Cyber-Insurance as a Signaling Game: Self-reporting and External Security Audits

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11199)

Abstract

An insurer has to know the risks faced by a potential client to accurately determine an insurance premium offer. However, while the potential client might have a good understanding of its own security practices, it may also have an incentive not to disclose them honestly since the resulting information asymmetry could work in its favor. This information asymmetry engenders adverse selection, which can result in unfair premiums and reduced adoption of cyber-insurance. To overcome information asymmetry, insurers often require potential clients to self-report their risks. Still, clients do not have any incentive to perform thorough self-audits or to provide comprehensive reports. As a result, insurers have to complement self-reporting with external security audits to verify the clients’ reports. Since these audits can be very expensive, a key problem faced by insurers is to devise an auditing strategy that deters clients from dishonest reporting using a minimal number of audits. To solve this problem, we model the interactions between a potential client and an insurer as a two-player signaling game. One player represents the client, who knows its actual security-investment level, but may report any level to the insurer. The other player represents the insurer, who knows only the random distribution from which the security level was drawn, but may discover the actual level using an expensive audit. We study the players’ equilibrium strategies and provide numerical illustrations.


Notes

  1. In fact, the cost of penetration testing, cyber-security risk assessment and related services is non-trivial and quickly increases with the size of an organization. See, for example, the pricing examples at: https://www.trustnetinc.com/pricing/.

  2. Randomness models the insurer’s a priori uncertainty regarding what type of organization it faces.

  3. These may be learned from statistics that are available to the insurer.


Acknowledgement

We thank the anonymous reviewers for their comments. The research activities of Jens Grossklags are supported by DIVSI. Emmanouil Panaousis’ work is supported by the H2020-MSCA-RISE-2018 SECONDO project.

Author information

Corresponding author

Correspondence to Emmanouil Panaousis.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Laszka, A., Panaousis, E., Grossklags, J. (2018). Cyber-Insurance as a Signaling Game: Self-reporting and External Security Audits. In: Bushnell, L., Poovendran, R., Başar, T. (eds) Decision and Game Theory for Security. GameSec 2018. Lecture Notes in Computer Science, vol 11199. Springer, Cham. https://doi.org/10.1007/978-3-030-01554-1_29

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-01554-1_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01553-4

  • Online ISBN: 978-3-030-01554-1

  • eBook Packages: Computer Science (R0)
