Modeling the Effect of Spending on Cyber Security by Using Surplus Process

Division of Banking and Finance, Nanyang Business School, Nanyang Technological University, 50 Nanyang Avenue, Singapore 639798 College of Mathematics and Statistics, Shenzhen University, Nanhai Ave 3688, Shenzhen, Guangdong 518060, China Shenzhen Key Laboratory of Advanced Machine Learning and Applications, Shenzhen University, Shenzhen, Guangdong 518060, China Department of Finance, Southern University of Science and Technology, 1088 Xueyuan Avenue, Shenzhen, Guangdong 518055, China


Introduction
Cyber risk has become a hot topic given the ever-increasing cyber breaches and resulting losses of data and business disruptions. Cyber risk differs from traditional insurance risks in that they are very much driven by human behaviours in terms of attacks and defenses. What quantitative tools can actuaries imply to offer insights in measuring and managing cyber risks? In this paper, we apply traditional ruin theory in an innovative way to assess the stochastic changes in the level of cyber security and derived interesting insights from this theoretical framework.
Traditional actuarial ruin theory was developed in modeling of insurance capital solvency, whereas the level of capital is influenced by two opposing forces: the upward drift driven by a stream of insurance premium income and the random downward jump driven by insurance claims. During our literature review for cyber risk analysis (mostly from the computer science literature), we noticed that in many of the quantitative models, the security level of a system could be assumed as a quantifiable amount, which is primarily affected by the amount of investment in security development. In addition, it is commonly assumed that the probability and the loss severity of a defense failure (a cyber breach) depend on the security development and the damage control scheme.
In this paper, we assume the security level of a system is a quantifiable metric and apply the ruin theoretic framework in assessing the defense failure frequencies. We assume that the security level of a system changes over time due to attack and defense. e security level is then modeled by a modified surplus process: the current security level of an information system can be viewed as the initial surplus; defense investment resulting in an increase in the security level can be viewed as the premium income; the cyberattack arrivals are modeled as a Poisson process, and the impact of attacks is modeled as losses on the security level using an assumed loss distribution. A cyberattack succeeds (or the defense fails) when ruin occurs. In other words, we apply the risk process to model the frequency of the cyber failure. Once the defense failed, an independent financial loss amount is incurred depending on the nature of data being breached. Our goal of this paper is to provide a framework for analyzing the economical relationship between IT security investment and the associated cyber breach losses and to use this framework to make optimal IT security investment decisions.
In Section 2, we provide a detailed description of the model. We then derive the formula for the distribution of defense failure frequency, which is a function depending on security investments and attack arrivals. Assuming the distribution of the loss severity from a cyber breach is known, we show that the optimal investment amount can be solved by minimizing the expected total cyber costs. In Section 3, we use numerical calculations to provide insights on the changes in expected total cyber costs and the optimal amount of cyber investment, under different assumptions of loss severity, attack arrival as well as time horizon. We also provide a literature review on cyber risk modeling in Section 4 and comment on future research in Section 5.
To our knowledge, this paper is the first attempt to model cyber risk by applying the ruin theory in the literature. e goal of this paper is not to propose a new actuarial model for cyber losses (in terms of frequency and severity distributions), but instead, we apply the ruin theoretical framework to the level of cyber security over the course of time, under opposing forces of attackers and defenders. We then use the framework to draw insights about optimal allocation of cyber security budget.

Surplus Process for the Cyber Security
Level over Time

Surplus Processes in the Classical Ruin eory.
We first review the classical insurance surplus process defined by where u � U 0 is the initial surplus, c is a constant rate of premium income per unit time, N t t ≥ 0 is a counting process for the number of claims, and X i ∞ i�1 is a sequence of i.i.d. random variables representing individual claim amounts with probability density function (p.d.f.) f(x) and cumulative distribution function (c.d.f.) F(x). Let T u be the time that surplus first falls below 0 given initial surplus u, and the ultimate ruin probability is defined as ψ(u) � Pr(T u < ∞). Under the classical risk model, it is common to to be the defective density function of T u and ω u (s) � ∞ 0 e − st ω u (t)dt, s ≥ 0, as the Laplace transform of ω u (t). e conditional density of T u |T u < ∞ is denoted as ω c u (t) � ω u (t)/ψ(u).

