Uploaded byecommerce
PPT, PDF384 views

Ecommerce(2)

The document discusses quantifying the risks of an e-commerce website for an insurance company. It describes modeling different risk scenarios like hardware failures, software issues, hacking or denial of service attacks. The modeling was done using stochastic testing and Monte Carlo simulations to estimate potential losses. This allowed the company to better understand the risks and pricing of insuring an e-commerce site.

Embed presentation

Downloaded 44 times
Quantifying e-Commerce Risk David Fishbaum, FSA Chuck McClenahan, FCAS MMC ENTERPRISE RISK CAS Seminar on Ratemaking - March, 2001
The Problem You’re the risk manager of a financial institution with a new web site Your insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000 with low limits Your not exactly sure what the risks of the web site are What to do?
Background The financial institution provides community banks with a product portfolio of ancillary products such as: investments (mutual funds and stock trading) insurance other banking services You provide web sites for these community banks for investments, insurance and lending
What are the risks? Failure of the web site problems with the surroundings, power failure, fire or flooding failure of the hardware failure of the software attack through virus or computer hacker
Resultant damages are also varied Delay in performing a service Loss of brand value due to unreliability of service or transmission of computer virus loss of value through failure to deliver for example, an uncompleted stock trade
Background: E-commerce insurance coverage There is an intensive application the problem is that you can’t figure out how complex or risky a web site you are running A system audit is part of the insurance coverage there is a bias to find fault
How do you insure the high P/E ratio Its 1999 and the price/earnings ratio of the e-commerce function seems to have broken down The unspoken issue is how do you insure the value lost if something happens to the web site? Not sure this is an issue today
Why bring in Actuaries? Looking for someone to quantify the risk We brought a multidisciplinary team of actuaries, economists and policy expert The actuaries provided the quantification and modeling skill sets
Methodology Model the web site Stochastic testing Scenario testing
Model MMC ER developed a computer program to model the economic performance of the e-commerce infrastructure Used company’s performance statistics Used a Monte Carlo simulation to produce expected revenue and branding values Based on this quantification, valued the potential losses of a series of scenarios
Application Server/Firewall/Proxy Layer ISP Provider In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, data base performance etc were considered. Flow of Information and quantification of failure probabilities
Assumptions Visits per week Usage over the week Revenue Customer value Application acceptance Downtime
Results-Base Case
The Scenarios Denial of service Physical damage to hardware location New virus brings down complete system Malicious employee Threats/extortion Theft of credit card numbers
The Scenarios Attack causes a degradation of performance or loss of service to web site Not covered under current coverage Modeling assumption: site down for 3 hours Income loss/Customer value loss Denial of service
The Scenarios Location of where hardware is kept is disabled Covered under current insurance Modeling assumption: site down for 10 days Income loss/Customer value loss Client bank’s lost revenue Physical damage to hardware location
The Scenarios Not covered under current coverage Model assumption: system down for 2 days Income loss/Customer loss New virus brings down complete system
The Scenarios Destruction of important data or programs Cost of recovery process covered under current coverage Not modeled Theft of policyholder info or other intangible property Not covered under current coverage Malicious Employee
The Scenarios Threat to commit a computer crime or to use information gained from a computer crime in exchange for money, personal gain or to embarrass the company Would be covered under current kidnap and ransom policies Threats/extortion
The Scenarios CD universe and Salesgate (e-mall) No credit card numbers are stored Theft of credit card numbers
Results of analysis Biggest risk business interruption Third party loss is minimal at this time though in time the Internet will affect its client relationship
Conclusions Better quantification of risks Better able to make a purchase decision Other risk management decisions What isn’t at risk is also important
Postscript The website is still in operation Strategy has been proven successful
