
Cyber Insurance as an Incentive for Internet Security

Managing Information Risk and the Economics of Security

Abstract

Managing security risks in the Internet has, so far, mostly involved methods to reduce the risks and the severity of the damages. Those methods (such as firewalls, intrusion detection and prevention, etc.) reduce but do not eliminate risk, and the question remains of how to handle the residual risk. In this chapter, we consider whether buying insurance to protect the Internet and its users from security risks makes sense and, if so, identify the specific benefits of insurance and how to design appropriate insurance policies.

Using insurance in the Internet raises several questions because entities in the Internet face correlated risks, which means that insurance claims will likely be correlated, making those entities less attractive to insurance companies. Furthermore, risks are interdependent, meaning that the decision by an entity to invest in security and self-protect affects the risk faced by others. We analyze the impact of these externalities on the security investments of the users using simple models that combine recent ideas from risk theory and network modeling.

Our key result is that using insurance would increase security in the Internet. Specifically, we show that the adoption of security investments follows threshold, or tipping-point, dynamics, and that insurance is a powerful incentive mechanism which pushes entities over the threshold into a desirable state where they invest in self-protection.

Given its many benefits, we argue that insurance should become an important component of risk management in the Internet, and discuss its impact on Internet mechanisms and architecture.




Copyright information

© 2009 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Bolot, J., Lelarge, M. (2009). Cyber Insurance as an Incentive for Internet Security. In: Johnson, M.E. (eds) Managing Information Risk and the Economics of Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09762-6_13


  • DOI: https://doi.org/10.1007/978-0-387-09762-6_13

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-09761-9

  • Online ISBN: 978-0-387-09762-6

  • eBook Packages: Computer Science, Computer Science (R0)
