{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T10:30:41Z","timestamp":1777545041575,"version":"3.51.4"},"reference-count":47,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2018,8,7]],"date-time":"2018-08-07T00:00:00Z","timestamp":1533600000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100018830","name":"German Institute for Trust and Safety on the Internet","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100018830","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2018,11,30]]},"abstract":"<jats:p>In a networked system, the risk of security compromises depends not only on each node\u2019s security but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes we should expect to lose, on average, for a given network topology, after certain types of incidents. Meanwhile, the pricing of insurance contracts for risks related to information technology (better known as cyber-insurance) requires determining additional information, for example, the maximum number of nodes we should expect to lose within a 99.5% confidence interval. Previous modeling research in network security has not addressed these types of questions, while research on cyber-insurance pricing for networked systems has not taken into account the network\u2019s topology. 
Our goal is to bridge that gap, by providing a mathematical basis for the assessment of systematic risk in networked systems.<\/jats:p>\n          <jats:p>\n            We define a\n            <jats:italic>loss-number distribution<\/jats:italic>\n            to be a probability distribution on the total number of compromised nodes within a network following the occurrence of a given incident, and we provide a number of modeling results that aim to be useful for cyber-insurers in this context. We prove NP-hardness for the general case of computing the loss-number distribution for an arbitrary network topology but obtain simplified computable formulas for the special cases of star topologies, ER-random topologies, and uniform topologies. We also provide a simulation algorithm that approximates the loss-number distribution for an arbitrary network topology and that appears to converge efficiently for many common classes of topologies.\n          <\/jats:p>\n          <jats:p>Scale-free network topologies have a degree distribution that follows a power law and are commonly found in real-world networks. We provide an example of a scale-free network in which a cyber-insurance pricing mechanism that relies naively on incidence reporting data will fail to accurately predict the true risk level of the entire system. We offer an alternative mechanism that yields an accurate forecast by taking into account the network topology, thus highlighting the lack\/importance of topological data in security incident reporting. 
Our results constitute important steps toward the understanding of systematic risk and help to contribute to the emergence of a viable cyber-insurance market.<\/jats:p>","DOI":"10.1145\/3166069","type":"journal-article","created":{"date-parts":[[2018,8,8]],"date-time":"2018-08-08T19:14:21Z","timestamp":1533755661000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["On the Assessment of Systematic Risk in Networked Systems"],"prefix":"10.1145","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7400-2357","authenticated-orcid":false,"given":"Aron","family":"Laszka","sequence":"first","affiliation":[{"name":"University of Houston, TX, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Benjamin","family":"Johnson","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Garching, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jens","family":"Grossklags","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Garching, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,8,7]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/646645.699044"},{"key":"e_1_2_1_2_1","volume-title":"The Economics of Information Security and Privacy, Rainer B\u00f6hme (Ed.)","author":"Anderson Ross","unstructured":"Ross Anderson, Chris Barton, Rainer B\u00f6hme, Richard Clayton, Michel van Eeten, Michael Levi, Tyler Moore, and Stefan Savage. 2013. Measuring the cost of cybercrime. 
In The Economics of Information Security and Privacy, Rainer B\u00f6hme (Ed.). Springer, Berlin, 265--300."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jcss.2006.02.003"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.1173299"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.286.5439.509"},{"key":"e_1_2_1_6_1","unstructured":"Andrew Betts. 2013. A sobering day. Financial Times Labs Retrieved from http:\/\/labs.ft.com\/2013\/05\/a-sobering-day\/."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.24"},{"key":"e_1_2_1_8_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security.","author":"B\u00f6hme Rainer","year":"2005","unstructured":"Rainer B\u00f6hme. 2005. Cyber-insurance revisited. In Proceedings of the Workshop on the Economics of Information Security."},{"key":"e_1_2_1_9_1","first-page":"5","article-title":"Towards insurable network architectures. Info","volume":"52","author":"B\u00f6hme Rainer","year":"2010","unstructured":"Rainer B\u00f6hme. 2010. Towards insurable network architectures. Info. Technol. 52, 5 (Sept. 2010), 290--293.","journal-title":"Technol."},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security.","author":"B\u00f6hme Rainer","year":"2006","unstructured":"Rainer B\u00f6hme and Gaurav Kataria. 2006. 
