Abstract
An insurer has to know the risks faced by a potential client to accurately determine an insurance premium offer. However, while the potential client might have a good understanding of its own security practices, it may also have an incentive not to disclose them honestly since the resulting information asymmetry could work in its favor. This information asymmetry engenders adverse selection, which can result in unfair premiums and reduced adoption of cyber-insurance. To overcome information asymmetry, insurers often require potential clients to self-report their risks. Still, clients do not have any incentive to perform thorough self-audits or to provide comprehensive reports. As a result, insurers have to complement self-reporting with external security audits to verify the clients’ reports. Since these audits can be very expensive, a key problem faced by insurers is to devise an auditing strategy that deters clients from dishonest reporting using a minimal number of audits. To solve this problem, we model the interactions between a potential client and an insurer as a two-player signaling game. One player represents the client, who knows its actual security-investment level, but may report any level to the insurer. The other player represents the insurer, who knows only the random distribution from which the security level was drawn, but may discover the actual level using an expensive audit. We study the players’ equilibrium strategies and provide numerical illustrations.
Notes
1. In fact, the cost of penetration testing, cyber-security risk assessment and related services is non-trivial and quickly increases with the size of an organization. See, for example, the pricing examples at: https://www.trustnetinc.com/pricing/.
2. Randomness models the insurer's a priori uncertainty regarding what type of organization it faces.
3. These may be learned from statistics that are available to the insurer.
Acknowledgement
We thank the anonymous reviewers for their comments. The research activities of Jens Grossklags are supported by DIVSI. Emmanouil Panaousis’ work is supported by the H2020-MSCA-RISE-2018 SECONDO project.
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Laszka, A., Panaousis, E., Grossklags, J. (2018). Cyber-Insurance as a Signaling Game: Self-reporting and External Security Audits. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science, vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_29
DOI: https://doi.org/10.1007/978-3-030-01554-1_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01553-4
Online ISBN: 978-3-030-01554-1
eBook Packages: Computer Science (R0)