On the Limits of Cyber-Insurance

  • Rainer Böhme
  • Gaurav Kataria
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4083)


It has been argued that cyber-insurance will create the right kind of security atmosphere on the Internet. It will provide incentive (through lowered premiums) to firms to better secure their network thus reducing the threat of first party as well as third party damage, promote gathering and sharing of information security related incidents thus aiding development of global information security standards and practices, and finally, increase the overall social welfare by decreasing the variance of losses faced by individual firms via risk pooling as in other kinds of insurance. However, a unique aspect of cyber-risks is the high level of correlation in risk (e.g. worms and viruses) that affects both the insurer and the insured. In this paper, we present a discussion on the factors that influence the correlation in cyber-risks both at a global level, i.e. correlation across independent firms in an insurer’s portfolio, and at a local level, i.e. correlation of risk within a single firm. While global risk correlation influences insurers’ decision in setting the premium, the internal correlation within a firm influences its decision to seek insurance. We study the combined dynamics of these two to determine when a market for cyber-insurance can exist. We address technical, managerial and policy choices influencing both kind of correlations and welfare implications thereof.


Information Security Global Correlation Extreme Value Theory Internal Correlation Information Asset 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Beattie, S., et al.: Timing the application of security patches for optimal uptime. In: Proceedings of LISA 2002: 16th Systems Administration Conference, pp. 233–242. USENIX Association, Berkeley (2002)Google Scholar
  2. 2.
    Geer, D., et al.: CyberInsecurity – The cost of monopoly (2003),
  3. 3.
    Chen, P.Y., Kataria, G., Krishnan, R.: Software diversity for information security. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005),
  4. 4.
    Soo Hoo, K.J.: How Much Is Enough? A Risk-Management Approach To Computer Security. PhD thesis, Stanford University, CA (2000),
  5. 5.
    Schechter, S.E., Smith, M.D.: How much security is enough to stop a thief? In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 122–137. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Arora, A., Hall, D., Pinto, C.A., Ramsey, D., Telang, R.: Measuring the risk-based value of IT security solutions. IEEE IT Professional Magazine 6, 35–42 (2004)CrossRefGoogle Scholar
  7. 7.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5, 438–457 (2002)CrossRefGoogle Scholar
  8. 8.
    Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Communications of the ACM 46, 81–85 (2003)CrossRefGoogle Scholar
  9. 9.
    Majuca, R.P., Yurcik, W., Kesan, J.P.: The evolution of cyberinsurance. In: ACM Computing Research Repository (CoRR), Technical Report cs.CR/0601020 (2006)Google Scholar
  10. 10.
    Ogut, H., Menon, N., Ragunathan, S.: Cyber insurance and IT security investment: Impact of independent risk. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005),
  11. 11.
    Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26, 231–249 (2003)zbMATHCrossRefGoogle Scholar
  12. 12.
    Böhme, R.: Cyber-insurance revisited. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005),
  13. 13.
    Embrechts, P., Klüppelberg, C., Mikosch, T.: Modelling Extremal Events for Insurance and Finance, 2nd edn. Springer, Heidelberg (1999)Google Scholar
  14. 14.
    Schultz, E.E.: A framework for understanding and predicting insider attacks. In: Proc. of Compsec, London, UK, pp. 526–531 (2002)Google Scholar
  15. 15.
    Kreibich, C., Crowcroft, J.: Honeycomb - creating intrusion detection signatures using honeypots. In: Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II) (2003)Google Scholar
  16. 16.
    Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI) (2004)Google Scholar
  17. 17.
    Newsome, J., Karp, B., Song, D.: Polygraph: Automatic signature generation for polymorphic worms. In: Proceedings of the IEEE Security and Privacy Symposium (2005)Google Scholar
  18. 18.
    Bakkaloglu, M., Wylie, J., Wang, C., Ganger, G.: On correlated failures in survivable storage systems, Technical Report CMU-CS-02-129, Carnegie Mellon University, School of Computer Science (2002)Google Scholar
  19. 19.
    Nicola, V.F., Goyal, A.: Modeling of correlated failures and community error recovery in multiversion software. IEEE Transactions on Software Engineering 16, 350–359 (1990)CrossRefGoogle Scholar
  20. 20.
    Demarta, S., McNeil, A.J.: The t copula and related copulas. International Statistical Review 71, 111–129 (2005)Google Scholar
  21. 21.
    Böhme, R., Kataria, G.: Models and measures for correlation in cyber-insurance. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006), Google Scholar
  22. 22.
    Wylie, J.J., et al.: Survivable information storage systems. IEEE Computer 33, 61–68 (2000)Google Scholar
  23. 23.
    Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979)zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    Rabin, M.O.: Efficient dispersal of information for security, load balancing and fault tolerance. Journal of the ACM 32, 335–348 (1989)CrossRefMathSciNetGoogle Scholar
  25. 25.
    Pratt, J.W.: Risk aversion in the small and in the large. Econometrica 32, 122–136 (1964)zbMATHCrossRefGoogle Scholar
  26. 26.
    Ehrlich, I., Becker, G.S.: Market insurance, self-insurance, and self-protection. Journal of Political Economy 80, 623–648 (1972)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Rainer Böhme
    • 1
  • Gaurav Kataria
    • 2
  1. 1.Institute for System ArchitectureTechnische Universität Dresden 
  2. 2.Heinz School of Policy and ManagementCarnegie Mellon University 

Personalised recommendations