Security Games with Market Insurance

  • Benjamin Johnson
  • Rainer Böhme
  • Jens Grossklags
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7037)


Security games are characterized by multiple players who strategically adjust their defenses against an abstract attacker, represented by realizations of nature. The defense strategies include both actions where security generates positive externalities and actions that do not. When the players are assumed to be risk averse, market insurance enters as a third strategic option. We formulate a one-shot security game with market insurance, characterize its pure equilibria, and describe how the equilibria compare to established results. Simplifying assumptions include homogeneous players, fair insurance premiums, and complete information except for realizations of nature. The results add more realism to the interpretation of analytical models of security games and might inform policy makers on adjusting incentives to improve network security and foster the development of a market for cyber-insurance.


Keywords: Game theory; Security; Externalities; Protection; Self-insurance; Market insurance





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Benjamin Johnson (1)
  • Rainer Böhme (2)
  • Jens Grossklags (3)

  1. Department of Mathematics, UC Berkeley, USA
  2. Department of Information Systems, University of Münster, Germany
  3. College of Information Sciences and Technology, Penn State University, USA