e-Commerce Risk Bruce Schneier - Secrets and Lies (Wiley Computer Publishing, 2000) “ The insurance industry does this kind of thing all the time; it’s how they calculate premiums. They figure out the annual loss expectancy for a given risk, tack on some extra for their operational costs plus some profit and use the result”
e-Commerce Risk Bruce Schneier - Secrets and Lies (Wiley Computer Publishing, 2000) “ Of course there’s going to be a lot of guesswork in any of these; the particular risks we’re talking about are just too new and too poorly understood to be better quantized (sic).”
e-Commerce Risk Pricing e-Commerce Risk Determine Strategy Identify the Risks Collect Available Data Develop Model Price According to Strategy
e-Commerce Risk Determine Strategy “Guess and Confess” Loss Leader Self-Supporting Franklin Approach
e-Commerce Risk Determine Strategy - “Guess and Confess” Insurer uses best available judgment (usually discovered deep in the bowels of the marketing department) as to the proper rate Alternatively, rely on advice of career agents
e-Commerce Risk Determine Strategy - Loss Leader Aptly named, this strategy is based upon the assumption that the best way to develop experience and expertise is to write a lot of exposure
e-Commerce Risk Determine Strategy - Self-Supporting Goal is to cover losses and expenses, including start-up expenses, over some reasonable period of time. This is a radical strategy and has rarely been adopted in the property-casualty industry.
e-Commerce Risk Determine Strategy - Franklin Approach Focuses on loss avoidance Underwrites against “undesirable” hazards, e.g. large user base large asset base high public profile
e-Commerce Risk Identify the Risks We have a good track record here Medical Malpractice Computer Leasing Asbestos and Environmental
e-Commerce Risk How many do you recognize? Daemon Data mining Digital wallet Extranet Luhn formula Smart card Thin client
e-Commerce Risk How many do you recognize? Daemon - a structured background process
e-Commerce Risk How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns
e-Commerce Risk How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID
e-Commerce Risk How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet
e-Commerce Risk How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm
e-Commerce Risk Luhn formula (1) Start with penultimate digit and, moving left, double the value of each alternating digit. If you get a two digit number, add the two digits. (2) Add up all digits. Result must be zero mod 10
e-Commerce Risk Luhn formula 1234 567890 12347 1 4 3 8 5 3 7 7 9 0 1 4 3 8 7 1+4+3+8+5+3+7+7+9+0+1+4+3+8+7=70
e-Commerce Risk How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm Smart card - personal electronic memory card
e-Commerce Risk How many do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm Smart card - personal electronic memory card Thin client - network computer w/o hard drive
e-Commerce Risk Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company “ The court finds that ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality .”
e-Commerce Risk Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company “ Restricting the policy’s language to that proposed by American [i.e.that contained in the policy] would be archaic .”
e-Commerce Risk TD Waterhouse fined $225,000 for repeated outages which left customers unable to trade 11 online brokers reported 88 outages for 1st 9 months 1999 (12th firm reported so many outages it didn’t keep track).
e-Commerce Risk Collect Available Data Exposure base not well-defined Economic costs of losses not disclosed Industry is young and evolving Threat base is also evolving
e-Commerce Risk Collect Available Data Remember, “Lloyd’s List” was started in 1696 but it wasn’t until 75 years later that the Society of Lloyd’s was formed
e-Commerce Risk Develop Model Identify major processes Identify major threats Relate threats to processes Determine (or guess at) parameters
e-Commerce Risk Example - Distributed Denial of Service (DDoS)
e-Commerce Risk “ Attack of the Zombies” - February,2000 Monday, February 7 Yahoo! portal rendered inaccessible for 3 hours Tuesday, February 8 Buy.com 90% inaccessible eBay incapacitated CNN 95% inaccessible Amazon.com slowed to 5 minute access time Wednesday, February 9 ZDNet.com unreachable E*Trade slowed “to a crawl” Excite 60% inaccessible
e-Commerce Risk How DDoS Works Goal is to render system inoperable One attacker controls multiple servers Method: Break into numerous sites, install “attack script” and orchestrate coordinated attack
e-Commerce Risk USER PCs HACKER UNWITTING HOST “ ZOMBIE” OTHER NETWORK COMPUTERS VICTIM’S SERVER
 
 
e-Commerce Risk Price According to Strategy Frequency will vary with Popularity Profile Potential
e-Commerce Risk Price According to Strategy Severity will vary eToys v. E*Trade
e-Commerce Risk “ You gotta be careful if you don’t know where you’re going ‘cause you might not get there. ” - Yogi Berra

