An Optimal Investment Strategy Against Information Security Risks

  • Bing-ning Pan
  • Jing Xie
Conference paper


Information risks have generally become a great challenge for individuals and organizations around the world. Managing information risks involves various tools and approaches, among which self-protection and cyber insurance are two important methods to control the residual risk and improve the security level. This paper analyzes companies’ investment strategies on self-protection and insurance respectively, and presents a company’s best choice in both the weakest-link case and the partial-correlation case. The results show that for most parameter settings a Nash equilibrium can be reached and that the companies’ strategies have an obvious impact on each other.


Information security, Insurance, Interdependent risks, Self-protection



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. College of Management and Economics, Tianjin University, Tianjin, China
