The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
A framework for using insurance for cyber-risk management
Communications of the ACM
Computer security strength and risk: a quantitative approach
Cyberinsurance in IT Security Management
IEEE Security and Privacy
Secure or insure?: a game-theoretic analysis of information security games
Proceedings of the 17th international conference on World Wide Web
Using insurance to increase internet security
Proceedings of the 3rd international workshop on Economics of networked systems
Can competitive insurers improve network security?
TRUST'10 Proceedings of the 3rd international conference on Trust and trustworthy computing
The interdependent nature of security on the Internet causes a negative externality that results in under-investment in technology-based defences. Previous research suggests that, in such an environment, cyber-insurance may serve as an important tool not only to manage risks but also to improve the incentives for investment in security. This paper investigates how competitive cyber-insurers affect network security and user welfare. We utilize a general setting, where the network is populated by identical users with arbitrary risk-aversion and network security is costly for the users. In our model, the probability that a user incurs damage (from being attacked) depends on both his own security and the network security. First, we consider cyber-insurers who cannot observe (and thus cannot affect) individual user security. This asymmetric information causes moral hazard. If an equilibrium exists, network security is always worse relative to the no-insurance equilibrium. Though user utility may rise because risks are covered, total costs to society go up due to higher network insecurity. Second, we consider insurers with full information about their users' security. Here, user security is perfectly enforceable (at zero cost). Each insurance contract stipulates the required user security and covers the entire user damage. Still, for a significant range of parameters, network security worsens relative to the no-insurance equilibrium. Thus, although cyber-insurance improves user welfare, in general, competitive cyber-insurers may fail to improve network security.