Competitive Cyber-Insurance and Internet Security

  • Nikhil Shetty
  • Galina Schwartz
  • Mark Felegyhazi
  • Jean Walrand
Conference paper


This paper investigates how competitive cyber-insurers affect network security and welfare of the networked society. In our model, a user's probability to incur damage (from being attacked) depends on both his security and the network security, with the latter taken by individual users as given. First, we consider cyberinsurers who cannot observe (and thus, affect) individual user security. This asymmetric information causes moral hazard. Then, for most parameters, no equilibrium exists: the insurance market is missing. Even if an equilibrium exists, the insurance contract covers only a minor fraction of the damage; network security worsens relative to the no-insurance equilibrium. Second, we consider insurers with perfect information about their users' security. Here, user security is perfectly enforceable (zero cost); each insurance contract stipulates the required user security. The unique equilibrium contract covers the entire user damage. Still, for most parameters, network security worsens relative to the no-insurance equilibrium. Although cyber-insurance improves user welfare, in general, competitive cyber-insurers fail to improve network security.


Nash Equilibrium Insurance Market Security Level Network Security Social Planner 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Akerlof, G.A.: The market for ’lemons’: Quality uncertainty and the market mechanism. The Quarterly Journal of Economics 84(3), 488–500 (1970). URL http://ideas.repec. org/a/tpr/qjecon/v84y1970i3p488-500.htmlGoogle Scholar
  2. 2.
    Anderson, R., Böehme, R., Clayton, R., Moore, T.: Security economics and european policy. In: Proceedings of WEIS’08. Hanover, USA (2008)Google Scholar
  3. 3.
    Baer, W.S., Parkinson, A.: Cyberinsurance in it security management. IEEE Security and Privacy 5(3), 50–56 (2007). DOI Scholar
  4. 4.
    Böhme, R.: Cyber-insurance revisited. In: Proceedings of WEIS’05. Cambridge, USA (2005)Google Scholar
  5. 5.
    Bolot, J., Lelarge, M.: A new perspective on internet security using insurance. INFOCOM 2008. The 27th Conference on Computer Communications. IEEE pp. 1948–1956 (2008). DOI 10.1109/INFOCOM.2008.259Google Scholar
  6. 6.
    Fisk, M.: Causes and remedies for social acceptance of network insecurity. In: Proceedings of WEIS’02. Berkeley, USA (2002)Google Scholar
  7. 7.
    Gordon, L.A., Loeb, M., Sohail, T.: A framework for using insurance for cyber-risk management. Communications of the ACM 46(3), 81–85 (2003)Google Scholar
  8. 8.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002). DOI Scholar
  9. 9.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure?: a game-theoretic analysis of information security games. In: WWW ’08: Proceeding of the 17th international conference on World Wide Web, pp. 209–218. ACM, New York, NY, USA (2008). DOI Scholar
  10. 10.
    H. Ogut, N.M., Raghunathan, S.: Cyber insurance and it security investment: Impact of interdependent risk. In: Proceedings of WEIS’05. Cambridge, USA (2005)Google Scholar
  11. 11.
    Hausken, K.: Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability. Information Systems Frontiers 8(5), 338–349 (2006). DOI Scholar
  12. 12.
    Hofmann, A.: Internalizing externalities of loss prevention through insurance monopoly: an analysis of interdependent risks. Geneva Risk and Insurance Review 32(1), 91–111 (2007)Google Scholar
  13. 13.
    Honeyman, P., Schwartz, G., Assche, A.V.: Interdependence of reliability and security. In: Proceedings of WEIS’07. Pittsburg, PA (2007)Google Scholar
  14. 14.
    Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26(2-3), 231–49 (2003). URL v26y2003i2-3p231-49.htmlGoogle Scholar
  15. 15.
    Kunreuther, H.C., Michel-Kerjan, E.O.: Evaluating the effectiveness of terrorism risk financing solutions. NBER Working Papers 13359, National Bureau of Economic Research, Inc (2007). URL Scholar
  16. 16.
    Majuca, R.P., Yurcik, W., Kesan, J.P.: The evolution of cyberinsurance. Tech. Rep. CR/0601020, ACM Computing Research Repository (2006)Google Scholar
  17. 17.
    Rothschild, M., Stiglitz, J.E.: Equilibrium in competitive insurance markets: An essay on the economics of imperfect information. The Quarterly Journal of Economics 90(4), 630–49 (1976). URL Scholar
  18. 49.
    v90y1976i4p630-htmlGoogle Scholar
  19. 18.
    Schechter, S.E.: Computer security strength and risk: a quantitative approach. Ph.D. thesis, Cambridge, MA, USA (2004). Adviser-Smith„ Michael D.Google Scholar
  20. 19.
    Soohoo, K.: How much is enough? a risk-management approach to computer security. Ph.D. thesis, Stanford UniversityGoogle Scholar
  21. 20.
    Stiglitz, J.E.: Information and the change in the paradigm in economics. American Economic Review 92(3), 460–501 (2002). URL v92y2002i3p460-501.htmlGoogle Scholar
  22. 21.
    Varian, H.: System reliability and free riding. In: Workshop on the Economics of Information 2002.Security, WEISCambridge, USA (2002)Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Nikhil Shetty
    • 1
  • Galina Schwartz
    • 1
  • Mark Felegyhazi
    • 2
  • Jean Walrand
    • 1
  1. 1.UC BerkeleyBerkeleyUSA
  2. 2.ICSIBerkeleyUSA

Personalised recommendations