More Related Content

PDF
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
byNormShield
 
PDF
Cover and CyberSecurity Essay
byMichael Solomon
 
PDF
InformationSecurity_11141
bysraina2
 
PPT
How really to prepare for a credit card compromise (PCI) forensics investigat...
bySecurity B-Sides
 
PDF
Cyber Risks - Maligec and Eskins
byChristine Maligec, CRM-E, CRIS
 
PDF
Is Cloud the new home for Cyber Criminals? How to be Safe?
byWeb Werks Data Centers
 
PDF
Whitepaper - Application Delivery in PCI DSS Compliant Environments
byJason Dover
 
PDF
Reasons to be secure
byMeg Weber
 
Review on 3rd-party Cyber Risk Assessment and Scoring Tools
byNormShield
 
Cover and CyberSecurity Essay
byMichael Solomon
 
InformationSecurity_11141
bysraina2
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
bySecurity B-Sides
 
Cyber Risks - Maligec and Eskins
byChristine Maligec, CRM-E, CRIS
 
Is Cloud the new home for Cyber Criminals? How to be Safe?
byWeb Werks Data Centers
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
byJason Dover
 
Reasons to be secure
byMeg Weber
 

What's hot

PDF
How to Establish a Cyber Security Readiness Program
byMatt Moneypenny
 
PDF
cybersecurity-in-the-c-suite-a-matt
byYigal Behar
 
PPT
Cyber Insurance Temp
byRohan Sehgal
 
PDF
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
PDF
Before the Breach: Using threat intelligence to stop attackers in their tracks
by- Mark - Fullbright
 
PDF
2016 Finance industry cybersecurity report
byOwen Bartolome
 
PDF
SecurityScorecard_2016_Financial_Report
byAlex Himmelberg
 
PDF
Briefing paper: Third-Party Risks: The cyber dimension
byThe Economist Media Businesses
 
PDF
Cyber liaility insurance the basics
byChandrasekar Koushik ACII®
 
PDF
How close is your organization to being breached | Safe Security
byRahul Tyagi
 
PDF
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
PDF
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
byAccenture Insurance
 
PDF
Top 10 leading fraud detection and prevention solution providers
byMerry D'souza
 
PDF
WhiteHat’s Website Security Statistics Report 2015
byJeremiah Grossman
 
PDF
CyberSecurity Insurance - The Ugly Truth!
bytopseowebmaster
 
PDF
EY - SEC Reporting update - Spotlight on cybersecurity disclosures
byJulien Boucher
 
PPTX
Security Best Practices for Small Business
byValiant Technology
 
PDF
Cybersecurity and The Board
byPaul Melson
 
PPTX
Cyber Liability - Insurance Risk Management and Preparation
byEric Reehl
 
PPTX
The CPAs Guide to Buying Cyber Insurance
byJoseph Brunsman
 
How to Establish a Cyber Security Readiness Program
byMatt Moneypenny
 
cybersecurity-in-the-c-suite-a-matt
byYigal Behar
 
Cyber Insurance Temp
byRohan Sehgal
 
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
by- Mark - Fullbright
 
2016 Finance industry cybersecurity report
byOwen Bartolome
 
SecurityScorecard_2016_Financial_Report
byAlex Himmelberg
 
Briefing paper: Third-Party Risks: The cyber dimension
byThe Economist Media Businesses
 
