Third ACM Conference on Data and Application Security and Privacy, February 20, 2013, San Antonio, TX, USA. Insured Access: An ...

Insured Access: An Approach to Ad-hoc Information Sharing for Virtual Organizations

Presented at the third ACM Conference on Data and Application Security and Privacy (CODASPY '13) on February 20, 2013 in San Antonio, TX, USA

  1. Third ACM Conference on Data and Application Security and Privacy, February 20, 2013, San Antonio, TX, USA. Insured Access: An Approach to Ad-hoc Information Sharing for Virtual Organizations. Naoki Tanaka†,‡,∗, Marianne Winslett†,∗, Adam J. Lee◦, David K. Y. Yau⋄,∗, Feng Bao‡. † Department of Computer Science, University of Illinois at Urbana-Champaign; ‡ Cryptography & Security Department, Institute for Infocomm Research; ∗ Advanced Digital Sciences Center; ◦ Department of Computer Science, University of Pittsburgh; ⋄ Department of Computer Science, Purdue University.
  2. This presentation proposes insurance-based ad-hoc information sharing scheme. Insured Access. Pricing and Purchase Decisions. Simulation Results. [Figure: average of capitals for consumer1 to consumer10 versus the insurer's risk aversion index alpha.]
  3. Traditional access control grants access for original purposes. Bob: Information Consumer. Alice: Information Producer. Information: Map of USA. Alice prepared a map of USA for Bob. Bob has access to the map of USA.
  4. Traditional access control grants access for original purposes. Alice: Information Producer. Carol: Information Consumer. Information: Map of Singapore. Alice prepared a map of Singapore for Carol. Carol has access to the map of Singapore.
  5. Can traditional access control deal with ad-hoc information access? Bob: Information Consumer. Alice: Information Producer. Carol: Information Consumer. Bob: "Hey Alice, I came up with a good idea to use the map of Singapore!" Information: Map of Singapore. Alice prepared a map of Singapore for Carol.
  6. Access rights are assigned according to the original purpose of information. Bob: Information Consumer. Alice: Information Producer. Carol: Information Consumer. Alice: "Sorry Bob, but I cannot release it. (I don't want to be blamed later…)" Information: Map of Singapore. Alice prepared a map of Singapore for Carol. Information access for other purposes is denied.
  7. Traditional authorization methods are inflexible. Bob: Information Consumer. Alice: Information Producer. Carol: Information Consumer. Traditional methods try to eliminate risk. We need a more flexible method to consider benefits while bounding risk.
  8. Risk-based access control tries to mitigate problems. MITRE JASON report proposed a risk-based access control approach. Use risk tokens to purchase access rights (risk tokens exchanged for information). 1 token = one-day, soft-copy-only access to one document by the average Secret-cleared individual. Price = expected value of damages due to the access. Total amount of allocated tokens < tolerable risk.
  9. Current risk-based access control has its own problems. Use risk tokens to purchase access rights (risk tokens exchanged for information). Cannot control the worst-case aggregate damages. Doesn't distinguish between good and bad risk-takers.
  10. Insured access encourages information sharing. Innis: Insurer. Bob: Information Consumer. Alice: Information Producer. Exchanged items: insurance policy, information.
  11. Insured access encourages information sharing. Step 1: Request policy.
  12. Insured access encourages information sharing. Step 2: Quote price or deny access. Use premium principles.
  13. Insured access encourages information sharing. Step 3: Pay premium. Decide considering benefits & costs.
  14. Insured access encourages information sharing. Step 4: Receive policy.
  15. Insured access encourages information sharing. Step 5: Request access, show policy.
  16. Insured access encourages information sharing. Step 6: Provide access. No reason to deny because producers won't lose anything.
  17. Insured access encourages information sharing. Step 7: File claim against policy.
  18. Insured access encourages information sharing. Step 8: Pay claim. Producers get reimbursed for the exact amount.
  19. Insurer calculates premium (policy price) using premium principle. Innis (Insurer): risk distribution → premium (policy price) → insurance policy. Risk distribution represents the total amount of claims.
  20. Principle of Equivalent Utility is the most widely adopted approach. Principle of Equivalent Utility. u_I: insurer's utility function. w_I: insurer's current capital. P: premium (policy price). X: random variable representing the total amount of claims. Insurer is equally happy whether or not the policy is issued (indifferent).
  21. Exponential Principle is derived when exponential utility function is used. When exponential utility function is used… [annotation: risk aversion index]. Exponential Principle. π: premium principle. X: random variable representing the total amount of claims. m_X(α): moment generating function of X around α. Exponential Principle is widely used because of its favorable properties.
  22. Consumers consider both benefits and costs of accessing information. Consumers purchase policies only when the following inequality is met. u: consumer's utility function. w: consumer's current capital. P: premium (policy price). Y: random variable representing the consumer's expected additional value (revenue). Traditional actuarial methods don't consider this kind of tradeoff.
  23. We can derive the maximum premium the consumer is willing to pay. When exponential utility function is used… P+: maximum premium (policy price) the consumer is willing to pay. m_Y(α_c): moment generating function of Y around α_c. Y: random variable representing the consumer's expected additional value (revenue). α_c: consumer's risk aversion index. If the quoted price is less than P+, the consumer buys the policy and accesses information.
  24. Bonus-malus system rewards good risk-takers and punishes bad ones. Dutch system. New insureds enter at step 2. Bad risk-takers: many claims, incur penalty. Good risk-takers: no claims, enjoy discount.
  25. Discrete event simulations model a map sharing scenario. 10 consumers, 10 producers. Sensitivity is reflected in parameters of risk (claim size) distributions.
  26. Discrete event simulations model a map sharing scenario. 10 consumers, 10 producers. Each insured access is independent. Arrival of requests is modeled by a separate Poisson process for each consumer. Inter-arrival time follows exponential distribution. A consumer chooses a producer uniformly at random from the producers it has not purchased previously.
  27. Discrete event simulations model a map sharing scenario. 10 consumers, 10 producers. For each purchased policy: 1 claim arrival & 1 benefit arrival. Arrival time follows exponential distribution. Risk (claim size) & benefit follow Normal distribution.
  28. More risk averse insurer results in smaller capitals because of smaller # of transactions. Varied the insurer's risk aversion index α, and examined how α affects capitals at the end of simulations. Each principal has $10 as its initial capital. [Figure: average of capitals for the insurer and for all consumers versus the insurer's risk aversion index alpha.] Large α → small # of transactions → small capitals.
  29. With BM, consumers who make smaller number of claims have larger capitals. Consumer IDs 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 have probability of causing claims 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1 respectively. [Figure: two panels, "Without Bonus-Malus" and "With Bonus-Malus", each showing average of capitals for consumer1 to consumer10 versus the insurer's risk aversion index alpha.] Steps are updated every 5 time periods. Good risk-takers (small # of claims) → large capitals.
  30. We need to estimate distributions to realize Insured Access. Step 1: Request policy. Step 2: Quote price or deny access. Step 3: Pay premium. Step 4: Receive policy. Step 5: Request access, show policy. Step 6: Provide access. Step 7: File claim against policy. Step 8: Pay claim. Can we estimate distributions?
  31. This presentation proposed Insured Access and evaluated its effectiveness through simulations. Proposed Insured Access that considers benefits while bounding risk. Showed how to calculate premium and how consumers decide to buy policies. Simulation results confirmed the effectiveness of Insured Access. [Figure: average of capitals for consumer1 to consumer10 versus the insurer's risk aversion index alpha.] Questions? Email: tanaka5@illinois.edu. Twitter: @naokitnk.
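
The quote-and-decide exchange of slides 19 to 23 (and the effect of the insurer's risk aversion noted on slide 28), as an added example that is not code from the presentation or the paper. The slide formulas did not survive extraction, so the closed forms used here are the standard exponential-principle expressions for Normally distributed claims and benefits, taken as an assumption; all function names and parameter values are constructed for illustration.

```python
import math
import random

def premium_normal(mu, sigma, alpha):
    """Exponential principle (1/alpha) * ln m_X(alpha) for X ~ Normal(mu, sigma^2)."""
    return mu + alpha * sigma ** 2 / 2.0

def max_premium_normal(mu_y, sigma_y, alpha_c):
    """Assumed form of P+: -(1/alpha_c) * ln m_Y(-alpha_c) for Y ~ Normal."""
    return mu_y - alpha_c * sigma_y ** 2 / 2.0

def premium_from_samples(claims, alpha):
    """Same principle with the MGF estimated from observed claim sizes."""
    peak = max(alpha * x for x in claims)  # log-sum-exp keeps exp() in range
    mean_exp = sum(math.exp(alpha * x - peak) for x in claims) / len(claims)
    return (peak + math.log(mean_exp)) / alpha

def decide(quote, p_plus):
    """Consumer side of steps 2-3: pay only if the quote is below P+."""
    return "buy" if quote < p_plus else "decline"

def sweep(alphas, claim=(1.0, 0.5), benefit=(1.6, 0.4), alpha_c=1.0):
    """Quote one policy at several insurer risk aversion indexes.

    claim and benefit are (mean, std dev) pairs; the values are constructed.
    """
    p_plus = max_premium_normal(benefit[0], benefit[1], alpha_c)
    rows = []
    for alpha in alphas:
        quote = premium_normal(claim[0], claim[1], alpha)
        rows.append((alpha, quote, decide(quote, p_plus)))
    return rows

if __name__ == "__main__":
    for alpha, quote, outcome in sweep([0.5, 2.0, 4.0, 8.0]):
        print(f"alpha={alpha:4.1f}  quote={quote:.4f}  consumer: {outcome}")
    # Constructed claim history standing in for an estimated risk distribution.
    rng = random.Random(7)
    history = [rng.gauss(1.0, 0.5) for _ in range(50_000)]
    print("quote from samples at alpha=2:",
          round(premium_from_samples(history, 2.0), 3))
```

A more risk averse insurer loads the premium by alpha * sigma^2 / 2, so past some alpha the quote exceeds P+ and the transaction does not happen.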
