Preventing the Drop in Security Investments for Non-competitive Cyber-Insurance Market

Abstract

The rapid development of cyber insurance market brings forward the question about the effect of cyber insurance on cyber security. Some researchers believe that the effect should be positive as organisations will be forced to maintain a high level of security in order to pay lower premiums. On the other hand, other researchers conduct a theoretical analysis and demonstrate that availability of cyber insurance may result in lower investments in security.

In this paper we propose a mathematical analysis of a cyber-insurance model in a non-competitive market. We prove that with a right pricing strategy it is always possible to ensure that security investments are at least as high as without insurance. Our general theoretical analysis is confirmed by specific cases using CARA and CRRA utility functions.

This work was partially supported by projects H2020 MSCA NeCS 675320 and H2020 MSCA CyberSure 734815.

Appendix

We prove that \(f'(I^{\star })|_{I^{\star }=0}<0\).

Proof

$$\begin{aligned} \frac{df}{dI^{\star }}&\nonumber \\&=\frac{\left[ (1-(1+\lambda )pr({x^{\star }})-pr({x^{\star }})I\frac{d\lambda }{dI^{\star }})U'_{IL} -U'_{IL}\right] \left[ pr({x^{\star }})U'_{IL}+(1-pr({x^{\star }}))U'_{IN}\right] }{(pr({x^{\star }}))U'_{IL}+(1-pr({x^{\star }}))U'_{IN})^{2}}\nonumber \\&+\frac{\left[ (1+\lambda )pr({x^{\star }})+pr({x^{\star }})I\frac{d\lambda }{dI^{\star }})\right] U'_{IN}\left[ pr({x^{\star }})U'_{IL}+(1-pr({x^{\star }}))U'_{IN}\right] }{(pr({x^{\star }}))U'_{IL}+(1-pr({x^{\star }}))U'_{IN})^{2}}\nonumber \\&-\frac{I^{\star }\left[ 1-(1+\lambda )pr({x^{\star }})-pr({x^{\star }})I\frac{d\lambda }{dI^{\star }}\right] U''_{IL}\left[ pr({x^{\star }})U'_{IL}+(1-pr({x^{\star }}))U'_{IN}\right] }{(pr({x^{\star }}))U'_{IL}+(1-pr({x^{\star }}))U'_{IN})^{2}}\nonumber \\&-\frac{\left[ U_{IL}-U_{IN}-I^{\star }U'_{IL}\right] pr({x^{\star }})\left[ 1-(1+\lambda )pr({x^{\star }})-pr({x^{\star }})I\frac{d\lambda }{dI^{\star }}\right] U''_{IL}}{(pr({x^{\star }}))U'_{IL}+(1-pr({x^{\star }}))U'_{IN})^{2}}\nonumber \\&-\frac{\left[ U_{IL}-U_{IN}-I^{\star }U'_{IL}\right] pr({x^{\star }})(1-pr({x^{\star }}))\left[ -(1+\lambda )pr({x^{\star }})-pr({x^{\star }})I\frac{d\lambda }{dI^{\star }}\right] U''_{IN}}{(pr({x^{\star }}))U'_{IL}+(1-pr({x^{\star }}))U'_{IN})^{2}}. \end{aligned}$$

(48)

What we are interested in is the sign of the first derivative when \(I^{\star }=0\). Since the divisor is clearly grater than zero, we focus on the dividend only. \(U_{IL}|_{I^{\star }=0}=U_{NL}\) and \(U_{IN}|_{I^{\star }=0}=U_{NN}\) and derivatives. We reduce the first part of Eq. 48 by \(U'_{IL}\) inside the first brackets. The third part is 0, as well as all subparts with \(\frac{d\lambda }{dI^{\star }}\). In the last part we move out \(pr({x^{\star }})(1-(1+\lambda )pr({x^{\star }}))\). We get:

$$\begin{aligned}&(1+\lambda )pr({x^{\star }})(-U'_{NL}+U'_{NN})(pr({x^{\star }})U'_{NL}+(1-pr({x^{\star }}))U'_{NN})\nonumber \\&+(U_{NN}-U_{NL})pr({x^{\star }})(1-(1+\lambda )pr({x^{\star }}))[ (U''_{NL}-\frac{(1-pr({x^{\star }}))(1+\lambda )}{(1-(1+\lambda )pr({x^{\star }}))}U''_{NN})]\nonumber \\&=(1+\lambda )pr({x^{\star }})(-U'_{NL}+U'_{NN})(pr({x^{\star }})U'_{NL}+(1-pr({x^{\star }}))U'_{NN})\nonumber \\&+(U_{NN}-U_{NL})pr({x^{\star }})(1-(1+\lambda )pr({x^{\star }}))[ (U''_{NL}U'_{NN}-U''_{NN}U'_{NL})]\frac{1}{U'_{NN}}. \end{aligned}$$

(49)

We know, that \(U'_{NL}>U'_{NL}\) and the first derivative is positive. Thus, the first summand is negative. Also \(U'_{NL}<U'_{NL}\) and utility function is always positive. Also, \(1>(1+\lambda )pr({x^{\star }})\), otherwise an insured should pay more premium than the identity it gets in case of an incident. The only part left for consideration is \((U''_{NL}U'_{NN}-U''_{NN}U'_{NL})\).

We would like to recall that for the utility functions in use a coefficient of absolute risk aversion is defined as:

$$\begin{aligned} A(\varvec{W})=-\frac{{U}''({\varvec{W}})}{{U}'({\varvec{W}})}. \end{aligned}$$

(50)

Moreover, the experimental and empirical evidence mostly confirm the decreasing absolute risk aversion (DARA). For the sake of generality, here we assume non-increasing risk aversion (CARA and DARA):

$$\begin{aligned} \frac{\partial A(\varvec{W})}{\partial \varvec{W}}\le 0. \end{aligned}$$

(51)

In other words \(A(W_{NL})\ge A(W_{NN})\), where \(W_{NL}\) is the financial position of an insured in case of incident, while \(W_{NL}\) is the financial position of an insured in case no incident happens.

Thus, \((U''_{NL}U'_{NN}-U''_{NN}U'_{NL})=U'_{NN}U'_{NL}[A(W_{NN})-A(W_{NL})]\le 0\) and the second summand in the overall formula is negative or zero.