Quantifying e-Commerce Risk
David Fishbaum, FSA
Chuck McClenahan, FCAS
MMC ENTERPRISE RISK
CAS Seminar on Ratemaking - March, 2001
The Problem
You’re the risk manager of a financial institution with a new web site
Your insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000 with low limits
You’re not exactly sure what the risks of the web site are
What to do?
Background
The financial institution provides community banks with a product portfolio of ancillary products such as:
- investments (mutual funds and stock trading)
- insurance
- other banking services
You provide web sites for these community banks for investments, insurance and lending
What are the risks?
Failure of the web site
- problems with the surroundings, power failure, fire or flooding
- failure of the hardware
- failure of the software
- attack through virus or computer hacker
Resultant damages are also varied
Delay in performing a service
Loss of brand value due to unreliability of service or transmission of computer virus
Loss of value through failure to deliver
- for example, an uncompleted stock trade
Background: E-commerce insurance coverage
There is an intensive application
- the problem is that you can’t figure out how complex or risky a web site you are running
A system audit is part of the insurance coverage
- there is a bias to find fault
How do you insure the high P/E ratio
It’s 1999 and the price/earnings ratio of the e-commerce function seems to have broken down
The unspoken issue is how do you insure the value lost if something happens to the web site?
Not sure this is an issue today
Why bring in Actuaries?
Looking for someone to quantify the risk
We brought a multidisciplinary team of actuaries, economists and policy experts
The actuaries provided the quantification and modeling skill sets
Methodology
Model the web site
Stochastic testing
Scenario testing
Model
MMC ER developed a computer program to model the economic performance of the e-commerce infrastructure
Used company’s performance statistics
Used a Monte Carlo simulation to produce expected revenue and branding values
Based on this quantification, valued the potential losses of a series of scenarios
Flow of Information and quantification of failure probabilities
[Diagram labels: User's Browser; ISP Provider; Application Server/Firewall/Proxy Layer; Application Host - I; Application Host - II; Application Host - III]
In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, data base performance etc. were considered.
Assumptions
Visits per week
Usage over the week
Revenue
Customer value
Application acceptance
Downtime
Results - Base Case (2000, 2001, 2002)
# of participating banks
Internet applications
Application fees
Insurance underwriting
TOTAL
New loans to banks
Present value of income on new loans
The Scenarios
Denial of service
Physical damage to hardware location
New virus brings down complete system
Malicious employee
Threats/extortion
Theft of credit card numbers
The Scenarios
Denial of service
Attack causes a degradation of performance or loss of service to web site
Not covered under current coverage
Modeling assumption: site down for 3 hours
Income loss/Customer value loss
The Scenarios
Physical damage to hardware location
Location of where hardware is kept is disabled
Covered under current insurance
Modeling assumption: site down for 10 days
Income loss/Customer value loss
Client bank’s lost revenue
The Scenarios
New virus brings down complete system
Not covered under current coverage
Model assumption: system down for 2 days
Income loss/Customer loss
The Scenarios
Malicious Employee
Destruction of important data or programs
- Cost of recovery process covered under current coverage
- Not modeled
Theft of policyholder info or other intangible property
- Not covered under current coverage
The Scenarios
Threats/extortion
Threat to commit a computer crime or to use information gained from a computer crime in exchange for money, personal gain or to embarrass the company
Would be covered under current kidnap and ransom policies
The Scenarios
Theft of credit card numbers
CD Universe and Salesgate (e-mall)
No credit card numbers are stored
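One way to value the three modeled outage scenarios (3 hours, 2 days, 10 days) with the Monte Carlo approach and assumption categories named on the Model and Assumptions slides. This is an added example, not MMC ER's program; every figure other than the outage durations (visit counts, usage profile, acceptance and defection rates, dollar values) is a constructed assumption.

```python
import random

HOURS_PER_WEEK = 168

# Constructed inputs (assumptions for illustration; not figures from the slides).
MEAN_VISITS_PER_WEEK = 12_000     # visits per week
SD_VISITS_PER_WEEK = 2_400
ACCEPTANCE_RATE = 0.04            # share of visits that become an accepted application
REVENUE_PER_APPLICATION = 150.0   # income per accepted application, dollars
DEFECTION_RATE = 0.01             # share of blocked visitors who never return
CUSTOMER_VALUE = 900.0            # value of a lost customer, dollars

# Outage durations in hours, taken from the scenario slides.
SCENARIOS = {"denial_of_service": 3, "new_virus": 48, "physical_damage": 240}


def usage_profile():
    """Share of weekly visits falling in each hour (hour 0 = Monday 00:00)."""
    raw = []
    for hour in range(HOURS_PER_WEEK):
        day, hour_of_day = divmod(hour, 24)
        weight = 4.0 if 9 <= hour_of_day < 18 else 1.0   # business hours are busier
        if day >= 5:                                      # weekend traffic is lighter
            weight *= 0.5
        raw.append(weight)
    total = sum(raw)
    return [w / total for w in raw]


PROFILE = usage_profile()
# Income loss plus customer value loss for each visit the outage blocks.
LOSS_PER_BLOCKED_VISIT = (ACCEPTANCE_RATE * REVENUE_PER_APPLICATION
                          + DEFECTION_RATE * CUSTOMER_VALUE)


def blocked_share(start_hour, duration_hours):
    """Weeks' worth of traffic blocked by an outage starting at start_hour."""
    full_weeks, rest = divmod(duration_hours, HOURS_PER_WEEK)
    partial = sum(PROFILE[(start_hour + h) % HOURS_PER_WEEK] for h in range(rest))
    return full_weeks + partial


def simulate(duration_hours, trials=20_000, seed=2001):
    """Return (mean loss, 95th percentile loss) for one outage of this length."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        visits = max(0.0, rng.gauss(MEAN_VISITS_PER_WEEK, SD_VISITS_PER_WEEK))
        start = rng.randrange(HOURS_PER_WEEK)   # outage can begin at any hour
        losses.append(visits * blocked_share(start, duration_hours)
                      * LOSS_PER_BLOCKED_VISIT)
    losses.sort()
    return sum(losses) / trials, losses[int(0.95 * trials)]


def analytic_mean(duration_hours):
    """Closed-form check: a uniform start blocks duration/168 of a week on average."""
    return (MEAN_VISITS_PER_WEEK * duration_hours / HOURS_PER_WEEK
            * LOSS_PER_BLOCKED_VISIT)


if __name__ == "__main__":
    for name, hours in SCENARIOS.items():
        mean, p95 = simulate(hours)
        print(f"{name:18s} {hours:4d} h  mean ${mean:10,.0f}  p95 ${p95:10,.0f}")
```

The gap between the mean and the 95th percentile for the 3-hour case comes almost entirely from when in the week the outage starts, which is why "usage over the week" matters as a model input.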
Results of analysis
Biggest risk business interruption
Third party loss is minimal at this time though in time the Internet will affect its client relationship
Conclusions
Better quantification of risks
Better able to make a purchase decision
Other risk management decisions
What isn’t at risk is also important
Postscript
The website is still in operation
Strategy has been proven successful
e-Commerce Risk
Bruce Schneier - Secrets and Lies (Wiley Computer Publishing, 2000)
“The insurance industry does this kind of thing all the time; it’s how they calculate premiums. They figure out the annual loss expectancy for a given risk, tack on some extra for their operational costs plus some profit and use the result”
Bruce Schneier - Secrets and Lies (Wiley Computer Publishing, 2000)
“Of course there’s going to be a lot of guesswork in any of these; the particular risks we’re talking about are just too new and too poorly understood to be better quantized (sic).”
Pricing e-Commerce Risk
- Determine Strategy
- Identify the Risks
- Collect Available Data
- Develop Model
- Price According to Strategy
Determine Strategy
- “Guess and Confess”
- Loss Leader
- Self-Supporting
- Franklin Approach
Determine Strategy - “Guess and Confess”
Insurer uses best available judgment (usually discovered deep in the bowels of the marketing department) as to the proper rate
Alternatively, rely on advice of career agents
Determine Strategy - Loss Leader
Aptly named, this strategy is based upon the assumption that the best way to develop experience and expertise is to write a lot of exposure
Determine Strategy - Self-Supporting
Goal is to cover losses and expenses, including start-up expenses, over some reasonable period of time. This is a radical strategy and has rarely been adopted in the property-casualty industry.
Determine Strategy - Franklin Approach
Focuses on loss avoidance
Underwrites against “undesirable” hazards, e.g.
- large user base
- large asset base
- high public profile
Identify the Risks
We have a good track record here
- Medical Malpractice
- Computer Leasing
- Asbestos and Environmental
How many do you recognize?
- Daemon
- Data mining
- Digital wallet
- Extranet
- Luhn formula
- Smart card
- Thin client
How many do you recognize?
- Daemon - a structured background process
- Data mining - looking for hidden data patterns
- Digital wallet - encryption software, user ID
- Extranet - authorized outsider-available intranet
- Luhn formula - credit card verifying algorithm
Luhn formula
(1) Start with the penultimate digit and, moving left, double the value of each alternating digit. If you get a two-digit number, add the two digits.
(2) Add up all digits. Result must be zero mod 10.
Luhn formula
1234 567890 12347
1438 537790 14387
1+4+3+8+5+3+7+7+9+0+1+4+3+8+7 = 70
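The two steps of the Luhn formula as runnable Python, an added example that is not part of the original slides; the function names are illustrative. It reproduces the number worked through above and goes slightly beyond it by computing a check digit and enumerating which single-digit and adjacent-swap errors the formula misses, which shows it is an error-detecting checksum and not a security control.

```python
def _digits(number):
    """Strip spaces and hyphens; return the digits or raise ValueError."""
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or not (cleaned.isascii() and cleaned.isdigit()):
        raise ValueError("expected at least two decimal digits")
    return [int(c) for c in cleaned]


def _fold(digits):
    """Step 1: double every second digit, starting from the penultimate one."""
    out = list(digits)
    for i in range(len(out) - 2, -1, -2):
        doubled = out[i] * 2
        out[i] = doubled - 9 if doubled > 9 else doubled   # 16 -> 1 + 6 = 7
    return out


def luhn_transform(number):
    """Digits after the doubling step, left to right."""
    return _fold(_digits(number))


def luhn_valid(number):
    """Step 2: the transformed digits must sum to zero mod 10."""
    try:
        return sum(luhn_transform(number)) % 10 == 0
    except ValueError:
        return False


def luhn_check_digit(payload):
    """Digit to append to payload so that the whole number validates."""
    return (10 - sum(luhn_transform(payload + "0")) % 10) % 10


def undetected_single_digit_errors(number):
    """Count one-digit substitutions that still validate."""
    digits = _digits(number)
    missed = 0
    for i, original in enumerate(digits):
        for wrong in range(10):
            if wrong != original:
                trial = digits[:i] + [wrong] + digits[i + 1:]
                missed += sum(_fold(trial)) % 10 == 0
    return missed


def undetected_adjacent_swaps(number):
    """Left index of each adjacent transposition that still validates."""
    digits = _digits(number)
    missed = []
    for i in range(len(digits) - 1):
        if digits[i] != digits[i + 1]:
            trial = list(digits)
            trial[i], trial[i + 1] = trial[i + 1], trial[i]
            if sum(_fold(trial)) % 10 == 0:
                missed.append(i)
    return missed


SLIDE_NUMBER = "1234 567890 12347"   # the number worked through on the slide

if __name__ == "__main__":
    print(luhn_transform(SLIDE_NUMBER), sum(luhn_transform(SLIDE_NUMBER)))
    print(luhn_valid(SLIDE_NUMBER), luhn_check_digit("1234 567890 1234"))
    print(undetected_single_digit_errors(SLIDE_NUMBER))
    print(undetected_adjacent_swaps(SLIDE_NUMBER))
```

The one swap that slips through is the adjacent pair 9 and 0, the only two digits whose contribution is the same whether or not they are doubled.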
How many do you recognize?
- Daemon - a structured background process
- Data mining - looking for hidden data patterns
- Digital wallet - encryption software, user ID
- Extranet - authorized outsider-available intranet
- Luhn formula - credit card verifying algorithm
- Smart card - personal electronic memory card
- Thin client - network computer w/o hard drive
Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company
“The court finds that ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality.”
Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company
“Restricting the policy’s language to that proposed by American [i.e. that contained in the policy] would be archaic.”
TD Waterhouse fined $225,000 for repeated outages which left customers unable to trade
11 online brokers reported 88 outages for 1st 9 months 1999 (12th firm reported so many outages it didn’t keep track).
Collect Available Data
Exposure base not well-defined
Economic costs of losses not disclosed
Industry is young and evolving
Threat base is also evolving
Collect Available Data
Remember, “Lloyd’s List” was started in 1696 but it wasn’t until 75 years later that the Society of Lloyd’s was formed
Develop Model
Identify major processes
Identify major threats
Relate threats to processes
Determine (or guess at) parameters
Example - Distributed Denial of Service (DDoS)
“Attack of the Zombies” - February, 2000
Monday, February 7
- Yahoo! portal rendered inaccessible for 3 hours
Tuesday, February 8
- Buy.com 90% inaccessible
- eBay incapacitated
- CNN 95% inaccessible
- Amazon.com slowed to 5 minute access time
Wednesday, February 9
- ZDNet.com unreachable
- E*Trade slowed “to a crawl”
- Excite 60% inaccessible
How DDoS Works
Goal is to render system inoperable
One attacker controls multiple servers
Method: Break into numerous sites, install “attack script” and orchestrate coordinated attack
[Diagram labels: HACKER; UNWITTING HOST “ZOMBIE”; OTHER NETWORK COMPUTERS; USER PCs; VICTIM’S SERVER]
Hypothetical DDoS Costs
[Chart: cost ($0 to $25,000,000) against Minutes of Outage; series: Market Cap Loss, Security Costs, Revenue Loss]
Hypothetical Cumulative DDoS Frequency
[Chart: cumulative frequency (0.0% to 100.0%) against Minutes of Outage (0 to 600)]
Price According to Strategy
Frequency will vary with
- Popularity
- Profile
- Potential
Price According to Strategy
Severity will vary
- eToys v. E*Trade
“You gotta be careful if you don’t know where you’re going ‘cause you might not get there.”
- Yogi Berra