Models and measures for correlation in cyber-insurance. In Proceedings of the Workshop on the Economics of Information Security."},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security.","author":"B\u00f6hme Rainer","year":"2010","unstructured":"Rainer B\u00f6hme and Galina Schwartz. 2010. Modeling cyber-insurance: Towards a unifying framework. In Proceedings of the Workshop on the Economics of Information Security."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1284680.1284681"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the 28th Conference on Uncertainty in Artificial Intelligence (UAI\u201912)","author":"Chan Hau","year":"2012","unstructured":"Hau Chan, Michael Ceyko, and Luis Ortiz. 2012. Interdependent defense games: Modeling interdependent security under deliberate attacks. In Proceedings of the 28th Conference on Uncertainty in Artificial Intelligence (UAI\u201912). 152--162."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017507.2017514"},{"key":"e_1_2_1_15_1","unstructured":"
Fred Chong Ruby Lee Claire Vishik Alessandro Acquisti William Horne Charles Palmer Anup Ghosh Dimitrios Pendarakis William Sanders Eric Fleischman Hugo Teufel Gene Tsudik Dipankar Dasgupta Steven Hofmeyr and Leor Weinberger. 2009. National Cyber Leap Year Summit 2009: Co-Chairs\u2019 Report. Retrieved from https:\/\/www.qinetiq-na.com\/wp-content\/uploads\/2011\/12\/National_Cyber_Leap_Year_Summit_2009_CoChairs_Report.pdf."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/1689499.1689586"},{"key":"e_1_2_1_17_1","unstructured":"Christopher Drew. 2011. Stolen data is tracked to hacking at Lockheed. New York Times. Retrieved from http:\/\/www.nytimes.com\/2011\/06\/04\/technology\/04security.html."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1103\/PhysRevLett.89.108701"},{"key":"e_1_2_1_19_1","doi-asserted-by":"crossref","first-page":"290","DOI":"10.5486\/PMD.1959.6.3-4.12","article-title":"On random graphs","volume":"6","author":"Erd\u0151s Paul","year":"1959","unstructured":"Paul Erd\u0151s and Alfr\u00e9d R\u00e9nyi. 1959. On random graphs. Publicationes Mathematicae (Debrecen) 6 (1959), 290--297.","journal-title":"Publicationes Mathematicae (Debrecen)"},{"key":"e_1_2_1_20_1","first-page":"17","article-title":"On the evolution of random graphs","volume":"5","author":"Erd\u0151s Paul","year":"1960","unstructured":"Paul Erd\u0151s and Alfr\u00e9d R\u00e9nyi. 1960. On the evolution of random graphs. Publicat. Math. Inst. Hungarian Acad. Sci. 
5 (1960), 17--61.","journal-title":"Publicat. Math. Inst. Hungarian Acad. Sci."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2005.1498374"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1367497.1367526"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.3386\/w10706"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-25280-8_11"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.5555\/1947915.1947937"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2014.30"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590308"},{"key":"e_1_2_1_29_1","volume-title":"Advances in Neural Information Processing Systems","author":"Kearns Michael","unstructured":"Michael Kearns and Luis Ortiz. 2004. Algorithms for interdependent security games. In Advances in Neural Information Processing Systems, vol. 16, S. Thrun, L. Saul, and B. Sch\u00f6lkopf (Eds.). 
MIT Press, 561--568."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/RISP.1991.130801"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.5555\/882489.884191"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1024119208153"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2012.2189794"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635673"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-45472-5_27"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.5555\/1793974.1794207"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1403027.1403034"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1384529.1375463"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2009.5062066"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1080\/15427951.2005.10129111"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1146381.1146391"},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security.","author":"Ogut Hulisi","year":"2005","unstructured":"Hulisi Ogut, Nirup Menon, and Srinivasan Raghunathan. 2005. Cyber insurance and IT security investment: Impact of interdependent risk. 
In Proceedings of the Workshop on the Economics of Information Security."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1103\/PhysRevLett.86.3200"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1103\/PhysRevE.65.035108"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.0501179102"},{"key":"e_1_2_1_46_1","volume-title":"Emerging Threat: Dragonfly\/Energetic Bear--APT Group. Symantec Connect,","year":"2014","unstructured":"Symantec. 2014. Emerging Threat: Dragonfly\/Energetic Bear--APT Group. Symantec Connect, Retrieved from http:\/\/www.symantec.com\/connect\/blogs\/emerging-threat-dragonfly-energetic-bear-apt-group."},{"key":"e_1_2_1_47_1","volume-title":"Economics of Information Security","author":"Varian Hal","unstructured":"Hal Varian. 2004. System reliability and free riding. In Economics of Information Security, J. Camp and S. Lewis (Eds.). 
Kluwer Academic Publishers, Dordrecht, The Netherlands, 1--15."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/RELDIS.2003.1238052"}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3166069","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3166069","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:26:55Z","timestamp":1750213615000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3166069"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,8,7]]},"references-count":47,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2018,11,30]]}},"alternative-id":["10.1145\/3166069"],"URL":"https:\/\/doi.org\/10.1145\/3166069","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,8,7]]},"assertion":[{"value":"2016-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-08-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}