Techniques for Parametric Cybersecurity Insurance

Jan 01, 2018

Cybersecurity insurance is an interesting field. I’ve been thinking about this space for the past few years and wanted to share some of the things I’ve come up with.

  1. Bug bounties versus insurance: bug bounties go one way, insurance goes the other way.
  2. Bug bounties and red teams
  3. Some problems with bug bounties
  4. So, how do you automatically detect a cyber-breach?
  5. Here’s what’s interesting about cyber-risk: you can prove that you could compromise something without actually compromising it.
  6. The answer is that for some attacks: yes, you can.
  7. The biggest issue is that it’s really hard to monetize cybersecurity risk.
  8. So, how do we monetize it?
  9. Existing payments: you can make bigger or you can make them easier. It generally takes a while before you get paid from a bug bounty program, and even then, there’s an incentive to say that something isn’t actually a bug.
  10. So, what’s a middle ground that an attacker can use to prove that they’ve found a compromise without actually compromising the service?
  11. This is where cyber-risk is unique: I can prove that I’ve compromised something (i.e do something that requires the same access level) in a way that does not actually cause business discontinuity. ****

Cyberattacks and how to verify them

Let’s say Alice can compromise Bob’s DNS. Here’s what they do:

  1. Bob publishes their key. key.bob.com -> getting that returns their public key.
  2. Alice finds a vulnerability.
  3. Old way: they submit a disclosure report and spend a while waiting to hear back.
  4. New way: Bob publishes

How do I show that I can compromise something without actually compromising it? Let’s say that attacker Alice wants to compromise Bob’s DNS server. Today, Alice If this is something you find exciting, reach out. I’d love to chat.