DOI: 10.1145/3106723.3106730
research-article
Public Access

Designing cyber insurance policies in the presence of security interdependence

Published: 27 June 2017

Abstract

Cyber insurance is a method for risk transfer but may or may not improve the state of network security. In this work, we consider a profit-maximizing insurer with voluntarily participating insureds. We are particularly interested in two features of cybersecurity and their impact on the contract design problem. The first is the interdependent nature of cybersecurity, whereby one entity's state of security depends on its own effort and others' effort. The second is our ability to perform accurate quantitative assessment of security posture at a firm level by combining recent advances in Internet measurement and machine learning techniques. We observe that security interdependency leads to a "profit opportunity" for the insurer, created by the inefficient effort levels exerted by agents who do not account for risk externalities when insurance is not available; this is in addition to risk transfer that an insurer profits from. Security pre-screening allows the insurer to take advantage of this opportunity by designing appropriate contracts which incentivize agents to increase their effort levels, allowing the insurer to effectively "sell commitment" to interdependent agents, in addition to risk transfer. We identify conditions under which this type of contract leads to an improved state of network security.

      Published In

      NetEcon '17: Proceedings of the 12th workshop on the Economics of Networks, Systems and Computation
      June 2017
      47 pages
      ISBN:9781450350891
      DOI:10.1145/3106723
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Conference

      EC '17
      Sponsor:
      EC '17: ACM Conference on Economics and Computation
      June 27, 2017
      Massachusetts, Cambridge

      Acceptance Rates

      Overall Acceptance Rate 10 of 18 submissions, 56%

      Cited By

      • (2025) Cyber-Insurance Market. Encyclopedia of Cryptography, Security and Privacy, 524-529. DOI: 10.1007/978-3-030-71522-9_1636. Online publication date: 8-Jan-2025
      • (2022) Cyber-Insurance Market. Encyclopedia of Cryptography, Security and Privacy, 1-6. DOI: 10.1007/978-3-642-27739-9_1636-1. Online publication date: 26-Mar-2022
      • (2020) FlipIn: A Game-Theoretic Cyber Insurance Framework for Incentive-Compatible Cyber Risk Management of Internet of Things. IEEE Transactions on Information Forensics and Security 15, 2026-2041. DOI: 10.1109/TIFS.2019.2955891. Online publication date: 2020
      • (2020) A systematic literature review of cyber insurance challenges. 2020 International Conference on Information Technology Systems and Innovation (ICITSI), 357-363. DOI: 10.1109/ICITSI50517.2020.9264966. Online publication date: 19-Oct-2020
      • (2019) Incentivizing effort in interdependent security games using resource pooling. Proceedings of the 14th Workshop on the Economics of Networks, Systems and Computation, 1-6. DOI: 10.1145/3338506.3340272. Online publication date: 28-Jun-2019
      • (2019) A Coalitional Cyber-Insurance Framework for a Common Platform. IEEE Transactions on Information Forensics and Security 14:6, 1526-1538. DOI: 10.1109/TIFS.2018.2881694. Online publication date: Jun-2019
      • (2019) Cyber Insurance and Time-to-Compromise: An Integrated Approach. 2019 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), 1-8. DOI: 10.1109/CyberSA.2019.8899442. Online publication date: Jun-2019
      • (2019) Fair and private rewarding in a coalitional game of cybersecurity information sharing. IET Information Security. DOI: 10.1049/iet-ifs.2018.5079. Online publication date: 9-Apr-2019
      • (2018) Crowdfunding the Insurance of a Cyber-Product Using Blockchain. 2018 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), 964-970. DOI: 10.1109/UEMCON.2018.8796515. Online publication date: Nov-2018
      • (2018) Designing Cyber Insurance Policies: The Role of Pre-Screening and Security Interdependence. IEEE Transactions on Information Forensics and Security 13:9, 2226-2239. DOI: 10.1109/TIFS.2018.2812205. Online publication date: Sep-2018