Cyber liaility insurance the basics
byChandrasekar Koushik ACII®
 
How close is your organization to being breached | Safe Security
byRahul Tyagi
 
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
byPaige Rasid
 
The Digital Multiplier: Five Steps To Digital Success In The Insurance Sector
byAccenture Insurance
 
Top 10 leading fraud detection and prevention solution providers
byMerry D'souza
 
WhiteHat’s Website Security Statistics Report 2015
byJeremiah Grossman
 
CyberSecurity Insurance - The Ugly Truth!
bytopseowebmaster
 
EY - SEC Reporting update - Spotlight on cybersecurity disclosures
byJulien Boucher
 
Security Best Practices for Small Business
byValiant Technology
 
Cybersecurity and The Board
byPaul Melson
 
Cyber Liability - Insurance Risk Management and Preparation
byEric Reehl
 
The CPAs Guide to Buying Cyber Insurance
byJoseph Brunsman
 

Similar to Ecommerce(2)

DOCX
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
bymalbert5
 
DOCX
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
byjoellemurphey
 
PDF
Risk Analysis using open FAIR and Adoption of right Security Controls
byPriyanka Aash
 
PPTX
Risk Management ecommerce
byRaina Zia
 
PDF
Levon Ter-Isahakyan, Agoda. Machine Learning and Culture changes for better F...
byIT Arena
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
PPT
Rm
byansulag19
 
PDF
2015 LOMA Conference - Third party risk management - Session 20
byMarc S. Sokol
 
PPTX
Module 8 - External Crisis – Changing Technology.pptx
bycaniceconsulting
 
PPTX
Managing specialized risk_14
byRione Drevale
 
PPTX
1234567RISK-MANAGEMENT-FOR-SECURITY.pptx
byJOHNLLOYDFERIDO
 
PDF
Reputational Risk
byIBMGovernmentCA
 
PPTX
Cyber Security # Lec 3
byKabul Education University
 
PPTX
Iso27001 Risk Assessment Approach
bytschraider
 
PDF
EIS Amendments CA INTER
byRaj Kumar
 
PDF
Outsourcing
bykarlhennessy
 
PPTX
CRI Retail Cyber Threats
byOCTF Industry Engagement
 
PPT
Software security engineering
byaizazhussain234
 
PPTX
Infomation Technology class Presentation.pptx
byfactical
 
PPTX
Chapter 17 a fraud in e commerce Jen
byVidaB
 
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
bymalbert5
 
Risk and Threat Assessment Report Anthony WolfBSA 5.docx
byjoellemurphey
 
Risk Analysis using open FAIR and Adoption of right Security Controls
byPriyanka Aash
 
Risk Management ecommerce
byRaina Zia
 
Levon Ter-Isahakyan, Agoda. Machine Learning and Culture changes for better F...
byIT Arena
 
