for our problem. A communication network is a weighted network where the link weight is the communication between two nodes. We need a modularity function for a weighted network (Newman 2004). For a weighted network, the modularity function Q W can be defined as:
Q W = 1 2 m i , j w i j k i k j 2 m δ ( G i , G j ) ,
where w i j is denoted as the weight of nodes i and j, k i and k j are the cumulative weight of the link between nodes i and j, and m is the total weight of a network. G i and G j are denoted as the community locations of nodes i and j, respectively, and δ ( . ) is the Kronecker delta function.    
δ ( G i , G j ) = 1 , if G i = G j 0 , o t h e r w i s e .
Afterwards, we need to define the threshold setup and network filter methodology.

3.3. Threshold Setup

We should define the threshold of η to extract a strong connection. The threshold is created because the entire co-product network contains high degrees and spurious edges (Videla-Cavieres and Ríos 2014). We also assume that the connections between the computers in the computer communication network have high degrees (similar to the fully connected network topology) and contains spurious connections. Then, it is necessary to determine η . This methodology find a new graph that meets the criteria that remove the weight of all edges w u v , u , v = 1 , 2 , , N lower than η , w u v < η .
Although there is no standard method for this step, several ways have been used to determine η of the co-purchase network. The threshold η can be chosen from a specific constant value even though it cannot apply to all networks. Alternatively, η is selected from the average weight on the network or using the top three heavy edge thresholds (tthet) (Videla-Cavieres and Ríos 2014). We consider applying this method for our weighted computer communication network and adding other two criteria, namely, the top four heavy edge thresholds (tfhet) and the top five heavy edge thresholds (tvhet), as a comparison.
Suppose the descending ordered set of m weighted links in the network is W = { ω 1 , ω 2 , , ω m } . Therefore, tthet, tfhet, and tvhet are defined as the average of the top three weights, the top four weights, and the top five weights according to the following term:
t t h e t = ω 1 + ω 2 + ω 3 3 ,
t f h e t = ω 1 + ω 2 + ω 3 + ω 4 4 ,
t v h e t = ω 1 + ω 2 + ω 3 + ω 4 + ω 5 5 ,
where ω 1 is the heaviest edge weight and ω 2 to ω 5 are the second to fifth heaviest edge weights, respectively.

3.4. Network Filter

We also use network filter methodology (Videla-Cavieres and Ríos 2014) for filtering our communication network. This filtering step can make a new graph more flexible than only using a threshold set-up methodology. Sometimes only a little edge weight will satisfy the minimum threshold. The filtering step is the proportion or percentage of tthet, tfhet, and tvhet. Consider every 5% of thresholds tthet, tfhet, and tvhet until 100% are p ˜ = { 0.05 , 0.1 , 0.15 , , 0.95 , 1 } . A new set of thresholds is found, with 20 members for each.
Using dot product between p ˜ and thresholds, the set of filters can be written as:
f i l t e r s = p ˜ · t h r e s h o l d = { 0.05 t h r e s h o l d , 0.1 t h r e s h o l d , , 0.95 t h r e s h o l d , 1 t h r e s h o l d } .
With this methodology, we can find the limit of weight that makes the network structure represent each risk not only for high-risk categories but also for medium- and low-risk categories.

4. HG-SIS Model Ratemaking

After obtaining communication, the next step is to simulate CIRM for the graphs that have been received. Previous studies have used homogeneous infection rates and recovery rates for ratemaking. These rates can vary. Figure 4 illustrates the processes that occur at each node by using the SIS, ε -SIS, H-SIS, and HG-SIS models. All models are worked as node-level models. In the SIS model (Van Mieghem 2014; Van Mieghem et al. 2009), each node can have a vulnerable or infected status at a rate that remains assumed to be the same. In this model, the infection occurs because of contact with other infected nodes (see Figure 4a). The ε -SIS model (Van Mieghem and Cator 2012) generalization adds the source of infection through self-inflicted access to malicious sites, opening e-mails containing worms, downloading files that are inserted with malicious software, etc. (see Figure 4b).
Cyber insurance pricing uses a homogeneous ε -SIS model (Fahrenwaldt et al. 2018; Xu and Hua 2019). Heterogeneous models have also been described for the case of the spread of computer viruses at different infection rates. Heterogeneous SIS (H-SIS) allows the rate of each link to be different (see Figure 4c) Ottaviano et al. (2018, 2019). The H-SIS model enables infection rates that depend on the type of connection between the two nodes. This model is more realistic and has a broader scope. We included the possibility of self-infection in the H-SIS model. Hence, we call this the HG-SIS model. The HG-SIS model is a generalization of the heterogeneous SIS model (H-SIS) with a self-infection rate. In other words, HG-SIS is a ε -SIS with different link infection rates (see Figure 4d).