Cyber Security Level Model Description. Gordon and
Loeb [1] defined a vulnerability term ], as the probability that an attack being successful. e observation is that the vulnerability of a security system is not static over time and it depends on the maintenance effort of the system administrator through time. Denote ] t as the vulnerability level of a security system at time t. In addition, we define the strength level of a security system at time t as u t , where ] t � g(u t ) and g(x) ∈ [0, 1], x ≥ 0, is a function that satisfies the following properties: (1) g ′ (x) < 0, i.e., the higher the u t is, the lower the vulnerability of the security system. (2) When x � 0, g(x) � 0, i.e., when the strength level is 0, the probability of an attack being successful is 1.
(3) When x → ∞, g(x) → 0, i.e., when the strength level is extremely high, the probability of an attack being successful tends to 0. Here we assume that the security system cannot be completely protected; however, the system administrator manages it. ere is always a probability of being breached.
One type of function that satisfies the above properties is where g(x) � e − αx , i.e., ] t � e − αu t , where α is a parameter that transforms the strength level measurement u t to a probability measurement ] t .
We now apply some of the surplus process ideas to model the security strength level process of a firm's information system. Assume that process u t t ≥ 0 represents the security strength at any time t ≥ 0 of the system and that u 0 represents the system's current security level.
Let ξ t ≥ 0 denote the monetary (e.g., dollar) investment in security to protect the system. e result of such investment will create changes in security strength level u t over time. For simplicity in our model, we assume that the investment is constant at ξ per unit of time and that the change We assume that when ξ t � 0, i.e., there is absolutely no effort in place on system maintenance, the process u t will have a natural downward drift. We assume this downward drift to be a constant − c ′ , c ′ > 0 until u t hits 0. is is justified by common observations in security system management: if the system does not perform regular updates, scans, and inspections, the system becomes more and more vulnerable over time.
Let ξ ′ be the amount of investment that is needed to counter affect the downward drift c ′ , and that the per unit time change in u t caused by such investment is 0. If ξ > ξ ′ , then the per unit time change in u t becomes c.
Mathematically, the above assumption can be summarized as the following conditions that need to be satisfied by function A(x): A(0) � − c ′ , A(x) � 0 for x � ξ ′ , and A(x) � c > 0 for x > ξ ′ . e increase in the security level is justified by continuous effort on fixing known vulnerabilities, strengthening authentication and encryption, etc. References on over hundreds of defense methods can be found in Cohen [2]. e counting process N t t ≥ 0 represents the number of attempted attacks during time (0, t]. When an attempted attack arrives at time t, we assume that the probability of that attack being successful is equal to ] t � e − αu t . However, whether the i th attempted attack is successful or not, we assume that the strength level of the system after the attempted attack will be damaged by a random variable X i . During an attack event, the hacker may gain some information about the system mechanism and authentication methods and that a certain level of security strength is lost.
is is modeled by losses X i ∞ i�1 in security level when attack arrives.
So far our security level process follows the fundamental works of a classical insurance surplus process. To further accommodate the modeling of cyber risks, we make two modifications on the process. First modification is that once ruin occurs, the surplus level returns to 0 immediately and the process continues. is implies that the security level does not remain at ruin state but restarts from 0 whenever a failure occurred. A realization of such process is shown in Figure 1. e reason for this is that it seems unrealistic to assume that the security level can remain negative. Even when a breach event occurs, the system engineers will continue to strengthen the system security over time by fixing exploited vulnerabilities and bugs.
Another modification is a loosening on the assumption for c such that the probability of ruin/breach event is not strictly less than 1 under our framework. More discussion on this modification can be found in Appendix A. Table 1 provides a comparison between surplus process definitions under traditional ruin theory versus our cyber security framework. In reality, the cyber environment is characterized as an arms race between attackers and defenders. Perpetrators are actively searching for weak points and new methods and tools (e.g., malware) for attacking. e results of attackers are quantified by X i ∞ i�1 which emerges over time. Defenders must vigilantly monitor and constantly invest in cyber security in terms of time, knowledge, and measures. e defense spending of amount $ξ gives c as the continuous security development rate. Our focus is on the time dimension of the arms race between attackers and defenders. In this paper, we investigate how company spending in beefing up cyber security level can help maintain/achieve a desirable security level.
Let the counting process of the number of ruin events between time (0, t] be NR u (t) t ≥ 0 , with initial surplus u, under the modified surplus process. Let T u,n to be the time of n th ruin event and ω u,n (t) to be the probability density function of T u,n . Define W u,n (t) � t 0 ω u,n (τ)dτ � Pr(T u,n ≤ t), we can then derive the probability function for NR u (t). For n � 0, we have that (2) Note that this also includes the probability that ruin never occurs and that by definition W u,1 (t) � W u (t). For n ≥ 1, Under our cyber risk model, we use NR u (t) as the counting process for breach events. Furthermore, let Y i ∞ i�1 be independent and identically distributed random variables representing the severity of financial loss due to a security breach. We assume that Y i ∞ i�1 depends on the nature of data breached and is independent of U t and NR u (t). e total financial loss due to defense failure between time (0, t] is then Since ξ is the amount of investment in cyber security per unit time, we denote L(u, ξ, t) to be the total cyber cost between (0, t] and we have e expected total cyber costs between (0, t] are then where the expected number of breaches before t can be found as follows: Taking the partial differentiation of E[L(u, ξ, t)] with respect to ξ, we have Since zW 0 (t)/zc < 0 and hence zW u,n (t)/zc < 0, and that A ′ (ξ) > 0, we see that there exists an ξ * such that represents the net premium for cyber insurance cover for losses from cyber breach. e higher the IT security spending, the lower the resulting net premium of cyber insurance. ere is an optimal amount of spending that minimizes the total cost to the firm. Using equation (5), firms can decide an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer. e total cyber cost function can be generalized to allow for expense loading of insurance covers. If the insurance premium is the expected financial loss ] plus a loading θ under the expected value principle, the total cyber cost function then becomes

