Recent work on Internet risk management has proposed cyber-insurance as a way to cover risks from security threats that cannot be eliminated by traditional means such as antivirus software. In reality, an Internet user faces risks from security attacks as well as from non-security failures (e.g., reliability faults such as a hardware crash or a buffer overflow). A naive user often cannot tell these risk types apart, yet a cyber-insurance agency would most likely insure only losses due to security attacks. It is then a challenge for the user to choose the right type of cyber-insurance contract, because the traditional optimal contracts, i.e., contracts covering security attacks only, may be sub-optimal for him. In this paper we analyze cyber-insurance solutions for a user who faces risks from both security and non-security failures. We propose Aegis, a simple and novel cyber-insurance model in which the user retains a strictly positive fraction of the loss recovery himself and transfers the rest to the cyber-insurance agency. We show mathematically that only under conditions where buying cyber-insurance is mandatory would risk-averse Internet users, given the option, prefer Aegis contracts to traditional cyber-insurance contracts, and that this holds under all premium types. This result establishes that traditional cyber-insurance markets cannot exist once Aegis contracts are offered to users. We also derive a counterintuitive result for the Aegis framework: an increase (decrease) in the premium of an Aegis contract does not always lead to a decrease (increase) in its user demand. In the process we state the conditions under which the latter trend and its converse emerge.
Our work proposes a new cyber-insurance model for Internet security that extends all previous related models by accounting for the extra dimension of non-insurable risks. Aegis also gives Internet users an incentive to take more personal responsibility for protecting their systems.
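As an added worked illustration (not the paper's model, analysis or code), the following Python computes the expected utility of a risk-averse user who retains a fraction theta of every security loss, as in an Aegis-style contract, while also exposed to a non-insurable reliability loss. Everything in it is an assumption made for the example: log utility, the wealth, loss sizes and probabilities, independence of the two loss types, and a premium that is linear in the covered fraction and scaled by a loading factor (1.0 is actuarially fair). The paper's results on mandatory insurance and on premium versus demand are not reproduced here; the block only shows the mechanics of retention and what it does to expected utility under fair versus loaded premiums.

```python
import math
from itertools import product

# Constructed, hypothetical parameters (not taken from the paper).
INITIAL_WEALTH = 100.0
SECURITY_LOSS = 40.0       # insurable loss caused by a security attack
P_SECURITY = 0.10          # probability of a security attack
NONSECURITY_LOSS = 20.0    # non-insurable loss (e.g. a reliability failure)
P_NONSECURITY = 0.05       # probability of a non-security failure


def utility(wealth):
    """Log utility: a standard concave (risk-averse) choice, assumed here."""
    if wealth <= 0:
        raise ValueError("wealth must be positive for log utility")
    return math.log(wealth)


def expected_utility(retention, loading=1.0):
    """Expected utility of a user who keeps `retention` (theta) of every
    security loss and transfers the remaining 1 - theta to the insurer.

    retention == 0.0 is a traditional full-coverage contract;
    0 < retention <= 1 is an Aegis-style contract.
    Non-security losses are never covered, whatever the contract.
    Assumed pricing: premium = loading * (1 - theta) * expected security loss.
    """
    if not 0.0 <= retention <= 1.0:
        raise ValueError("retention must lie in [0, 1]")
    full_premium = loading * P_SECURITY * SECURITY_LOSS
    premium = (1.0 - retention) * full_premium
    eu = 0.0
    # Enumerate the four joint outcomes (attacked?, failed?), assumed independent.
    for attacked, failed in product((0, 1), repeat=2):
        prob = ((P_SECURITY if attacked else 1.0 - P_SECURITY)
                * (P_NONSECURITY if failed else 1.0 - P_NONSECURITY))
        wealth = (INITIAL_WEALTH - premium
                  - attacked * retention * SECURITY_LOSS
                  - failed * NONSECURITY_LOSS)
        eu += prob * utility(wealth)
    return eu


def optimal_retention(loading=1.0, steps=100):
    """Grid-search the retention fraction that maximises expected utility."""
    candidates = [i / steps for i in range(steps + 1)]
    return max(candidates, key=lambda theta: expected_utility(theta, loading))


if __name__ == "__main__":
    for loading in (1.0, 1.2, 1.5):
        theta = optimal_retention(loading)
        print(f"loading={loading:.1f}  optimal retention={theta:.2f}  "
              f"EU(full cover)={expected_utility(0.0, loading):.6f}  "
              f"EU(best)={expected_utility(theta, loading):.6f}")
```

Under these assumptions the grid search lands on theta = 0 (full coverage) when the premium is actuarially fair, and on a strictly positive retention as soon as the insurer adds a loading; with log utility the retained fraction grows as the loading grows. That is the classical partial-coverage result of insurance economics, offered here as a check the reader can rerun and vary, not as a finding of the paper.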