
Insured Access: An Approach to Ad-hoc Information Sharing for Virtual Organizations

Third ACM Conference on Data and Application Security and Privacy
February 20, 2013, San Antonio, TX, USA





Presented at the third ACM Conference on Data and Application Security and Privacy (CODASPY '13) on February 20, 2013 in San Antonio, TX, USA


  1. Third ACM Conference on Data and Application Security and Privacy, February 20, 2013, San Antonio, TX, USA
     Insured Access: An Approach to Ad-hoc Information Sharing for Virtual Organizations
     Naoki Tanaka†,‡,∗, Marianne Winslett†,∗, Adam J. Lee◦, David K. Y. Yau⋄,∗, Feng Bao‡
     † Department of Computer Science, University of Illinois at Urbana-Champaign
     ‡ Cryptography & Security Department, Institute for Infocomm Research
     ∗ Advanced Digital Sciences Center
     ◦ Department of Computer Science, University of Pittsburgh
     ⋄ Department of Computer Science, Purdue University
  2. This presentation proposes insurance-based ad-hoc information sharing scheme
     Insured Access
     Pricing and Purchase Decisions
     Simulation Results
     [Figure: Average of Capitals vs. Insurer’s Risk Aversion Index alpha, consumer1 to consumer10]
  3. Traditional access control grants access for original purposes
     [Diagram: Bob (Information Consumer), Alice (Information Producer), Information: Map of USA]
     Alice prepared a map of USA for Bob
     Bob has access to the map of USA
  4. Traditional access control grants access for original purposes
     [Diagram: Alice (Information Producer), Carol (Information Consumer), Information: Map of Singapore]
     Alice prepared a map of Singapore for Carol
     Carol has access to the map of Singapore
  5. Can traditional access control deal with ad-hoc information access?
     [Diagram: Bob (Information Consumer), Alice (Information Producer), Carol (Information Consumer), Information: Map of Singapore]
     Bob: "Hey Alice, I came up with a good idea to use the map of Singapore!"
     Alice prepared a map of Singapore for Carol
  6. Access rights are assigned according to the original purpose of information
     [Diagram: Bob (Information Consumer), Alice (Information Producer), Carol (Information Consumer), Information: Map of Singapore]
     Alice: "Sorry Bob, but I cannot release it. (I don’t want to be blamed later…)"
     Alice prepared a map of Singapore for Carol
     Information access for other purposes is denied
  7. Traditional authorization methods are inflexible
     [Diagram: Bob (Information Consumer), Alice (Information Producer), Carol (Information Consumer)]
     Traditional methods try to eliminate risk
     We need a more flexible method to consider benefits while bounding risk
  8. Risk-based access control tries to mitigate problems
     MITRE JASON report proposed a risk-based access control approach
     Use risk tokens to purchase access rights
     1 token = one-day, soft-copy-only access to one document by the average Secret-cleared individual
     Price = expected value of damages due to the access
     Total amount of allocated tokens < tolerable risk
  9. Current risk-based access control has its own problems
     Use risk tokens to purchase access rights
     Cannot control the worst-case aggregate damages
     Doesn’t distinguish between good and bad risk-takers
  10. Insured access encourages information sharing
      [Diagram: Innis (Insurer), Bob (Information Consumer), Alice (Information Producer), Insurance policy, Information]
  11. Insured access encourages information sharing
      1. Request policy
  12. Insured access encourages information sharing
      2. Quote price or deny access
      Use premium principles
  13. Insured access encourages information sharing
      3. Pay premium
      Decide considering benefits & costs
  14. Insured access encourages information sharing
      4. Receive policy
  15. Insured access encourages information sharing
      5. Request access, show policy
  16. Insured access encourages information sharing
      6. Provide access
      No reason to deny because producers won’t lose anything
  17. Insured access encourages information sharing
      7. File claim against policy
  18. Insured access encourages information sharing
      8. Pay claim
      Producers get reimbursed for the exact amount
  19. Insurer calculates premium (policy price) using premium principle
      [Diagram: Innis (Insurer), Risk distribution, Premium (Policy price), Insurance policy]
      Risk distribution represents the total amount of claims
  20. Principle of Equivalent Utility is the most widely adopted approach
      Principle of Equivalent Utility
      uI: insurer’s utility function
      wI: insurer’s current capital
      P: premium (policy price)
      X: random variable representing the total amount of claims
      Insurer is equally happy whether or not the policy is issued (indifferent)
  21. Exponential Principle is derived when exponential utility function is used
      When exponential utility function risk aversion index is used…
      Exponential Principle
      π: premium principle
      X: random variable representing the total amount of claims
      mX(α): moment generating function of X around α
      Exponential Principle is widely used because of its favorable properties
  22. Consumers consider both benefits and costs of accessing information
      Consumers purchase policies only when the following inequality is met
      u: consumer’s utility function
      w: consumer’s current capital
      P: premium (policy price)
      Y: random variable representing the consumer’s expected additional value (revenue)
      Traditional actuarial methods don’t consider this kind of tradeoff
  23. We can derive the maximum premium the consumer is willing to pay
      When exponential utility function is used…
      P+: maximum premium (policy price) the consumer is willing to pay
      mY(αc): moment generating function of Y around αc
      Y: random variable representing the consumer’s expected additional value (revenue)
      αc: consumer’s risk aversion index
      If the quoted price is less than P+, the consumer buys the policy and accesses information
  24. Bonus-malus system rewards good risk-takers and punishes bad ones
      Dutch system: New insureds enter at step 2
      Bad risk-takers: Many claims, Incur penalty
      Good risk-takers: No claims, Enjoy discount
  25. Discrete event simulations model a map sharing scenario
      10 consumers, 10 producers
      Sensitivity is reflected in parameters of risk (claim size) distributions
  26. Discrete event simulations model a map sharing scenario
      10 consumers, 10 producers
      Each insured access is independent
      Arrival of requests is modeled by a separate Poisson process for each consumer
      Inter-arrival time follows exponential distribution
      A consumer chooses a producer uniformly at random from the producers it has not purchased previously
  27. Discrete event simulations model a map sharing scenario
      10 consumers, 10 producers
      For each purchased policy: 1 claim arrival & 1 benefit arrival
      Arrival time follows exponential distribution
      Risk (claim size) & Benefit follow Normal Distribution
  28. More risk averse insurer results in smaller capitals because of smaller # of transactions
      Varied the insurer’s risk aversion index α, and examined how α affects capitals at the end of simulations
      Each principal has $10 as its initial capital
      [Figure: Average of Capitals (insurer; consumers all) vs. Insurer’s Risk Aversion Index alpha]
      Large α → Small # of transactions → Small capitals
  29. With BM, consumers who make smaller number of claims have larger capitals
      Consumer ID:                    1    2    3    4    5    6    7    8    9    10
      Probability of causing claims:  0.1  0.2  0.3  0.4  0.5  0.6  0.7  0.8  0.9  1
      [Figure, two panels: Without Bonus-Malus; With Bonus-Malus. Average of Capitals vs. Insurer’s Risk Aversion Index alpha, consumer1 to consumer10]
      Steps are updated every 5 time periods
      Good risk-takers (small # of claims) → Large capitals
  30. We need to estimate distributions to realize Insured Access
      1. Request policy
      2. Quote price or deny access
      3. Pay premium
      4. Receive policy
      5. Request access, show policy
      6. Provide access
      7. File claim against policy
      8. Pay claim
      Can we estimate distributions?
  31. This presentation proposed Insured Access and evaluated its effectiveness through simulations
      Proposed Insured Access that considers benefits while bounding risk
      Showed how to calculate premium and how consumers decide to buy policies
      Simulation results confirmed the effectiveness of Insured Access
      [Figure: Average of Capitals vs. Insurer’s Risk Aversion Index alpha, consumer1 to consumer10]
      Questions? Email: tanaka5@illinois.edu Twitter: @naokitnk
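
The pricing and purchase decision of slides 19 to 23, as an added example that is not from the presentation. The slide formulas did not survive in this transcript, so the code assumes the standard textbook forms: the exponential principle π[X] = (1/α) ln m_X(α) for the insurer, and the indifference price under exponential utility for the consumer, with Normal claim and benefit sizes as in slide 27. All parameter values and function names are constructed for illustration.

```python
import math

def normal_log_mgf(mu, sigma, t):
    """ln E[exp(t*Z)] for Z ~ N(mu, sigma^2); kept in log form to avoid overflow."""
    return mu * t + 0.5 * (sigma * t) ** 2

def insurer_quote(claim_mu, claim_sigma, alpha):
    """Exponential principle (assumed textbook form): (1/alpha) * ln m_X(alpha)."""
    if alpha <= 0:
        raise ValueError("insurer's risk aversion index must be positive")
    return normal_log_mgf(claim_mu, claim_sigma, alpha) / alpha

def consumer_max_premium(benefit_mu, benefit_sigma, alpha_c):
    """P+ solving u(w) = E[u(w - P + Y)] for u(x) = -exp(-alpha_c * x) (assumed).

    The capital w cancels, leaving P+ = -(1/alpha_c) * ln E[exp(-alpha_c * Y)].
    """
    if alpha_c <= 0:
        raise ValueError("consumer's risk aversion index must be positive")
    return -normal_log_mgf(benefit_mu, benefit_sigma, -alpha_c) / alpha_c

def request_policy(claim, benefit, alpha, alpha_c):
    """Steps 1 to 3 of the protocol: quote, compare with P+, buy or walk away."""
    quote = insurer_quote(*claim, alpha)
    p_plus = consumer_max_premium(*benefit, alpha_c)
    return {"quote": quote, "p_plus": p_plus, "buys": quote < p_plus}

# Constructed parameters (not from the slides): (mean, std dev) in dollars.
CLAIM = (1.0, 0.5)     # damage the producer may claim for this map
BENEFIT = (3.0, 1.0)   # extra revenue the consumer expects from access
ALPHA_C = 0.5          # consumer's risk aversion index

def sweep(alphas):
    """Purchase decision for each value of the insurer's risk aversion index."""
    return [(a, request_policy(CLAIM, BENEFIT, a, ALPHA_C)) for a in alphas]

if __name__ == "__main__":
    for a, r in sweep([1, 5, 10, 20, 50]):
        print(f"alpha={a:>3}  quote={r['quote']:.3f}  "
              f"P+={r['p_plus']:.3f}  buys={r['buys']}")
```

With these constructed values the quote rises with α while P+ stays fixed, so the purchase stops once the insurer is risk averse enough, which is the "Large α → Small # of transactions" effect of slide 28.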