4.1. HG-SIS Model

Let us consider a network represented by a graph G = ( N , L ) , where N is the node-set, and L is the link set (Diestel 2017). Computer viruses spread in this network through links. Graph G is a loopless graph that does not accommodate a connection to itself. Representation graph G as an undirected graph is based on the assumption that each node can send and receive data, or this attack is called a two-way attack. Graph G is a weighted graph where the weight of the link ( u , v ) L for u , v N is given by w u v and w u u = 0 for every u N because G is an undirected graph. Weights in this network are the number of communication on each link obtained from the node-based or link-based models.
Suppose that β u v is the infection rate for connection types between u and v for u , v N . Because the network type does not have a loop, there is no connection to itself or β u u = 0 for every u L . Given that G is an undirected graph, the infection rate matrix B = [ β u v ] , for u , v = 1 , 2 , N , is a symmetric matrix. At the node, v recovery and infection can occur depending on the type of computer, δ v and ε v . The infection, recovery, and self-infection process follows the Poisson process, where the infection rate is β u v , the recovery rate is δ v , and the self-infection rate is ε v . Hence, the time to infection for node u due to an attack from infected node v is an exponential random variable with mean β u v . Next, the time to recovery for node v is an exponential random variable with mean δ v . The time to self-infection for the v node is an exponential random variable with mean ε v . They follow a homogeneous Poisson process, which is a Poisson process that does not depend on time. However, links or nodes have non-identical (heterogeneous) rates.
The infection rate is a function of the communication weight in the network. Assume that for communication weights, there are a maximum and a minimum infection rate so that ( u , v ) E , m i n ( β u v ) < β u v < m a x ( β u v ) . The relationship between the network weight and infection rate is given by the positive sigmoid function β u v = f ( w u v ) , where f ( w u v ) is defined as:
f ( w u v ) = 0 , for w u v = 0 β δ β 1 + e x p ( k ( w u v w ¯ ) ) + δ β , for w u v > 0 ,
where β > δ β and k > 0 . The infection rate matrix B = β u v becomes:
B = 0 β δ β 1 + e x p ( k ( w 12 w ¯ ) ) + δ β · β δ β 1 + e x p ( k ( w 1 N w ¯ ) ) + δ β β δ β 1 + e x p ( k ( w 21 w ¯ ) ) + δ β 0 · β δ β 1 + e x p ( k ( w 2 N w ¯ ) ) + δ β β δ β 1 + e x p ( k ( w N 1 w ¯ ) ) + δ β β δ β 1 + e x p ( k ( w N 2 w ¯ ) ) + δ β 0 ,
where β > 0 and δ β > 0 . The average communication weight is given by w ¯ = u , v w u v / 2 m and the growth rate of function is given by k = 1 / σ , where:
σ = u , v | w u v w ¯ | 2 m ,
and m is the number of links | L | . The following proposition describes the characteristics of the function regarding the infection rate.
Proposition 4.
For a function defined by a positive sigmoid function, the infection rate β u v satisfies the following properties:
  • m a x ( β u v ) = β and m i n ( β u v ) = δ β
  • If w u v w ¯ and σ > 0 , then β u v = β + δ β 2
  • If w u v and σ > 0 , then β u v = β
  • If w u v 0 , w ¯ 0 and σ > 0 , then β u v = δ β
The full proof of Proposition 4 can be found in Appendix A. Figure 5 shows a transformation function f ( w u v ) for β u v . In practice, the upper and lower limits of the infection rate ( β and δ β ) can be determined by the upper and lower limits of the confidence interval of the point estimator for the link infection rate: β ^ .
Let I v ( t ) be the random variable that explains the status of node v, where I v ( t ) { 0 , 1 } . If at time t, node v is infected, then I v ( t ) = 1 with probability p v ( t ) = P ( I v ( t ) = 1 ) . If node v is vulnerable at time t, then I v ( t ) = 0 with probability 1 p v ( t ) = P ( I v ( t ) = 0 ) . The transition probabilities of node v, which is p v , x y ( t ) = P ( I v ( t + h ) = y | I v ( t ) = x ) , of the HG-SIS model can be written as follows:
p v , x y ( t ) = j = 1 N β v j I j ( t ) + ε v h + o ( h ) ; x = 0 , y = 1 δ v h + o ( h ) ; x = 1 , y = 0 .
Clearly, I v ( t ) is a Bernoulli random variable with E [ I v ( t ) ] = p v ( t ) . Consider the conditional probability of infected node v at time t + h :
P I v ( t + h ) = 1 | I v ( t ) = 1 I v ( t ) j = 1 N β v j I j ( t ) + ε v h + I v ( t ) 1 δ v h + o ( h ) .
Equation (12) is also equal to E [ I v ( t + h ) | I v ( t ) ] . By the law of total expectation (Ross 2019) and the same perspective as the SIS model (Van Mieghem 2014), we can obtain:
E [ I v ( t + h ) ] = E 1 I v ( t ) j = 1 N β v j I j ( t ) + ε v h + I v ( t ) 1 δ v h + o ( h )
= E ( 1 I v ( t ) ) j = 1 N β v j I j ( t ) + ε v h + E [ I v ( t ) ] 1 δ v h + o ( h ) = j = 1 N β v j E [ I j ( t ) ] + ε v h j = 1 N β v j E [ I j ( t ) I v ( t ) ] + ε v E [ I v ( t ) ] h
+ E [ I v ( t ) ] 1 δ v h + o ( h ) .
The dynamic equation for the infection probability of the HG-SIS model can be driven using N-intertwined mean-field approximation (NIMFA) (Van Mieghem 2014) as follows:
p v ( t + h ) p v ( t ) = ( 1 p v ( t ) ) j = 1 N β v j p j ( t ) + ε v h p v ( t ) δ v h + o ( h )
p v ( t + h ) p v ( t ) h = j = 1 N β v j p j ( t ) + ε v j = 1 N β v j p j ( t ) p v ( t ) ( δ v + ε v ) p v ( t ) + o ( h )
for h 0 ,
d p v ( t ) d t = j = 1 N β v j p j ( t ) j = 1 N β v j p j ( t ) p v ( t ) ( δ v + ε v ) p v ( t ) + ε v .
The other approximation uses the upper bound of infection probability. Cator and Mieghem (Cator and Van Mieghem 2014) showed that:
E [ X i ( t ) X j ( t ) ] E [ X i ( t ) ] E [ X j ( t ) ] ,
where X i ( t ) and X j ( t ) are non-negatively correlated for all finite graphs. This result leads us to find the upper bound of infection probability (Xu and Hua 2019), which was previously found for the ε -SIS model.
Theorem 1
(extended version of Xu and Hua (2019)). Let Q ¯ = d i a g δ v δ v + ε v B d i a g ( ε v + δ v ) and B = [ β u v ] for u , v = 1 , 2 , , N , then, for the HG-SIS model, the upper bound for infection probabilities is given by:
p * ( t ) = e Q ¯ t p ( 0 ) + Q ¯ 1 k = 1 Q ¯ k t k k ! ε .
We can show that the result of Theorem 1 can be obtained in the same way as Xu and Hua (2019) (see Appendix B). The difference between this theorem and the previous theorem (Xu and Hua 2019) is a generalization of the adjacency matrix to the link-infection rate matrix. Note that the stationary probability of NIMFA is the upper bound for the SIS model, which is: p v = p v .
Proposition 5.
The stationary distribution for the infection probability of the HG-SIS model using NIMFA is given by:
p v = j = 1 N β v j p j ( t ) + ε v j = 1 N β v j p j ( t ) + δ v + ε v .
Proof of Proposition 5 is given in Appendix C.

4.2. Ratemaking

A rate is the total losses or price per unit of exposure (Michael and Rejda 2017). Exposure is a quantity that corresponds to the risk of the policyholder (Parodi 2014). Prices comprise pure premiums used to pay total losses and loading factors as price adjustments for expanding sales and company profits. We consider the standard deviation premium principle (Tse 2009) for pricing the premium, which is:
P = E [ S ] + θ V a r ( S ) ,
where P is the premium, S is the total loss, and θ is the loading factor.
The exposure has a criterion that is proportional to the expected loss. If the exposure increases, the loss expectation also increases. Consider the communication weight on the link ( u , v ) , which is w u v ; the total weight on the network is chosen as the exposure factor—i.e., e = u , v w u v 2 . The cyber insurance rate for the whole network during a time [ 0 , t ] is proportional to:
R a t e = P e = 2 ( E [ S ( t ) ] + θ V a r ( S ( t ) ) ) u , v w u v ,
where P is the premium and e is the exposure factor. Conversely, the rate for each node is given by:
R a t e v = P v e v = 2 ( E [ s v ( t ) ] + θ V a r ( s v ( t ) ) ) u w u v ,
where R a t e v is the rate of node v, P v is the premium using the standard deviation premium principle of node v, and e v is the exposure of node v.
Now, we define the total loss using the same perspective with two losses factors (Xu and Hua 2019). Let L v ( i ) denote the i-th loss of node v caused by infection (stolen information; destroyed data; unauthorized use of an asset; exposed personal data, passwords, or records, etc.). Also, let R v ( i ) denote the i-th loss of node v caused by the time needed for the system recovery system downtime, where it cannot work as usual to obtain profit. Both of these are modeled by the cost functions μ v ( L v ( i ) ) and ξ v ( R v ( i ) ) . The commutative loss for node v to time t is given as follows:
s v ( t ) = i = 1 M v ( t ) μ v ( L v ( i ) ) + ξ v ( R v ( i ) ) ,
where for node v, the total number of infections during ( 0 , t ] is given by M v ( t ) . The total network loss up to time t is a summation of each node loss that is equal to:
S ( t ) = i = 1 N s v ( t ) = i = 1 N μ v ( L v ( i ) ) + ξ v ( R v ( i ) ) .
Therefore, the rate for each node v can be determined using the concept in Equation (22) for substitution with a total loss for node v in Equation (23).
Assume that the losses caused by infection L v follow a generalized beta distribution with the following density function:
f L v ( ϕ | a , b , c , w ˜ v ) = c ϕ B ( a , b ) ϕ w ˜ v a c 1 ϕ w ˜ v c b 1 , 0 < ϕ < w ˜ v ,
where w ˜ v is the scale parameter that explains the initial wealth or information resources of node v, a , b , c > 0 are shape parameters, and B is the beta function. The loss profile of this model is explained in Figure 6.
The generalized beta distribution was selected as a loss distribution because it has a loss value that does not exceed the computer wealth w ˜ v . This distribution is also a flexible distribution that can cover all profiles of losses depending on the selected parameter. Figure 6a shows several types of loss profiles that depend on the selected parameter of the loss profile collected at small, center, and large values for the scale parameter w ˜ v  = 1000. The scaling distribution for w ˜ v = 2000 is given by Figure 6b, which uses the same shape parameter values and gives the same profile with a different variability. Consider the linear cost function for the loss caused by infection and the loss caused by the time taken to recover are defined as:
μ v ( L v = ϕ ) = α ϕ , ξ v ( R v = r v ) = α 1 w ˜ v + α 2 r v ,
where α , α 1 , α 2 are rates related to the infection, initial wealth, and recovery process. We used Algorithm 3 to simulate the total loss. The algorithm is a slight modification of the algorithm created by Xu and Hua (2019).
Algorithm 3: Simulation of cyber security risk with different infection rates
Risks 09 00224 i003

5. Experimental Results and Discussion

Suppose that two companies have two different types of network topologies. There are three divisions in the first company with 50 computers connected to the complete network topology and connected by one bridge. The second company has 150 units of the computer using a network topology that follows a random network (van der Hofstad 2016). Figure 7 shows both of the topologies.
They want to ensure their computer and provide data related to the number of communications in the network. The number of communications can be modelled by the node-based model or the link-based model given in Section 2. It appears that the first topology has three communities based on their structure. The second topology is generated from a random network with N = 150 and p = 0.1 , where N is the number of nodes and p is the probability. The process of generating random graphs is an evolutionary process that starts with N isolated node. Then, the process develops with a successful link that exceeds the value of p. In these networks, procedures are performed using the following steps:
  • Generating weighted graphs. In practice, link weight can be formed by communication data. Then, we can fit and simulate the distribution of communication using Algorithms 1 or 2 to predict future risk.
  • Finding risk group. To reduce the size of the network, we separate the network into some communities using community detection.
  • Threshold setting and filtering. Some of the activities or areas of contact between nodes are small. This step excludes the low communication in each community.
  • Ratemaking. A simulation for infection risk is carried out for every community after the threshold setting and filtering processes. Then, the total premium or rate is the total premium or rate in every community.
The results are described and discussed in the following subsections.

