Security by Insurance for Services

摘要

It is hard to guarantee proper protection in the Service Oriented Architecture (SOA), when a client outsources a part of its business or sends private data to a services provider. Various solutions proposed so far mostly require evidences of proper protection (e.g., source code for verification or execution traces for monitoring), which are to be provided by the service provider itself, and thus are not fully trusted by the client. In this paper we describe both conceptually and formally an approach for guaranteeing proper protection of outsourced data or business using cyber insurance. We discuss several variants of applications of the approach depending on the degree of involvement of different parties. We provide mathematical evidences of benefits of the approach for both client and provider and show how the parameters for the interactions should be computed.