MIS: Information Security Management
byJonathan Coleman
 
Rm
byansulag19
 
2015 LOMA Conference - Third party risk management - Session 20
byMarc S. Sokol
 
Module 8 - External Crisis – Changing Technology.pptx
bycaniceconsulting
 
Managing specialized risk_14
byRione Drevale
 
1234567RISK-MANAGEMENT-FOR-SECURITY.pptx
byJOHNLLOYDFERIDO
 
Reputational Risk
byIBMGovernmentCA
 
Cyber Security # Lec 3
byKabul Education University
 
Iso27001 Risk Assessment Approach
bytschraider
 
EIS Amendments CA INTER
byRaj Kumar
 
Outsourcing
bykarlhennessy
 
CRI Retail Cyber Threats
byOCTF Industry Engagement
 
Software security engineering
byaizazhussain234
 
Infomation Technology class Presentation.pptx
byfactical
 
Chapter 17 a fraud in e commerce Jen
byVidaB
 

More from ecommerce

PPT
E Commerce14a(2)
byecommerce
 
PPT
E Com Center Klagenfurt
byecommerce
 
PPT
Maloney Slides
byecommerce
 
PPT
Ecommerce1
byecommerce
 
PPT
Cybercrime
byecommerce
 
PPT
E Commerce14a
byecommerce
 
PPT
B Hkorba
byecommerce
 
PPT
Am Cham Taipei Sept2004
byecommerce
 
PPT
Ecommerce(3)
byecommerce
 
PPT
Nordin Malaysia
byecommerce
 
PPT
B4 Gusmeroli
byecommerce
 
PPT
E Commerce052503
byecommerce
 
PPT
Wsis Alf C7 Unctad
byecommerce
 
PPT
Ecommerce
byecommerce
 
PPT
Documentation Set Up
byecommerce
 
PPT
Ecommerce Overview
byecommerce
 
PPT
Napier
byecommerce
 
PPT
S719a
byecommerce
 
PPT
Mea1
byecommerce
 
E Commerce14a(2)
byecommerce
 
E Com Center Klagenfurt
byecommerce
 
Maloney Slides
byecommerce
 
Ecommerce1
byecommerce
 
Cybercrime
byecommerce
 
E Commerce14a
byecommerce
 
B Hkorba
byecommerce
 
Am Cham Taipei Sept2004
byecommerce
 
Ecommerce(3)
byecommerce
 
Nordin Malaysia
byecommerce
 
B4 Gusmeroli
byecommerce
 
E Commerce052503
byecommerce
 
Wsis Alf C7 Unctad
byecommerce
 
Ecommerce
byecommerce
 
Documentation Set Up
byecommerce
 
Ecommerce Overview
byecommerce
 
Napier
byecommerce
 
S719a
byecommerce
 
Mea1
byecommerce
 

Recently uploaded

PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PDF
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
PDF
Chapter 05 Drugs Acting on the Central Nervous System: Anti-Depressant Drugs
bySandeshSul
 
PPTX
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PPTX
ELIMINATION NEEDS Fundamentals of Nursing .pptx
bySonali Gupta
 
PDF
Tetracycline Class of Antibiotics: SAR, MOA and Uses
bymominzarinamdnajeeb
 
PDF
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
PPTX
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PDF
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PDF
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
PPTX
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
PDF
Pharmaceutical Quality Assurance Unit 1 (BP606T)
byChetan Mali
 
PDF
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PDF
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
Chapter 05 Drugs Acting on the Central Nervous System: Anti-Depressant Drugs
bySandeshSul
 
Problem and Solution (PowerPoint Game Template)
byacpaulite
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
ELIMINATION NEEDS Fundamentals of Nursing .pptx
bySonali Gupta
 
Tetracycline Class of Antibiotics: SAR, MOA and Uses
bymominzarinamdnajeeb
 
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
Pharmaceutical Quality Assurance Unit 1 (BP606T)
byChetan Mali
 
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 

Ecommerce(2)