Insights from the Framework
In this section, we assume a baseline scenario that N t t ≥ 0 follows a Poisson process with parameter λ � 1, and X i ∞ i�1 follows an exponential distribution with parameter α � 1. e initial security level is u � U 0 � 3. We also assume that the construction rate c � A(ξ) � ln(ξ + 1), where ξ is the amount of investment on security development. Note that under this assumption A(0) � 0, A ′ (ξ) > 0 and A ″ (ξ) > 0 for ξ > 0. e expected loss when breach occurs is assumed to be E(Y i ) � $20 and the time horizon is t � 2. Some analytical results are given in Appendix B under these assumptions.
To further clarify the notation used, u, λ, α, and c are numerical metrics corresponding to the security level process, whereas ξ, E(Y i ), and E[L(u, ξ, t)] represent the monetary amounts associated with security investments and costs of cyber breaches.
In the following examples, we change various assumptions and study the impact on the expected total cyber cost E[L(u, ξ, t)]. Under each scenario, we find the optimal investment level ξ * such that the expected cyber cost is minimized given the specific time horizon.
3.1. Impact of Loss Severity. In this example, we assume an alternative scenario with E(Y i ) � $40. Clearly in our baseline scenario where E(Y i ) � $20, the average severity of loss in an event of cyber breach is relatively low compared with E(Y i ) � $40. Note that with ξ * � $1.02, the corresponding c � 0.70 < λ/α. is indicates that under the given conditions above, it is actually less optimal to maintain c > λ/α, which is a condition needed for ψ(u) < 1.
For E(Y i ) � $40, the minimum expected cost is $11.65 with ξ * � $1.94. e optimal security investment is higher compared with the previous case. Table 2 provides a summary of the results above.
Insights: in the case of higher average loss severity, it is better to invest more in security defense to reduce the expected number of breach events.