5.1. Generating Weighted Networks

Weighted network modelling in this section uses models in Section 3, specifically node-based models using Algorithm 1 and link-based models using Algorithm 2. Consider the computer network of the first company and the second company—they are as shown in Figure 7. First, the node-based model requires the distribution of the number of communication p c in a day and the number of nodes involved in each communication. Both companies want a one-year contract period of T = 365 . Let the number of communications and the number of nodes involved in each communication follow the Poisson distribution with mean λ c and λ n . The values of λ c and λ n affect the communication weight distribution in links. Assume that, on average, there are λ c = 400 communications in the network and that each communication involves λ n = 20 nodes on average each day.
Figure 8 shows the distributions of each topology. Based on these results, the first network with 3678 links gives 9,369,070 total communications in the network. Conversely, the second network with 1126 links provides 2,756,208 total communications in the network. Although both networks have the same number of nodes equal to 150, the number of links dramatically affects the total number of communications in the network. Figure 8 also shows a high number of spurious connections or connections with small weights. This result indicates that the model represents many real cases, where not all nodes communicate with high intensity, and some are even connected with sporadic communication.
Table 4 explains descriptive statistics for both networks. These results provide similar mean values of weights for the first and second networks. The mean value of the first network is 2547.33, and the mean is 2447.79 for the second network. The maximum weights for each network are 11,154 and 10,773, with minimum values of 0 and 7, respectively. The standard deviation of weight in the second network is equal to 2352.23 and more generous than the standard deviation of weight in the first network equals 2162.83.
Next, we introduce the process of generating weighted networks by a link-based model with the procedure given in Algorithm 2. This algorithm requires the number of links and the distribution of Z k , k = 1 , 2 , , . The distribution is assumed to be selected from the three distributions given in Table 3. This algorithm uses the beta distribution as a sampling probability because this distribution is in the ( 0 , 1 ) interval. The model can adjust parameters a , b so that there are many spurious weighted links. If we use a uniform distribution as we did before, the frequency of each weight will be similar.
We select the parameters used for the sampling probability distribution of a = 1 and b = 4 . From the information given in Table 5, there are 1 = 3678 links in the first network and 2 = 1126 in the second network. Suppose that the average number of communication per link per day is 20. Thus, for the Poisson distribution we select λ = 20 , for the binomial distribution we select n = 100 and p = 0.2 , and for the negative binomial distribution we choose r = 60 and ρ ¯ = 0.25 .
Figure 9 shows the results for each distribution in each link. During one year, 26.8 million communications took place in the first network, and 8 million communications took place in the second network based on simulations conducted using a link-based model. This result is due to the number of links in the first network being three times the number of links in the second network. An identical link weight distribution is obtained, which implies that two networks have the same average communication on the link for each distribution. The descriptive statistics in Table 5 show how close the central tendency is and measure of dispersion for each distribution in both networks. Thus, the models can always obtain a distribution of communication weights on the network with much spurious weight. Both the node-based and link-based models can be used to model the number of connections in each link. In the next section, we consider the results of the node-based model, as shown in Figure 8.

5.2. Finding Risk Group

After the previous step, including modelling network weight, community detection is obtained by maximizing the modularity for weighted networks using the Louvain algorithm provided in Section 3. Figure 10 explains the results of community detection, where there are three communities in the first network and six communities in the second network. The same colour indicates that the nodes are in the same community. Different colours imply that the nodes are in various communities. As discussed earlier, the first network comprises three communities, with each group connected to a complete network.
Next, assume that each group or community or subgraph is mutually exclusive. Figure 11 describes each of the subnetworks from the first and second networks. The maximum modularity is 0.666 for the first network and 0.210 for the second community. The three subnetworks in the first network have the same nodes—i.e., 50 nodes per community. Conversely, six subnetworks in the second network have different numbers of nodes—i.e., 30, 18, 28, 27, 24, and 23 sequentially from the first to the sixth community.

5.3. Threshold Setup and Filtering Process

We want to eliminate the spurious link—for example, a link with a weight equal to 0, which causes the infection rate to be 0. In this step, removing the link is achieved using the threshold setup and filtering process methodology. Considering the thresholds in Equations (5) and (6), Table 6 provides the results of the threshold for each community in the first and second networks. Every community in every network has a threshold near the maximum value. It means that only a few links meet the thresholds. The threshold in Table 6 gives decreasing values for tthet, tfhet, and tvhet. Thus, by increasing the average threshold, we can obtain a more relaxed threshold value, allowing the inclusion of more nodes. Based on these results, we choose to use tvhet to provide a more flexible threshold and use filtering processes to adjust the number of links and the number of nodes in this case.
For the filtering step, we consider the proportion of the thresholds that have been predetermined.
f i l t e r s = p ¯ · t v h e t
where p ¯ is a proportion set { 0.05 , 0.1 , , 0.95 , 1 } . Figure 12 explains the relationship between the number of nodes and the number of edges. If the proportion selection of the filter is large, fewer nodes and links are involved in it. Therefore, it is necessary to consider selecting a good filter to delete the spurious link but not too many to eliminate the connection in the network. The relationship between the number of nodes and the number of links in the first network has the same pattern, although the community in the second network has a different pattern. This pattern is dependent on the link structure and its weight in each community, where the three communities in the first network have a similar structure.

5.4. Infection Characteristics and Ratemaking

Let us consider three communities in the first network and six communities in the second network. In each community, we build a weight matrix and use the functions in Equation (8) to show the upper bounds of the infection probability using Theorem 1 and premium simulation using Algorithm 3 for all nodes. As an adjustment, the weight is divided by 365 to obtain the average number of communications per day. Furthermore, β u v for u , v = 1 , 2 , , N is applied using a positive sigmoid function. Consider ( β , δ β , δ v , ε v ) = ( 0.02 , 0.01 , 0.05 , 1 ) , for v = 1 , 2 , , N ; this parameter is chosen based on the assumption that the average time taken for one node to infect its neighbours via the link is between 50 and 100 days and n s = 1000 . The average time taken until one node becomes infected with self infection is 20 days. The average repair time is one day. β and δ β are the maximum and minimum infection rates for all nodes.
Moreover, consider the risk profile in Figure 6; assume that the w v parameter for computer unit wealth is 2000; and follow a red profile pattern where most of the losses occur between 0 and 1000 with parameters a = 2 , b = 5 , and c = 0.7 . Suppose the parameter value for the linear cost function ( α , α 1 , α 2 ) equals ( 0.01 , 5 × 10 6 , 2 × 10 5 ) . To demonstrate the significance of the results, we consider several conditions. These conditions are:
  • Full network without GMA (without community detection and filtering).
  • With GMA (using community detection and filtering). In this case, the percentages of the filter are 0% (no filter), 5%, 10%, 15%, and 20%. We set the maximum percentage to 20% to avoid too many links not being considered in the simulation, which would lead to underestimation.
The three conditions were carried out at homogeneous ( ε -SIS) and heterogeneous infection rates (IH-SIS). Homogeneous cases used an infection rate of 0.02. Figure 13 and Figure 14 show the upper bound of stationary infection probabilities and the premiums of nodes for cases without and with GMA. Additionally, Figure 15 and Figure 16 depict the total premium and covered nodes in each scenario. These four figures can help explain some of the impacts on the upper bound, premium, and total premium.

