Can Competitive Insurers Improve Network Security?
The interdependent nature of security on the Internet causes a negative externality that results in under-investment in technology-based defences. Previous research suggests that, in such an environment, cyber-insurance may serve as an important tool not only to manage risks but also to improve the incentives for investment in security. This paper investigates how competitive cyber-insurers affect network security and user welfare. We utilize a general setting, where the network is populated by identical users with arbitrary risk-aversion and network security is costly for the users. In our model, a user’s probability of incurring damage (from being attacked) depends on both his own security and the network security.
First, we consider cyber-insurers who cannot observe (and thus cannot affect) individual user security. This asymmetric information causes moral hazard. If an equilibrium exists, network security is always worse relative to the no-insurance equilibrium. Though user utility may rise because risks are covered, total costs to society go up due to higher network insecurity.
Second, we consider insurers with full information about their users’ security. Here, user security is perfectly enforceable (at zero cost). Each insurance contract stipulates the required user security and covers the entire user damage. Still, for a significant range of parameters, network security worsens relative to the no-insurance equilibrium. Thus, although cyber-insurance improves user welfare, in general, competitive cyber-insurers may fail to improve network security.