Impact of Different Attack Arrivals.
In this example, we look at the impact of different attack arrivals on expected cyber losses and optimal investment level ξ * . We adopt the same baseline scenario such that u � 3, λ � 1 and α � 1, c � A(ξ) � ln(ξ + 1), t � 2, and E(Y i ) � $20. We assume two alternative sets of parameters for attack arrivals: for the first alternative scenario (scenario 2), we assume λ � 0.5 and α � 0.5, which represents the case where the attack frequency is halved, but the expected impact is doubled due to more sophisticated attacks. For the second alternative scenario (scenario 3), we assume λ � 10 and α � 10, which represents a high-frequency but low-impact (less sophisticated) attack for the attack arrivals. Figure 3 shows the change in the expected number of breaches E[NR 3 (2)] given ξ assuming different attack arrivals as above. We see that for scenario 3, E[NR 3 (2)] decreases quickly with small increase in ξ. A small amount of investment can reduce the expected number of breaches significantly. For scenario 2, the investment is less efficient because A ″ (ξ) < 0 such that each additional unit spending of ξ causes smaller additional c and that high impact of the attacks overpowers the security improvement.
We then calculate the expected total cyber costs under the assumed three scenarios, and Figure 4 shows the changes in E[L (3, ξ, 2)] with respect to changes in ξ. e optimal investment ξ * is then calculated for each scenario with corresponding results shown in Table 3.
For the baseline scenario, the optimal ξ * is $1.02 with the minimum expected cyber costs at $7.22. For scenario 2, the optimal ξ * � $0.38 is smaller than the baseline scenario, with the minimum expected cyber costs higher at $7.31. Under this scenario, the system manager actually opts to invest less due to the comparatively inefficient cyber investment. For scenario 3, the optimal ξ * � $0.49 is lower than the baseline scenario but higher than scenario 2. However, we see that the optimal expected cyber costs decreased significantly from $7.22 and $7.31, compared with the baseline scenario and scenario 2, respectively.
Insights: for a given expected loss amount as the product of frequency and severity, if a company's computer system is facing more frequent but less severe attacks, it is optimal for the company to invest less amount in security improvement.
Intuitively, as t increases, the expected total cyber cost shifts upward. Our interest lies in the changes in optimal investment amount when looking at different time horizons. Table 4 shows the optimal ξ * for t � 1, t � 2, and t � 5, respectively. We also calculate the corresponding E(L) * /t and E[NR 3 (t)] * /t, which represent the expected cyber cost and expected number of breaches per time unit, respectively, given ξ * . ere are a few observations from the results as follows. Firstly, as we look at longer time horizon, it is optimal to invest more in security development to reduce the total expected cyber costs. Next, the E(L) * is not linearly related to t as t changes. is is because at the end of one year, the security level may be lower or higher than the start of the year and the optimal level of investment will change accordingly for the next year. In addition, the optimal average expected number of breaches per time unit also changes when we consider different time horizons.
Insights: the choice of time horizon has important implications when deciding the optimal security spending.

Impact of Initial Security Level.
In this example, we look at the impact of different initial security level u. We assume λ � 1, α � 1, c � A(ξ) � ln(ξ + 1), t � 2, and E(Y i ) � $20. Figure 6 illustrates the changes in E[L(u, ξ, 2)] with changes in ξ, given u � 1, u � 3, and u � 5. We see that when ξ is small, the differences in expected cyber cost are relatively large when u changes. As ξ becomes larger, the gaps between the three lines become smaller and almost remain constant for large ξ.
In Table 5, we provide the optimal investment ξ * and corresponding expected cyber costs. When u � 1, the optimal ξ * is $2.46 with minimum expected cyber costs at $16.33. When u � 5, the optimal ξ * � $0.16 and the minimum expected cyber cost is $2.87.
Assume we can invest ξ b a , a < b, to instantly increase U t from a to b. We also assume that ξ b a ≥ A − 1 (b − a). is implies that if we want to increase U t from a to b instantly, it will cost more than develop U t from a to b during 1 unit time. If at time t � 0 and u � a, the expected total cyber cost under previous settings will be E [L(a, ξ, t)]. Suppose we decide to invest ξ b a such that the initial u increases to b    L(b, ξ, t)]. From the table above, we see that ξ 3 1 ≥ $6.39. If ξ 3 1 ≤ $9.11, the firm can actually reduce the total expected cyber cost by a one-off investment to boost the initial security level from 1 to 3.
Insights: it may be worthwhile for a company to spend one-off investment from time to time to boost cyber security level to a desirable standard.