5.4.1. Filter Selection and Community Detection Effects

We discuss the effect of selecting a percentage of tvhet on communities in the first and second networks. Based on Figure 12, the number of nodes and links for each filter percentage is significantly reduced. The stationary probability given by Equation (20) can be used to approximate rates or premiums. We consider five filter percentages—namely, 0%, 5%, 10%, 15%, and 20%. Theorem 1 and Proposition 5 are used to obtain the effect of the filtering process on the upper bound of the stationary infection probability.
Figure 13, Figure 14 and Figure 15 show the results of the filtering process for the upper bound, the premium estimation, and the total premium for the first and second network. The findings for the upper bound of the infection probabilities using Theorem 1 follow the same pattern as the results of the premium simulation. As a result, this upper bound of infection probabilities can be used to approximate the premium. In the first network, all the results showed significant decreases in the upper bound, the premium, and the total premium. These results indicate that although the first network density is high, many nodes were not actively communicating. Conversely, the drop in upper bound, premium and total premium for each filter percentage is not statistically significant in the second network, with an extremely low density. By selecting this risk, we can provide more realistic premiums or rates. The first network is more than three times denser (3678 links) than the second network (1126 links). The filter’s effect on the upper bound, premium and total premium in a low-density network is not very visible.
Both networks produce intriguing results when a 0% filter is used (no filter). The premium is calculated in this situation just by identifying the community. The modularity of the first network is 0.666, while the modularity of the second network is 0.210. As a result, the first network produces extremely comparable results for the full network (no community detection and no filter). Meanwhile, the second network delivers a significant reduction. This is because networks with low modularity eliminate a large number of connections between communities. Thus, community detection is recommended for networks with high modularity (more than 0.6). Figure 16 shows the percentage reduction achieved against no filter (filter 0%) and nodes covered for every case. The decrease in premium occurred due to a decrease in the number of covered nodes. On the 20% filter, only 128 (first network) and 120 (second network) are covered. The decrease in premium was faster than the decrease in covered nodes. The selection of a large filter can lead to underestimation. However, our approach could identify risk and allow policyholders to adjust the number of nodes covered (% filter) based on their capacity to pay premiums.

5.4.2. Different Infection Rate and Communication Effects

We compare the model used by Xu and Hua (2019)—namely, ε -SIS and the model with different link infection rates: HG-SIS. Figure 4 shows the difference between the two models. Considering Figure 13, Figure 14 and Figure 15, the results obtained for the upper bound, premium, and total premium with heterogeneous infection rates give lower premiums than homogeneous ones. As with the scenario that included filtering, the heterogeneous infection rate was more significant in the high-density network (first network) than in the low-density network (second network). According to Figure 16, the heterogeneous infection rate lowered the total premium by 35.6% in the first network and 22.77% in the second network without filtering (0% filter).
Xu and Hua (2019) and Antonio and Indratno (2021) obtained results showing that the insurance premiums they produce are greatly influenced by the degree of the node. Thus, the weight factor or communication frequency is not considered in this model. To illustrate the importance of these findings, we plot the relationship between the total communication weight of neighbours and the premiums provided by the model with homogeneous and heterogeneous infection rates. Figure 17 shows the results obtained for the first network, while Figure 18 shows the results obtained for the second network. In the first network, both full and unfiltered scenarios with homogenous infection rates demonstrate a lack of connection between communication weights and premiums, where correlation coefficients of ρ = 0.057 and ρ = 0.021 with p-values > 0.05. The relationship is seen in the 5–20% filter with the results ρ > 0.5 and p-value < 0.05. However, this relationship seems to be affected only by degrees because u w u v is also the sum of the degree. All cases demonstrated significant findings for the first network with heterogeneous infection rates, with a ρ > 0.9 and a p-value < 0.05.
The premiums of the second network effectively lead to the same conclusion. For homogenous infection rates, the premium demonstrates no relationship between the premiums and communication weights ( ρ < 0.3 ) in any of the cases. Meanwhile, the premium based on heterogeneous infection rates produced significant results in all cases with ρ > 5.9 , although the results were lower than the first network. Therefore, the model developed has some highly appealing outcomes. The heterogeneous model could handle risk based on the intensity of contact or communication in the network.

5.4.3. GMA Effects on Microlevel

At the micro-level (node level), we compare the premium or rate obtained without GMA (full and homogenous) to the premium or rate obtained with GMA (community detection, filtering, and heterogeneous infection rate) for fifteen selected nodes. To display the most comprehensive comparison, we chose to use the 20% filter. Table 7 represents the premium calculation simulation results without GMA and with GMA for the 15 selected nodes.
In the first network without GMA, it appears that each node has a mean infection in the interval 63–68, with a principal value of 49 degrees. The premiums show almost the same results of approximately 25 in one currency unit. At node 2 (N2) in the first network (see Table 7A), GMA succeeded in reducing the premium estimate to 6.827 currency units with a 20% filter. Using this method, the premium for Node 2 is diminished by 73.6% compared to the premium without GMA. The previous procedure was conducted in uniform network conditions. GMA considers active communications to acquire risk groups to offer lower prices. The effect of rate adjustment is seen at node 2 (N2). N2 has four neighbours (degree is equal to 4), and the premium is 6.827. Meanwhile, node 142 (N142), with 24 degrees, has a premium of 6.795. Thus, the degree is no longer an influential factor affecting premiums.
In Table 7B, the second network was constructed from random networks. Thus, the degree of each node is different. Although the degrees are different, the premium calculation performed without GMA shows that the 15 nodes are between 21 and 27. The degree effect was also seen in the non-GMA results, where nodes with high degrees had more mean infections. For cases without GMA, node 24 (N24) had a mean infection of 27.150 and a premium of 10.526 in currency units with 23 degrees. The premium obtained for N23 was successfully reduced by 37.9% using GMA.
This result also supports the previous outcome (Figure 13, Figure 14, Figure 15 and Figure 16), showing that the first network achieved a considerable reduction in the total premium or total loss. These results show that by using a 20% filter, the contraction that occurred reached 70% or more. Filter selection is highly dependent on network density. For dense networks, a 20% filter is too high. However, in low-density networks, the 20% filter yields reasonable improvements. The results of the second network also improve the total premiums. Thus, this method has the potential to be developed and evaluated as a method for adjusting cyber insurance premiums using a network structure to obtain premiums or rates that are genuinely appropriate (not overpriced).

6. Conclusions

We propose the use of a GMA for CIRM in this study. CIRM performed using GMA has three stages. In stage 1, a network is built with communication weight. In stage 2, community detection and filtering are carried out as the essence of GMA. Stage 3 simulates the premium or rate. The experiments were carried out using two types of networks: a hybrid network and a random network with 150 nodes. The proportion of filters applied during the filtering operation substantially affects the premium or rate outcomes. According to the premium calculation, network density substantially affects the filter’s efficiency and the heterogeneous infection rate. Low-density networks tend to produce fewer improvements and vice versa. Community detection is advised if the network’s modularity is sufficiently strong (more than 0.6).
Comparisons of the ε -SIS and HG-SIS models show very significant levels of premium reduction. This result is more visible in the network with a high density (first network) than in the second network. The relationship between the communication weights and premiums shows that the proposed model successfully accommodates the communication factor. The correlation between the premium obtained using a heterogeneous infection rate and the weight of the communication was much higher than that obtained for the premium with a homogeneous infection rate. The experimental comparison of the total loss and premium for the first and second networks shows that the GMA results are lower than those obtained without GMA. Consequently, GMA can be developed and evaluated to reduce insurance rates based on the characteristics of communication networks.
This study is still limited to two network characteristics—namely, communication weight and network density. In the future, other network characteristics should be explored. Additionally, this approach disregards the importance of cybersecurity expertise and internal threats posed by employees. Macro-level models, such as those suggested by Xu and Hua (2019) must also consider these variables. Network analyses such as centrality measure degrees, random-walk betweenness, shortest-path betweenness, and farness (Christley et al. 2005) can be considered for the identification of high-risk nodes in future studies. The average degree is also a network size that greatly affects the epidemic thresholds (Kim et al. 2021). In large networks, simulations face complex computational time problems. We suggest using the SIS process simulation approach with the Gillespie Algorithm (Indratno and Antonio 2019; Kiss et al. 2017), which is one of the cornerstones of analysing dynamical processes in complex networks in future studies. Individual-level epidemic models or other agent-based models that can explain the process of computer virus infection still require exploration.

Author Contributions

Conceptualization, Y.A. and S.W.I.; methodology, S.W.I.; software, Y.A.; validation, Y.A., S.W.I., and R.S.; formal analysis, Y.A., S.W.I., and R.S.; investigation, Y.A.; resources, Y.A. and S.W.I.; data curation, Y.A.; writing—original draft preparation, Y.A.; writing—review and editing, S.W.I. and R.S.; visualization, Y.A.; supervision, S.W.I. and R.S.; project administration, S.W.I.; funding acquisition, S.W.I. and R.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research was partially funded by the Directorate of Research and Community Services of the Ministry of Research and Technology/National Agency for Research and Innovation of the Republic of Indonesia under PMDSU research grant number 2/E1/KP.PTNBH/2020 and was supported by the University Center of Excellence on Artificial Intelligence for Vision, Natural Language Processing & Big Data Analytics (U-CoE AI-VLB), Institut Teknologi Bandung.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data sharing not applicable to this article as no datasets were generated or analysed during the current study.