  • 1.
    Quantifying e-Commerce RiskDavid Fishbaum, FSA Chuck McClenahan, FCAS MMC ENTERPRISE RISK CAS Seminar on Ratemaking - March, 2001
  • 2.
    The Problem You’rethe risk manager of a financial institution with a new web site Your insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000 with low limits Your not exactly sure what the risks of the web site are What to do?
  • 3.
    Background The financialinstitution provides community banks with a product portfolio of ancillary products such as: investments (mutual funds and stock trading) insurance other banking services You provide web sites for these community banks for investments, insurance and lending
  • 4.
    What are therisks? Failure of the web site problems with the surroundings, power failure, fire or flooding failure of the hardware failure of the software attack through virus or computer hacker
  • 5.
    Resultant damages arealso varied Delay in performing a service Loss of brand value due to unreliability of service or transmission of computer virus loss of value through failure to deliver for example, an uncompleted stock trade
  • 6.
    Background: E-commerceinsurance coverage There is an intensive application the problem is that you can’t figure out how complex or risky a web site you are running A system audit is part of the insurance coverage there is a bias to find fault
  • 7.
    How do youinsure the high P/E ratio Its 1999 and the price/earnings ratio of the e-commerce function seems to have broken down The unspoken issue is how do you insure the value lost if something happens to the web site? Not sure this is an issue today
  • 8.
    Why bring inActuaries? Looking for someone to quantify the risk We brought a multidisciplinary team of actuaries, economists and policy expert The actuaries provided the quantification and modeling skill sets
  • 9.
    Methodology Model theweb site Stochastic testing Scenario testing
  • 10.
    Model MMC ERdeveloped a computer program to model the economic performance of the e-commerce infrastructure Used company’s performance statistics Used a Monte Carlo simulation to produce expected revenue and branding values Based on this quantification, valued the potential losses of a series of scenarios
  • 11.
    Application Server/Firewall/Proxy LayerISP Provider In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, data base performance etc were considered. Flow of Information and quantification of failure probabilities
  • 12.
    Assumptions Visits perweek Usage over the week Revenue Customer value Application acceptance Downtime
  • 13.
  • 14.
    The Scenarios Denialof service Physical damage to hardware location New virus brings down complete system Malicious employee Threats/extortion Theft of credit card numbers
  • 15.
    The Scenarios Attackcauses a degradation of performance or loss of service to web site Not covered under current coverage Modeling assumption: site down for 3 hours Income loss/Customer value loss Denial of service
  • 16.
    The Scenarios Locationof where hardware is kept is disabled Covered under current insurance Modeling assumption: site down for 10 days Income loss/Customer value loss Client bank’s lost revenue Physical damage to hardware location
  • 17.
    The Scenarios Notcovered under current coverage Model assumption: system down for 2 days Income loss/Customer loss New virus brings down complete system
  • 18.
    The Scenarios Destructionof important data or programs Cost of recovery process covered under current coverage Not modeled Theft of policyholder info or other intangible property Not covered under current coverage Malicious Employee
  • 19.
    The Scenarios Threatto commit a computer crime or to use information gained from a computer crime in exchange for money, personal gain or to embarrass the company Would be covered under current kidnap and ransom policies Threats/extortion
  • 20.
    The Scenarios CDuniverse and Salesgate (e-mall) No credit card numbers are stored Theft of credit card numbers
  • 21.
    Results of analysisBiggest risk business interruption Third party loss is minimal at this time though in time the Internet will affect its client relationship
  • 22.
    Conclusions Better quantificationof risks Better able to make a purchase decision Other risk management decisions What isn’t at risk is also important
  • 23.
    Postscript The websiteis still in operation Strategy has been proven successful
  • 24.
    e-Commerce Risk BruceSchneier - Secrets and Lies (Wiley Computer Publishing, 2000) “ The insurance industry does this kind of thing all the time; it’s how they calculate premiums. They figure out the annual loss expectancy for a given risk, tack on some extra for their operational costs plus some profit and use the result”
  • 25.
    e-Commerce Risk BruceSchneier - Secrets and Lies (Wiley Computer Publishing, 2000) “ Of course there’s going to be a lot of guesswork in any of these; the particular risks we’re talking about are just too new and too poorly understood to be better quantized (sic).”
