
Competitive Cyber-Insurance and Internet Security

  • Conference paper
Economics of Information Security and Privacy

Abstract

This paper investigates how competitive cyber-insurers affect network security and the welfare of the networked society. In our model, a user's probability of incurring damage (from being attacked) depends on both his own security and the network security, with the latter taken by individual users as given. First, we consider cyber-insurers who cannot observe (and thus cannot affect) individual user security. This asymmetric information causes moral hazard. Then, for most parameters, no equilibrium exists: the insurance market is missing. Even if an equilibrium exists, the insurance contract covers only a minor fraction of the damage, and network security worsens relative to the no-insurance equilibrium. Second, we consider insurers with perfect information about their users' security. Here, user security is perfectly enforceable (at zero cost); each insurance contract stipulates the required user security. The unique equilibrium contract covers the entire user damage. Still, for most parameters, network security worsens relative to the no-insurance equilibrium. Although cyber-insurance improves user welfare, in general, competitive cyber-insurers fail to improve network security.




Correspondence to Nikhil Shetty.


Copyright information

© 2010 Springer Science+Business Media, LLC

About this paper

Cite this paper

Shetty, N., Schwartz, G., Felegyhazi, M., Walrand, J. (2010). Competitive Cyber-Insurance and Internet Security. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_12


  • DOI: https://doi.org/10.1007/978-1-4419-6967-5_12

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-6966-8

  • Online ISBN: 978-1-4419-6967-5

  • eBook Packages: Computer Science (R0)