Acknowledgments

We thank the Institute for Research and Community Services of Institut Teknologi Bandung for their support and direction. YA gratefully thank the Directorate General of Higher Education of the Ministry of Education and Culture of the Republic of Indonesia for their full financial support via the PMDSU scholarship.

Conflicts of Interest

The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analysis, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations

The following abbreviations are used in this manuscript:
CIRMCyber Insurance Ratemaking
GMAGraph Mining Approach
HG-SISHeterogeneous Generalized Susceptible-Infectious-Susceptible

Appendix A. Proof of Proposition 4

Function in Equation (8) was chosen because we want β u v to be at an interval that depends on β and δ β .
  • The first and second derivatives for β u v = f ( w u v ) are:
    f ( w u v ) = ( β δ β ) e x p ( k ( w u v w ¯ ) ) k 1 + e x p ( k ( w u v w ¯ ) ) 2 f ( w u v ) = 2 ( β δ β ) k 2 e x p ( k ( w u v w ¯ ) ) 2 ( 1 + e x p ( k ( w u v w ¯ ) ) ) 3 ( β δ β ) k 2 e x p ( k ( w u v w ¯ ) ) ( 1 + e x p ( k ( w u v w ¯ ) ) ) 2
    By substituting β u v , we obtain:
    f ( w u v ) = k ( β u v δ β ) e x p ( k ( w u v w ¯ ) ) 1 + e x p ( k ( w u v w ¯ ) ) = k ( β u v δ β ) 1 1 1 + e x p ( k ( w u v w ¯ ) ) = k ( β u v δ β ) 1 β u v δ β β δ β
    Since k > 0 , the function reaches its maximum or minimum value when f ( w u v ) = 0 . Consider the following equation:
    k ( β u v δ β ) 1 β u v δ β β δ β = 0
    These conditions are met for two cases—namely, β u v δ β = 0 or β u v δ β β δ β = 1 . Thus, the maximum or minimum value that meets the conditions is β u v = δ β or β u v = β . We can use the second derivative test for local extremes to determine the maximum and minimum values. For β u v = β or β u v = δ β , f ( w ) is 0. Thus, β u v = β and β u v = δ β can be the maximum value or the minimum value. As a result of δ β < β , m a x ( β u v ) = β and m i n ( β u v ) = δ β .
  • For w u v w ¯ :
    lim w u v w ¯ β u v = lim w u v w ¯ β δ β 1 + e x p ( k ( w u v w ¯ ) ) + δ β = β δ β 1 + e x p ( 0 ) + δ β = β + δ β 2
  • For w u v :
    lim w u v β u v = lim w u v β δ β 1 + e x p ( k ( w u v w ¯ ) ) + δ β = β δ β 1 + e x p ( ) + δ β = β
  • Consider w u v 0 :
    lim w u v 0 β u v = lim w u v 0 β δ β 1 + e x p ( k ( w u v w ¯ ) ) + δ β = β δ β 1 + e x p ( k w ¯ ) + δ β
    Since k > 0 and w ¯ 0 , then e k w ¯ , such that: lim w u v 0 β u v = δ β

Appendix B. Proof of Theorem 1

Considering Equation (13) for h 0 , we can obtain the dynamic of expectation in this equation:
d E [ I v ( t ) ] d t = j = 1 N β v j E [ I j ( t ) ] j = 1 N β v j E [ I j ( t ) I v ( t ) ] ( δ v + ε v ) E [ I v ( t ) ] + ε v .
Using the result in Equation (19) (Cator and Van Mieghem 2014):
d E [ I v ( t ) ] d t j = 1 N β v j E [ I j ( t ) ] j = 1 N β v j E [ I j ( t ) ] E [ I v ( t ) ] ( δ v + ε v ) E [ I v ( t ) ] + ε v
which is equal to:
d p v ( t ) d t j = 1 N β v j p j ( t ) j = 1 N β v j p j ( t ) p v ( t ) ( ε v + δ v ) p v ( t ) + ε v
Let B = [ β u v ] for u , v = 1 , 2 , , N . The result of two-state continuous Markov chain is p v ( t ) ε v δ v + ε v (Xu and Hua 2019), and Equation (A3) can be written in the following matrix form:
d p ( t ) d t B p ( t ) d i a g ( p v ( t ) ) B p ( t ) d i a g ( ε v + δ v ) p ( t ) + ε
B p ( t ) d i a g ε v δ v + ε v B p ( t ) d i a g ( ε v + δ v ) p ( t ) + ε
= I d i a g ε v δ v + ε v B d i a g ( ε v + δ v ) p ( t ) + ε
where p ( t ) = ( p 1 ( t ) , p 2 ( t ) , , p N ( t ) ) dan ε = ( ε 1 , ε 2 , , ε N ) . Suppose
Q ¯ = d i a g δ v δ v + ε v B d i a g ( ε v + δ v )
We consider that the equation for the upper bound for dynamic infection probability is:
p * ( t ) = Q ¯ p ( t ) + ε
That equation is a non-homogeneous system of differential equations with order 1 in matrix form. Using integrating factor u ( t ) = e Q ¯ d t , the solution is given by:
p * ( t ) = e Q ¯ t C + 0 t e Q ¯ s ε d s
= e Q ¯ t C + 0 t e Q ¯ ( t s ) d s ε
= e Q ¯ t C + Q ¯ 1 [ e Q ¯ t I ] ε
Assume that at t = 0 the infection probability is equal to p * ( 0 ) . Finally, the solution of the upper bound for infection probability is p * ( t ) = e Q ¯ t p * ( 0 ) + Q ¯ 1 [ e Q ¯ t I ] ε . Since, Q ¯ = k = 0 Q k ¯ t k k ! = k = 1 Q k ¯ t k k ! + I , we obtain:
p * ( t ) = e Q ¯ t p * ( 0 ) + Q ¯ 1 k = 1 Q ¯ k t k k ! ε .

Appendix C. Proof of Proposition 5

Clearly, p v holds when d p v ( t ) d t = 0 . Using simple algebraic manipulation in Equation (18) for d p v ( t ) d t = 0 , the proposition is proven.