Literature Review on Cyber Risk Modeling
In this section, we provide a brief literature review on cyber risk modeling. e computer information system (CIS) risk had always been one of the key concerns for computer engineers. In the era of digitization, big data, and global connectivity, the requirements for cyber risks management escalate and become a key element in the risk management framework. In the computer science literature, the analysis of CIS risks has been split into development risks and security risks. Rigorous analysis methods and frameworks were designed to identify and manage critical risk factors in system development [3]. For security risks, the authors in [2,4] provided extensive lists of potential attacks, defenses, threats, and consequences. With the effort to quantitatively analyze system security, network topology and graph are used together with epidemic models and become more popular in recent years. Li et al. [5] applied a stochastic model upon a complex network graph that includes sets of nodes and sets of edges over which direct attack can be carried out in the network. A stochastic abstraction of the interactions between the attacker and the defender in the network is considered to derive the probability that a    uniformly chosen node is compromised (or attacked) in the steady state. Xu and Xu [6] later extended this model by weakening some strong assumptions and provided analytical results for the desired steady-state probabilities. In 2015, Xu et al. [7] incorporated copulas in the cyber epidemic models to accommodate the dependences between the cyberattack events. Pastor-Satoras et al. [8] gave a detailed review of the vast research activity concerning cyber epidemic processes, detailing the successful theoretical approaches as well as making their limits and assumptions clear.
Another stream of research focused on economic models of security investments. For example, Gordon and Loeb [1] studied the optimal protection of information, which varies with the information set's vulnerability. Dillon and Pate-Cornell [9] developed a theoretical framework that uses a utility function to explicitly examine the tradeoffs between minimization of the probability of an IS project's failure and maximization of the expected benefits from its performance. Bohme and Moore [10] developed a dynamic model to reflect the interaction between a defender and an attacker and showed how the defender's knowledge about prospective attacks and the sunk costs incurred when upgrading defenses reactively affects the optimal security investment strategy. Many more literature studies can be found in Gordon and Loeb [11] and Wang [12]. In response to the escalating demands from companies to seek better cyber risk management, the market for insurance has emerged and evolved in recent years to provide covers on cyber-related losses. However, the industry has seen a slower pace in market expansion than anticipated due to a number of challenges. e first question is the insurability of cyber risks. Biener et al. [13] focused extensively on this matter by applying Berliner's [14] insurability framework together with empirical analysis. e first insurability criterion is the randomness of the loss occurrence and the conclusion is that it is problematic due to a number of reasons. eir paper also showed that the average loss in different industries differs due to different awareness levels and therefore different resources devoted to self-protection, and the nature of the asset being protected, for example, whether the data include sensitive personal information. e higher the expected loss, the more valuable the breached information must be and the higher the gain for the attacker. Higher frequency for attacks may be correlated to high potential loss. As a result, it may be optimal for a potential victim to spend more on security development, such that the expected total cyber cost is minimized.
Unlike traditional insured risks where the losses emerge from random events, the majority of known cyber loss events are usually consequences of failure in IS defense against intentional attacks. e losses from these attacks are quite profound, for example, the theft and leakage of SONY's internal data in 2014 caused an estimated USD 35 million loss. It is commonly believed that the company's investment on security development plays a key role in reducing the possibility of such loss [10]. Xu and Hua [15] developed a framework to model and price cyber security risk. Due to the constantly evolving technologies of both the attackers and defenders, the attempt to estimate the likelihood and severity of a cyber loss becomes even more challenging. Another obstacle for cyber insurance is the lack of historical loss data attributed to cyber losses that can be used to estimate probabilities of loss and calculate loss values [16]. e data scarcity problem has been addressed by the industry and there have been many attempts to pool relevant data for analytical purposes. Romanosky [17] used a unique dataset of over 12,000 cyber incidents recorded over the years 2004 and 2015 in the USA and examined the costs and causes of cyber incidents. It later went on to discuss the amount of capital a firm should spend on IT security.
Alternatively, one can possibly obtain data other than insurance losses for the purpose of studying cyber risks. Organizations usually have many sources of information about attacks that may be incident upon their networks [18]. One important source is firewall logs. Most, if not all, corporate networks will run a firewall that limits the traffic in and out of the corporate intranet according to some set of rules. Firewalls also log the network activity that they see, particularly the network traffic that is being dropped. Security teams examine firewall logs to get an indication of what attacks are occurring. e log files may show particular IP addresses that are running scans or particular network ports that are being attacked. A network intrusion detection system may be able to monitor and record abnormalities observed for future analysis of attack rates. Alternatively, some research studies focused on analyzing the honeypot-  captured cyberattacks to better understand the attack behaviours, for example, Spitzner [19], Almotairi et al. [20], and Zhan et al. [21].

