Cyber insurance and time-to-compromise: An integrated approach

Fast-growing numbers of technologies and devices make cyber security landscape more complicated and require more accurate models. This complexity challenges cyber security experts to devise a better solution to manage cyber risks. One of the promising methods is to find the best distribution of security expenditure for risk mitigation and transfer (i.e. cyber insurance) options. In this work, we propose a solution to find the optimal security investments when there is a cyber insurance option by applying a time-to-compromise metric to the probability of attack computation. In particular, we find the best set of countermeasures which decreases the maximum number of vulnerabilities to increase the required time to compromise a system. Our approach is based on a multiple-objective knapsack problem for the selection of countermeasures and we find the best distribution of security expenditure by computing the time-to-compromise metric which eventually defines the probability of attack.