References

  1. Almutairi, Suzan, Saoucene Mahfoudh, Sultan Almutairi, and Jalal S. Alowibdi. 2020. Hybrid Botnet Detection Based on Host and Network Analysis. Journal of Computer Networks and Communications 2020: 1–16. [Google Scholar] [CrossRef]
  2. Antonio, Yeftanus, and Sapto Wahyu Indratno. 2021. Cyber Insurance Rate Making Based on Markov Model for Regular Networks Topology. Journal of Physics: Conference Series 1752: 012002. [Google Scholar] [CrossRef]
  3. Antonio, Yeftanus, Sapto Wahyu Indratno, and Suhadi Wido Saputro. 2021. Pricing of cyber insurance premiums using a Markov-based dynamic model with clustering structure. PLoS ONE 16: e0258867. [Google Scholar] [CrossRef] [PubMed]
  4. Biener, Christian, Martin Eling, and Jan Hendrik Wirfs. 2015. Insurability of cyber risk: An empirical analysis. Geneva Papers on Risk and Insurance: Issues and Practice 40: 131–158. [Google Scholar] [CrossRef] [Green Version]
  5. Blondel, Vincent D., Jean-Loup Guillaume, Renaud Lambiotte, and Etienne Lefebvre. 2008. Fast unfolding of communities in large networks. Journal of Statistical Mechanics: Theory and Experiment 2008: P10008. [Google Scholar] [CrossRef] [Green Version]
  6. Bodin, Lawrence D., Lawrence A. Gordon, Martin P. Loeb, and Aluna Wang. 2018. Cybersecurity insurance and risk-sharing. Journal of Accounting and Public Policy 37: 527–44. [Google Scholar] [CrossRef]
  7. Boettcher, Stefan, and Allon G. Percus. 2001a. Extremal optimization for graph partitioning. Physical Review E 64: 026114. [Google Scholar] [CrossRef] [Green Version]
  8. Boettcher, Stefan, and Allon G. Percus. 2001b. Optimization with Extremal Dynamics. Physical Review Letters 86: 5211–14. [Google Scholar] [CrossRef] [Green Version]
  9. Böhme, Rainer, and Gaurav Kataria. 2006. On the limits of cyber-insurance. In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Berlin/Heidelberg: Springer. [Google Scholar] [CrossRef]
  10. Bohme, Rainer, and Galina Schwartz. 2010. Modeling Cyber-Insurance: Towards A Unifying Framework. Paper presented at 9th Workshop on the Economics of Information Security (WEIS 2010), Cambridge, MA, USA, June 7–8. [Google Scholar]
  11. Boobalan, M. Parimala, Daphne Lopez, and Xiaozhi Gao. 2016. Graph clustering using k-Neighbourhood Attribute Structural similarity. Applied Soft Computing Journal 47: 216–23. [Google Scholar] [CrossRef]
  12. Camillo, Mark. 2017. Cyber risk and the changing role of insurance. Journal of Cyber Policy 2: 53–63. [Google Scholar]
  13. Cator, Eric, and Piet Van Mieghem. 2014. Nodal infection in Markovian susceptible-infected-susceptible and susceptible-infected-removed epidemics on networks are non-negatively correlated. Physical Review E—Statistical, Nonlinear, and Soft Matter Physics 89: 052802. [Google Scholar] [CrossRef] [Green Version]
  14. Chang, Yi-Chun, Kuan-Ting Lai, Seng-Cho T. Chou, and Ming-Syan Chen. 2017. Mining the Networks of Telecommunication Fraud Groups using Social Network Analysis. Paper presented at 2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2017—ASONAM’17, Sydney, Australia, July 31–August 3; New York: ACM Press, pp. 1128–31. [Google Scholar] [CrossRef]
  15. Chen, Mingming, Konstantin Kuzmin, and Boleslaw K. Szymanski. 2014. Community Detection via Maximization of Modularity and Its Variants. IEEE Transactions on Computational Social Systems 1: 46–65. [Google Scholar] [CrossRef] [Green Version]
  16. Chou, Wushow. 1975. Computer communication networks. Paper presented at National Computer and Exposition on—AFIPS ’75, Anaheim, CA, USA, May 19–22; New York: ACM Press, p. 119. [Google Scholar]
  17. Christley, R. M., G. L. Pinchbeck, R. G. Bowers, D. Clancy, N. P. French, R. Bennett, and J. Turner. 2005. Infection in Social Networks: Using Network Analysis to Identify High-Risk Individuals. American Journal of Epidemiology 162: 1024–31. [Google Scholar] [CrossRef] [PubMed]
  18. Clauset, Aaron, Mark E. J. Newman, and Cristopher Moore. 2004. Finding community structure in very large networks. Physical Review E 70: 066111. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  19. Danon, Leon, Albert Díaz-Guilera, and Alex Arenas. 2006. The effect of size heterogeneity on community identification in complex networks. Journal of Statistical Mechanics: Theory and Experiment 2006: P11010. [Google Scholar] [CrossRef] [Green Version]
  20. Dekking, Frederik Michel, Cornelis Kraaikamp, Hendrik Paul Lopuhaä, and Ludolf Erwin Meester. 2005. A Modern Introduction to Probability and Statistics. Springer Texts in Statistics. London: Springer. [Google Scholar] [CrossRef]
  21. Diestel, Reinhard. 2017. Graph Theory. In Graduate Texts in Mathematics. Berlin/Heidelberg: Springer, vol. 173. [Google Scholar] [CrossRef]
  22. Eling, Martin, and Jan Hendrik Wirfs. 2015. Modelling and Management of Cyber Risk. International Actuarial Association. Available online: http://www.actuaries.org/oslo2015/presentations/IAALS-Wirfs&Eling-P.pdf (accessed on 10 July 2021).
  23. Fahrenwaldt, Matthias A., Stefan Weber, and Kerstin Weske. 2018. Pricing of cyber insurance contracts in a network model. ASTIN Bulletin 48: 1175–218. [Google Scholar] [CrossRef] [Green Version]
  24. Herath, Hemantha S. B., and Tejaswini C. Herath. 2011. Copula-Based Actuarial Model for Pricing Cyber-Insurance Policies. Insurance Markets and Companies: Analyses and Actuarial Computations 2: 7–20. [Google Scholar]
  25. Hua, Lei, and Maochao Xu. 2020. Pricing cyber insurance for a large-scale network. arXiv arXiv:2007.00454. [Google Scholar]
  26. Indratno, Sapto Wahyu, and Yeftanus Antonio. 2019. A Gillespie Algorithm and Upper Bound of Infection Mean on Finite Network. In Communications in Computer and Information Science. Singapore: Springer. [Google Scholar] [CrossRef]
  27. Javed, Muhammad Aqib, Muhammad Shahzad Younis, Siddique Latif, Junaid Qadir, and Adeel Baig. 2018. Community detection in networks: A multidisciplinary review. Journal of Network and Computer Applications 108: 87–111. [Google Scholar] [CrossRef]
  28. Karatas, Arzum, and Serap Sahin. 2018. Application Areas of Community Detection: A Review. Paper presented at 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), Ankara, Turkey, December 3–4; pp. 65–70. [Google Scholar] [CrossRef]
  29. Kermack, William Ogilvy, and Anderson Gray McKendrick. 1991. Contributions to the mathematical theory of epidemics—I. Bulletin of Mathematical Biology 53: 33–55. [Google Scholar] [CrossRef]
  30. Kim, Hyea Kyeong, Jae Kyeong Kim, and Qiu Yi Chen. 2012. A product network analysis for extending the market basket analysis. Expert Systems with Applications 39: 7403–10. [Google Scholar] [CrossRef]
  31. Kim, Kiseong, Sunyong Yoo, Sangyeon Lee, Doheon Lee, and Kwang-Hyung Lee. 2021. Network Analysis to Identify the Risk of Epidemic Spreading. Applied Sciences 11: 2997. [Google Scholar] [CrossRef]
  32. Kiss, István Z., Joel C. Miller, and Péter L. Simon. 2017. Mathematics of Epidemics on Networks. In Interdisciplinary Applied Mathematics. Cham: Springer International Publishing, vol. 46. [Google Scholar] [CrossRef]
  33. Marotta, Angelica, Fabio Martinelli, Stefano Nanni, Albina Orlando, and Artsiom Yautsiukhin. 2017. Cyber-Insurance Survey. Computer Science Review 24: 35–61. [Google Scholar] [CrossRef]
  34. Michael, J. McNamara, and George E. Rejda. 2017. Principles of Risk Management and Insurance [ebook]. Available online: https://www.pearson.com/store/p/principles-of-risk-management-and-insurance/P100002652088/9780135641293 (accessed on 2 May 2020).
  35. Miller, Scott L., and Donald Childers. 2012. Probability and Random Processes. Amsterdam: Elsevier. [Google Scholar] [CrossRef]
  36. Mukhopadhyay, Arunabha, Samir Chatterjee, Debashis Saha, Ambuj Mahanti, and Samir K. Sadhukhan. 2013. Cyber-risk decision models: To insure IT or not? Decision Support Systems 56: 11–26. [Google Scholar] [CrossRef]
  37. Newman, Mark E. J. 2004. Analysis of weighted networks. Physical Review E 70: 056131. [Google Scholar] [CrossRef] [Green Version]
  38. Newman, Mark E. J. 2006. Finding community structure in networks using the eigenvectors of matrices. Physical Review E 74: 036104. [Google Scholar] [CrossRef] [Green Version]
  39. Newman, Mark E. J., and Michelle Girvan. 2004. Finding and evaluating community structure in networks. Physical Review E 69: 026113. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  40. Nguyen, Nam P., Thang N. Dinh, Yilin Shen, and My T. Thai. 2014. Dynamic Social Community Detection and Its Applications. PLoS ONE 9: e91431. [Google Scholar] [CrossRef] [PubMed]