Conclusion and Future Research
In this paper, we assume the security level of a system is a quantifiable metric and apply the ruin theoretic framework in assessing the defense failure frequencies. We assume that the security level of a system changes over time due to attack and defense. e security level is then modeled by a modified surplus process: the current security level of an information system can be viewed as the initial surplus; defense investment resulting in an increase in the security level can be viewed as the premium income; the cyberattack arrivals are modeled as a Poisson process; and the impact of attacks is modeled as losses on the security level using an assumed loss distribution. A cyberattack succeeds (or the defense fails) when ruin occurs. In other words, we apply the risk process to model the frequency of the cyber failure. Once the defense failed, an independent financial loss amount is incurred depending on the nature of data being breached. To our knowledge, this is the first attempt in the literature to apply the ruin theory on IT security investments and risk modeling. Instead of modeling cyber incidence directly, we assume that attacks can occur but unsuccessful if higher security level (strong defense) is in place. We also assume that the security level erodes even if unsuccessful attack happened. is is based on our assumption that the dark web (or cyber criminals) is capable of learning from their past attempts, which leads to a decrease in security level without active upgrading on the defense side. is paper is not meant to propose a new actuarial model for cyber risks, but instead using an actuarial ruin theory framework to gain insights about optimal allocation of cyber security budget.
One important insight derived from this theoretical framework is that there is an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer. is has an implication in insurance product design: insurers may consider offer a combination of IT risk management services and risk transfer. e IT risk management services can be jointly offered with or outsourced to IT security firms. e security level is modeled as a numerical level in this paper. In practice, one can develop extensive IT risk assessment framework to produce numeric ratings. However, this is beyond the scope of this paper. When modeling the security level, we used simple models for attack frequencies (Poisson arrivals) and severity (exponentially distributed), as well as the security construction rate (constant) which may be over simplifications of what the reality represents. However, our aim for this paper is to use a theoretical framework to derive insights on cyber security budgeting. A few possibilities to alter these assumptions for future research are listed as follows: (1) e attacks may be modeled as nonhomogeneous Poisson process. IT security level could potentially also influence the attack behaviour. e attack frequencies might be high for a period of time and low if several attempts were unsuccessful. Alternatively, one can consider using a dependent risk process model to reflect some actual dependencies between attack frequencies and severity, and such model has been studied in the studies of Peng and Wang [22] and Hu and Zhang [23]. On the other hand, some more complicated risk models can be used to model the cyber risk, such as Markov-modulated risk model, Levy risk model, and MAP risk model. Many references can be found in the studies of Asmussen and Albrecher [24], Li et al. [25], Li et al. [26], Zhang et al. [27], Cheung and Feng [28], Yu et al. [29], etc. (2) Instead of continuous observation of the process, the security officer may wish to adopt a periodic checkup strategy and place occasional boost-ups for the security level. is strategy can then be seen as a risk process that is periodically observed with some occasional capital injections (see Yu et al. [30] and Zhang et al. [31]). (3) We assumed that the surplus level returns to 0 immediately after breach. Further research may alter this assumption since it may require some time to clear the virus or repair the equipment. (4) Empirical calibration of model parameters using actual data.

B. Some Analytical Results
In this section, we derive some analytical results assuming that N t t ≥ 0 follows a Poisson process with parameter λ, and f(x) � αe − αx . It is a well-known result [36] that the Laplace transform of T u is found as follows: where − R s < 0 is a root of the characteristic equation: Note that the derivation was done under the assumption that c > λE(X), but equation (B.1) is not affected if we relax this assumption.
is is because E[e − sT u I(T u < ∞)] � E[e − sT u ] � ω u (s), and that the derivation of ω u (s) and ω u (t) does not depend on the condition that c > λE(X). Dickson and Li [37] showed that the defective/proper density of T u satisfies the following equation: where ω j * 0 (t) is the j-fold convolution of ω 0 (t). From Nie et al. [38], we have  Note that for c ≤ λE(x), Pr(T u,n < ∞) � 1 and equation (B.7) becomes a proper density function. For c > λE(X), we have Pr(T u,n < ∞) � ψ(u)ψ(0) n− 1 and that the conditional density function of T u,n |T u,n < ∞ becomes ω u,n (t)/ψ(u)ψ(0) n− 1 .

Data Availability
No real data were used in this manuscript.

Conflicts of Interest
e authors declare that they have no conflicts of interest.