Should Cyber-Insurance Providers Invest in Software Security?
Insurance is based on the diversifiability of individual risks: if a provider maintains a large portfolio of customers whose risks are largely independent, the probability that any single event affects a large fraction of them is negligible. In cyber-insurance, however, not all risks are diversifiable, because of software monocultures. If a vulnerability is discovered in a widely used software product, it can be exploited against a multitude of targets until it is eventually patched, which is a catastrophic event for the provider. To lower their exposure to such non-diversifiable risk, providers may try to influence the security of the widely used software products in their customer population, for example, through vulnerability reward programs.
We explore the proposal that insurance providers should take a proactive role in improving software security, and provide evidence that this approach is viable for a monopolistic provider. We develop a model which captures the supply and demand sides of insurance, provide computational complexity results on the provider’s investment decisions, and propose different heuristic investment strategies. We demonstrate that investments can reduce non-diversifiable risks and can lead to a more profitable cyber-insurance market. Finally, we detail the relative merits of the different heuristic strategies with numerical results.
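The diversifiability argument above can be made numerical. The following is an added illustration, not the paper's model (the paper's supply-and-demand model and its investment strategies are not reproduced on this page): a portfolio of n customers, each compromised independently with probability p, of which m run the same widely used product that is exploited against all of them at once with probability q. Treating the provider's security investment as lowering q, and every parameter value below, are assumptions made for the illustration.

```python
"""Illustrative portfolio model (added example, not the paper's own model).
Shows why a monoculture loss is non-diversifiable and how lowering the
probability q of a wholesale exploit shrinks the insurer's tail risk.
All parameter values are assumed."""


def binomial_pmf(n, p):
    """P(X = k) for X ~ Binomial(n, p), k = 0..n, via the stable recurrence
    pmf[k] = pmf[k-1] * (n-k+1)/k * p/(1-p) (no huge binomial coefficients)."""
    if n == 0:
        return [1.0]
    pmf = [(1.0 - p) ** n]
    ratio = p / (1.0 - p)
    for k in range(1, n + 1):
        pmf.append(pmf[-1] * (n - k + 1) / k * ratio)
    return pmf


def loss_pmf(n, p, m, q):
    """Distribution of the number of compromised customers in a portfolio of n.

    p: per-customer probability of an idiosyncratic (independent) compromise
    m: customers running the same widely used software product
    q: probability that, within the period, a vulnerability in that product
       is exploited against all m of them at once (the non-diversifiable event)
    Under the common event the m monoculture customers are all lost and the
    remaining n-m stay independent; without it all n are independent.
    """
    pmf = [0.0] * (n + 1)
    for k, pr in enumerate(binomial_pmf(n, p)):       # no common event
        pmf[k] += (1.0 - q) * pr
    for k, pr in enumerate(binomial_pmf(n - m, p)):   # common event occurs
        pmf[m + k] += q * pr
    return pmf


def expected_loss(pmf):
    return sum(k * pr for k, pr in enumerate(pmf))


def tail_prob(pmf, threshold):
    """P(loss >= threshold)."""
    return sum(pmf[threshold:])


def value_at_risk(pmf, level=0.99):
    """Smallest k with P(loss <= k) >= level: the capital the insurer must
    hold to remain solvent with probability `level`."""
    cum = 0.0
    for k, pr in enumerate(pmf):
        cum += pr
        if cum >= level:
            return k
    return len(pmf) - 1


def portfolio_risk(n, p, m, q, level=0.99):
    """Tail-risk summary. The tail threshold is twice the expected loss of a
    fully diversified portfolio (n*p), i.e. how often the provider pays out
    far more than an independence-based premium was priced for."""
    pmf = loss_pmf(n, p, m, q)
    return {
        "expected_loss": expected_loss(pmf),
        "tail_prob": tail_prob(pmf, round(2 * n * p)),
        "var": value_at_risk(pmf, level),
    }


if __name__ == "__main__":
    # Assumed values: 1000 insured, 1% idiosyncratic risk, half share one product.
    n, p, m = 1000, 0.01, 500
    # q = 0: no monoculture event; 0.02: baseline; 0.005: after investment lowers q.
    for q in (0.0, 0.02, 0.005):
        r = portfolio_risk(n, p, m, q)
        print(f"q={q:<6} E[loss]={r['expected_loss']:7.2f} "
              f"P(loss>={round(2 * n * p)})={r['tail_prob']:.4f} VaR99={r['var']}")
```

With these assumed values the independent portfolio has an expected loss of 10 customers and a 99% value-at-risk of about 18; adding a 2% chance of a wholesale exploit leaves the expected loss modest (about 20) but pushes the 99% value-at-risk above 500, because the common-mode mass cannot be averaged away by adding customers. Lowering q below the 1% solvency tolerance brings the capital requirement back to the diversified level, which is the mechanism by which an investment that makes the shared product harder to exploit pays off for the provider.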
Keywords: Economics of security; Cyber-insurance; Software security; Vulnerability discovery
We thank the reviewers for their comments. We gratefully acknowledge the support by the National Science Foundation under Award CNS-1238959, and by the Penn State Institute for CyberScience.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License (http://creativecommons.org/licenses/by-nc/2.5/), which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.