  • 26.
    e-Commerce Risk Pricinge-Commerce Risk Determine Strategy Identify the Risks Collect Available Data Develop Model Price According to Strategy
  • 27.
    e-Commerce Risk DetermineStrategy “Guess and Confess” Loss Leader Self-Supporting Franklin Approach
  • 28.
    e-Commerce Risk DetermineStrategy - “Guess and Confess” Insurer uses best available judgment (usually discovered deep in the bowels of the marketing department) as to the proper rate Alternatively, rely on advice of career agents
  • 29.
    e-Commerce Risk DetermineStrategy - Loss Leader Aptly named, this strategy is based upon the assumption that the best way to develop experience and expertise is to write a lot of exposure
  • 30.
    e-Commerce Risk DetermineStrategy - Self-Supporting Goal is to cover losses and expenses, including start-up expenses, over some reasonable period of time. This is a radical strategy and has rarely been adopted in the property-casualty industry.
  • 31.
    e-Commerce Risk DetermineStrategy - Franklin Approach Focuses on loss avoidance Underwrites against “undesirable” hazards, e.g. large user base large asset base high public profile
  • 32.
    e-Commerce Risk Identifythe Risks We have a good track record here Medical Malpractice Computer Leasing Asbestos and Environmental
  • 33.
    e-Commerce Risk Howmany do you recognize? Daemon Data mining Digital wallet Extranet Luhn formula Smart card Thin client
  • 34.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process
  • 35.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns
  • 36.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID
  • 37.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet
  • 38.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm
  • 39.
    e-Commerce Risk Luhnformula (1) Start with penultimate digit and, moving left, double the value of each alternating digit. If you get a two digit number, add the two digits. (2) Add up all digits. Result must be zero mod 10
  • 40.
    e-Commerce Risk Luhnformula 1234 567890 12347 1 4 3 8 5 3 7 7 9 0 1 4 3 8 7 1+4+3+8+5+3+7+7+9+0+1+4+3+8+7=70
  • 41.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm Smart card - personal electronic memory card
  • 42.
    e-Commerce Risk Howmany do you recognize? Daemon - a structured background process Data mining - looking for hidden data patterns Digital wallet - encryption software, user ID Extranet - authorized outsider-available intranet Luhn formula - credit card verifying algorithm Smart card - personal electronic memory card Thin client - network computer w/o hard drive
  • 43.
    e-Commerce Risk IngramMicro Inc. vs. American Guarantee & Liability Insurance Company “ The court finds that ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality .”
  • 44.
    e-Commerce Risk IngramMicro Inc. vs. American Guarantee & Liability Insurance Company “ Restricting the policy’s language to that proposed by American [i.e.that contained in the policy] would be archaic .”
  • 45.
    e-Commerce Risk TDWaterhouse fined $225,000 for repeated outages which left customers unable to trade 11 online brokers reported 88 outages for 1st 9 months 1999 (12th firm reported so many outages it didn’t keep track).
  • 46.
    e-Commerce Risk CollectAvailable Data Exposure base not well-defined Economic costs of losses not disclosed Industry is young and evolving Threat base is also evolving
  • 47.
    e-Commerce Risk CollectAvailable Data Remember, “Lloyd’s List” was started in 1696 but it wasn’t until 75 years later that the Society of Lloyd’s was formed
  • 48.
    e-Commerce Risk DevelopModel Identify major processes Identify major threats Relate threats to processes Determine (or guess at) parameters
  • 49.
    e-Commerce Risk Example- Distributed Denial of Service (DDoS)
  • 50.
    e-Commerce Risk “Attack of the Zombies” - February,2000 Monday, February 7 Yahoo! portal rendered inaccessible for 3 hours Tuesday, February 8 Buy.com 90% inaccessible eBay incapacitated CNN 95% inaccessible Amazon.com slowed to 5 minute access time Wednesday, February 9 ZDNet.com unreachable E*Trade slowed “to a crawl” Excite 60% inaccessible
  • 51.
    e-Commerce Risk HowDDoS Works Goal is to render system inoperable One attacker controls multiple servers Method: Break into numerous sites, install “attack script” and orchestrate coordinated attack
  • 52.
    e-Commerce Risk USERPCs HACKER UNWITTING HOST “ ZOMBIE” OTHER NETWORK COMPUTERS VICTIM’S SERVER
  • 53.
  • 54.
  • 55.
    e-Commerce Risk PriceAccording to Strategy Frequency will vary with Popularity Profile Potential
  • 56.
    e-Commerce Risk PriceAccording to Strategy Severity will vary eToys v. E*Trade
  • 57.
    e-Commerce Risk “You gotta be careful if you don’t know where you’re going ‘cause you might not get there. ” - Yogi Berra