  41. Ottaviano, Stefania, Francesco De Pellegrini, Stefano Bonaccorsi, and Piet Van Mieghem. 2018. Optimal curing policy for epidemic spreading over a community network with heterogeneous population. Journal of Complex Networks 6: 800–29. [Google Scholar] [CrossRef]
  42. Ottaviano, Stefania, Francesco De Pellegrini, Stefano Bonaccorsi, Delio Mugnolo, and Piet Van Mieghem. 2019. Community Networks with Equitable Partitions. In Multilevel Strategic Interaction Game Models for Complex Networks. Cham: Springer. [Google Scholar] [CrossRef]
  43. Parodi, Pietro. 2014. Pricing in General Insurance. New York: Chapman and Hall/CRC. [Google Scholar] [CrossRef]
  44. Pimenta Rodrigues, Gabriel, Robson de Oliveira Albuquerque, Flávio Gomes de Deus, Rafael de Sousa Jr., Gildásio de Oliveira Júnior, Luis García Villalba, and Tai-Hoon Kim. 2017. Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection. Applied Sciences 7: 1082. [Google Scholar] [CrossRef] [Green Version]
  45. Raeder, Troy, and Nitesh V. Chawla. 2011. Market basket analysis with networks. Social Network Analysis and Mining 1: 97–113. [Google Scholar] [CrossRef]
  46. Remy, Cazabet, Baccour Rym, and Latapy Matthieu. 2018. Tracking Bitcoin Users Activity Using Community Detection on a Network of Weak Signals. Cham: Springer, pp. 166–77. [Google Scholar] [CrossRef] [Green Version]
  47. Ross, Sheldon. 2019. Introduction to Probability Models. Los Angeles: Elsevier. [Google Scholar] [CrossRef]
  48. Tse, Yiu Kuen. 2009. Nonlife Actuarial Models: Theory, Methods and Evaluation. New York: Cambridge University Press. [Google Scholar] [CrossRef]
  49. van der Hofstad, Remco. 2016. Random Graphs and Complex Networks. Cambridge: Cambridge University Press. [Google Scholar] [CrossRef] [Green Version]
  50. Van Mieghem, Piet. 2014. Performance Analysis of Complex Networks and Systems. Cambridge: Cambridge University Press. [Google Scholar] [CrossRef] [Green Version]
  51. Van Mieghem, Piet, and Eric Cator. 2012. Epidemics in networks with nodal self-infection and the epidemic threshold. Physical Review E 86: 016116. [Google Scholar] [CrossRef] [Green Version]
  52. Van Mieghem, Piet, Jasmina Omic, and Robert Kooij. 2009. Virus Spread in Networks. IEEE/ACM Transactions on Networking 17: 1–14. [Google Scholar] [CrossRef]
  53. Videla-Cavieres, Ivan F., and Sebastián A. Ríos. 2014. Extending market basket analysis with graph mining techniques: A real case. Expert Systems with Applications 41: 1928–36. [Google Scholar] [CrossRef]
  54. Wang, Lidong, and Randy Jones. 2020. Big Data Analytics in Cyber Security: Network Traffic and Attacks. Journal of Computer Information Systems 61: 410–17. [Google Scholar] [CrossRef]
  55. Wang, Shanfeng, Maoguo Gong, Wenfeng Liu, and Yue Wu. 2020. Preventing epidemic spreading in networks by community detection and memetic algorithm. Applied Soft Computing 89: 106118. [Google Scholar] [CrossRef]
  56. World Economic Forum. 2020. WEF—The Global Risks Report 2020. Geneva: World Economic Forum, Technical Report. [Google Scholar]
  57. Xu, Maochao, and Lei Hua. 2019. Cybersecurity Insurance: Modeling and Pricing. North American Actuarial Journal 23: 220–49. [Google Scholar] [CrossRef]
  58. Zhang, Xinhua, Novi Quadrianto, Kristian Kersting, Zhao Xu, Yaakov Engel, Claude Sammut, Mark Reid, Bin Liu, Geoffrey I. Webb, Claude Sammut, and et al. 2011. Graph Mining. In Encyclopedia of Machine Learning. Boston: Springer, pp. 469–71. [Google Scholar] [CrossRef]
Figure 1. Graph mining approach (GMA) used for cyber insurance ratemaking (CIRM).
Figure 1. Graph mining approach (GMA) used for cyber insurance ratemaking (CIRM).
Risks 09 00224 g001
Figure 2. An analogy based on a co-product purchases network used in market basket analysis to generate a communication network in the node-based model.
Figure 2. An analogy based on a co-product purchases network used in market basket analysis to generate a communication network in the node-based model.
Risks 09 00224 g002
Figure 3. Effect of c and n on the number of communications in the network during a day. (a) Change in c for a given n. (b) Change in n for a given c.
Figure 3. Effect of c and n on the number of communications in the network during a day. (a) Change in c for a given n. (b) Change in n for a given c.
Risks 09 00224 g003
Figure 4. Illustration for the difference in the SIS model, ε -SIS model, heterogeneous SIS model, and HG-SIS model in the node-level framework. (a) SIS model. (b) ε -SIS model. (c) Heterogeneous SIS model. (d) HG-SIS model.
Figure 4. Illustration for the difference in the SIS model, ε -SIS model, heterogeneous SIS model, and HG-SIS model in the node-level framework. (a) SIS model. (b) ε -SIS model. (c) Heterogeneous SIS model. (d) HG-SIS model.
Risks 09 00224 g004
Figure 5. Transformation function for β u v in the range [ δ β , β ] using communication weight w u v .
Figure 5. Transformation function for β u v in the range [ δ β , β ] using communication weight w u v .
Risks 09 00224 g005
Figure 6. Profile of losses caused by infection following a generalized beta distribution for the given parameters.
Figure 6. Profile of losses caused by infection following a generalized beta distribution for the given parameters.
Risks 09 00224 g006
Figure 7. Topological structure of the first and second company. (a) Network of the first company. (b) Network of the second company.
Figure 7. Topological structure of the first and second company. (a) Network of the first company. (b) Network of the second company.
Risks 09 00224 g007
Figure 8. Distribution of the number of communications for a 1-year contract follows a Poisson distribution with λ c = 400 and λ n = 20 according to a node-based model. (a) Distribution in the first network. (b) Distribution in the second network.
Figure 8. Distribution of the number of communications for a 1-year contract follows a Poisson distribution with λ c = 400 and λ n = 20 according to a node-based model. (a) Distribution in the first network. (b) Distribution in the second network.
Risks 09 00224 g008
Figure 9. Distributions of the number of communication for one year contract usiang a link-based model.
Figure 9. Distributions of the number of communication for one year contract usiang a link-based model.
Risks 09 00224 g009
Figure 10. Community detection of the weighted network for the first and the second company using the Louvain algorithm.
Figure 10. Community detection of the weighted network for the first and the second company using the Louvain algorithm.
Risks 09 00224 g010
Figure 11. Subgraphs or subnetworks of the first and second networks.
Figure 11. Subgraphs or subnetworks of the first and second networks.
Risks 09 00224 g011aRisks 09 00224 g011b
Figure 12. Effect of filtering on the number of nodes and edges for each community in the first and second network.
Figure 12. Effect of filtering on the number of nodes and edges for each community in the first and second network.
Risks 09 00224 g012
Figure 13. Stationary infection probabilities of nodes based on filters and infection rates in the first and second network. There are two cases for homogeneous and heterogeneous infection rates: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%).
Figure 13. Stationary infection probabilities of nodes based on filters and infection rates in the first and second network. There are two cases for homogeneous and heterogeneous infection rates: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%).
Risks 09 00224 g013
Figure 14. Premiums of nodes based on filters and infection rates in the first and second network. There are two cases for homogeneous and heterogeneous infection rates: (1) without GMA (Full) and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%).
Figure 14. Premiums of nodes based on filters and infection rates in the first and second network. There are two cases for homogeneous and heterogeneous infection rates: (1) without GMA (Full) and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%).
Risks 09 00224 g014
Figure 15. Comparison of homogeneous total premium and heterogeneous total premium in the first and second network for two cases: (1) without GMA (Full) and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%.
Figure 15. Comparison of homogeneous total premium and heterogeneous total premium in the first and second network for two cases: (1) without GMA (Full) and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%.
Risks 09 00224 g015
Figure 16. Comparison of homogeneous total premium ( Risks 09 00224 i004), heterogeneous total premium ( Risks 09 00224 i005) and covered nodes ( Risks 09 00224 i006) in the first and second network for two cases: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%.
Figure 16. Comparison of homogeneous total premium ( Risks 09 00224 i004), heterogeneous total premium ( Risks 09 00224 i005) and covered nodes ( Risks 09 00224 i006) in the first and second network for two cases: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15% and 20%.
Risks 09 00224 g016
Figure 17. Relationship between the total weight of the neighbors and their premium (homogeneous and heterogeneous) for two cases: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15%, and 20% in the first network. ρ is the Pearson correlation coefficient and p is the probability value.
Figure 17. Relationship between the total weight of the neighbors and their premium (homogeneous and heterogeneous) for two cases: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15%, and 20% in the first network. ρ is the Pearson correlation coefficient and p is the probability value.
Risks 09 00224 g017
Figure 18. Relationship between the total weight of neighbors and their premium (homogeneous and heterogeneous) for two cases: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15%, and 20% in the second network. ρ is the Pearson correlation coefficient and p is the probability value.
Figure 18. Relationship between the total weight of neighbors and their premium (homogeneous and heterogeneous) for two cases: (1) without GMA (Full), and (2) with GMA (using filter 0% (No Filter), 5%, 10%, 15%, and 20% in the second network. ρ is the Pearson correlation coefficient and p is the probability value.
Risks 09 00224 g018
Table 1. Comparison of the CIRM model. The-state-of-the-art of our proposed model, total loss, model input, and loss type.
Table 1. Comparison of the CIRM model. The-state-of-the-art of our proposed model, total loss, model input, and loss type.
ReferenceModelTotal LossInputLoss Type
Böhme and Kataria (2006)Beta-binomial and one-factor latent modelInternal failure correlationCyberattack dataLoss function of stopping operation
Herath and Herath (2011)Copula based modelIntegrated copula-based simulationThe number of infected computers and their total loss.First party damage due to a breach
Mukhopadhyay et al. (2013)Collective risk modelCopula-aided Bayesian belief network (CBBN)Twenty indicator variables (loss, system update, etc.)General cybersecurity breaches
Eling and Wirfs (2015)Extreme value theoryValue-at-Risk (VaR) dan Tail Value-at-Risk (TVaR)Operational risk data of ICT assetsInternal and external errors of systems and humans
Fahrenwaldt et al. (2018)Stochastic process (SIS model)Marked point process and mean field aggregateNetwork topology, infection and recovery rate, initial infectionsLosses due to infections
Xu and Hua (2019)Stochastic processes. Markov ( ε -SIS model), non-Markov, and CopulaMonte Carlo simulation of infection and recovery processNetwork topology, infection, recovery, and self-infection rateLosses due to infection and losses due to service downtime
Hua and Xu (2020)Stochastic process/non-Markov (Copula)Monte Carlo simulation of infection and recovery processThe number of nodes and links, scale-free index, etc.Losses due to service interruptions and losses related to computer repair costs
Antonio et al. (2021) (this paper)Stochastic process/Markov (HG-SIS)Monte Carlo simulation of infection and recovery processNetwork topology, communication weight, and spreading parametersLosses due to infection and losses due to service downtime
Table 2. Comparison of CIRM networks. The-state-of-the-art of our proposed network, risk selection, and communication effect.
Table 2. Comparison of CIRM networks. The-state-of-the-art of our proposed network, risk selection, and communication effect.
ReferenceNetworkWeighted/ UnwightedRisk SelectionCommunication Effect
Böhme and Kataria (2006)NoneNoneNoneAverage arrival traffic per attack
Herath and Herath (2011)NoneNoneNoneNone
Mukhopadhyay et al. (2013)NoneNoneNoneNone
Eling and Wirfs (2015)NoneNoneNoneNone
Fahrenwaldt et al. (2018)Homogeneus, clustered, and star-shapedUnweightedNoneNone
Xu and Hua (2019)Small network (10 nodes) and large real email networkUnweightedNoneNone
Hua and Xu (2020)Large-scale network or scale-free networkUnweightedNoneNone
Antonio et al. (2021) (this paper)Hybrid and random network (150 nodes)WeightedGraph mining approachThe frequency of communications
Table 3. Distribution of Z k .
Table 3. Distribution of Z k .
No.DistributionParameter p l = P ( Z k = l )
1Poisson λ e λ λ l l !
2Binomial m , a n d   p m l p l ( 1 p ) m l
3Negative Binomial r , ρ ¯ l + r 1 l ρ ¯ l ( 1 ρ ¯ ) r
Table 4. Descriptive statistics for the weight of both networks according to the node-based model.
Table 4. Descriptive statistics for the weight of both networks according to the node-based model.
Networkn LinksMeanSDMedianMinMax95th Perc.
First36782547.332162.832009.5011,1546787
Second11262447.792352.231742710,7737635.8
Table 5. Descriptive statistics for the weight of both networks created using a link-based model.
Table 5. Descriptive statistics for the weight of both networks created using a link-based model.
Desc. Stat.Pois. 1stPois. 2ndBin. 1stBin. 2ndNbin. 1stNbin. 2nd
Mean7300.757303.287301.787299.87298.267299.78
SD5904.146178.825883.685961.655974.056218.04
Median5922.557275897.557995798.55622
Min122832
Max32,93132,53931,02033,97232,62932,290
95th perc.19,310.819,68119,001.819,00019,407.620,258
Table 6. Threshlods for each community of the first and second networks.
Table 6. Threshlods for each community of the first and second networks.
Thresholds
NetworkCommunitytthettfhettvhet
First1 (orange)10,483.6710,1449928
2 (cyan)10,757.6710,543.2510,413.4
3 (green)10,082.3310,055.259964.0
Second1 (orange)8565.6785208460.4
2 (cyan)946289168532.6
3 (green)9808.6792638714
4 (yellow)9747.3392948903
5 (blue)8453.338120.757786.4
6 (red)7192.6767496473.6
Table 7. Premiums and rates for the 15 selected nodes without GMA and with GMA with a 20% filter.
Table 7. Premiums and rates for the 15 selected nodes without GMA and with GMA with a 20% filter.
Without GMA (Full-Homogeneous)With GMA with 20% Filter (Heterogeneous)
NodeDegreeMeanPremiumExposureRateDegreeMeanPremiumsExposureRate
Panel A: The First Network
N24965.9425.33453.9320.47417.6326.8279.1230.748
N94963.7824.619134.3280.1832918.737.164114.0690.063
N124967.1225.617141.9490.182919.6167.636120.6920.063
N334964.6224.49463.8160.3841117.5236.76626.3680.257
N504966.3225.10579.670.3152017.4086.75252.9290.128
N515164.4223.937251.8160.0954125.7599.889235.850.042
N784964.9424.8239.1460.1044025.9159.971225.7960.044
N794966.825.49215.6630.1184024.2589.283203.8090.046
N894965.1624.29677.4540.3141217.2566.61430.6480.216
N1004967.0826.5660.9160.436417.3756.78.8550.757
N1404967.1225.449157.990.1613420.6997.938144.6560.055
N1424967.6825.93487.4130.2972417.5586.79564.5260.105
N1434965.6624.268.0760.3551417.4456.86333.3040.206
N1444966.5425.7583.5110.3082317.5286.76559.7240.113
N1454967.725.698184.60.1393622.6558.697173.270.05
Panel B: The Second Network
N21122.3108.62791.1070.095318.4707.30518.2800.400
N31624.3309.37958.1540.161618.6637.21739.8210.181
N211925.3309.83745.0690.218717.2706.60412.0120.550
N221021.1808.11034.1070.238517.4526.79115.2280.446
N231523.9509.36124.6430.380417.3306.53423.7720.275
N242327.15010.52670.3570.150617.9566.9417.7670.894
N371423.0008.75737.5100.233417.6706.74417.0730.395
N38821.4908.32723.5730.353217.9206.92117.0730.395
N632526.56010.02417.5090.573517.6296.8635.5201.254
N711925.0409.49016.5720.573617.5226.76110.9290.619
N971924.9009.60844.8240.214718.0636.9309.8810.701
N115921.8708.30157.2220.145818.4506.9405.3891.288
N1161322.9309.07630.2110.300417.3666.7193.5461.895
N1262326.63010.33724.6920.419517.7426.8696.9510.988
N1271323.6609.18046.6400.197517.7496.86819.7430.348
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Antonio, Y.; Indratno, S.W.; Simanjuntak, R. Cyber Insurance Ratemaking: A Graph Mining Approach. Risks 2021, 9, 224. https://doi.org/10.3390/risks9120224

AMA Style

Antonio Y, Indratno SW, Simanjuntak R. Cyber Insurance Ratemaking: A Graph Mining Approach. Risks. 2021; 9(12):224. https://doi.org/10.3390/risks9120224

Chicago/Turabian Style

Antonio, Yeftanus, Sapto Wahyu Indratno, and Rinovia Simanjuntak. 2021. "Cyber Insurance Ratemaking: A Graph Mining Approach" Risks 9, no. 12: 224. https://doi.org/10.3390/risks9120224

APA Style

Antonio, Y., Indratno, S. W., & Simanjuntak, R. (2021). Cyber Insurance Ratemaking: A Graph Mining Approach. Risks, 9(12), 224. https://doi.org/10.3390/risks9120224

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop