Abstract
The rapid development of the cyber insurance market raises the question of how cyber insurance affects cyber security. Some researchers believe that the effect should be positive, as organisations will be forced to maintain a high level of security in order to pay lower premiums. Other researchers, however, have shown through theoretical analysis that the availability of cyber insurance may result in lower investments in security.
In this paper we propose a mathematical analysis of a cyber-insurance model in a non-competitive market. We prove that with the right pricing strategy it is always possible to ensure that security investments are at least as high as without insurance. Our general theoretical analysis is confirmed by specific cases using CARA and CRRA utility functions.
This work was partially supported by projects H2020 MSCA NeCS 675320 and H2020 MSCA CyberSure 734815.
Notes
- 1.
- 2.
We acknowledge that in reality the effect of investments on the probability of occurrence is more complex, and that an incident may occur more than once, but we would like to underline that this standard modelling (for cyber investment models [7, 8, 10, 13, 16] and general insurance [4]) is an approximation of reality which reduces the complexity of computations and allows the core insights to be analysed [7].
- 3.
Although Eq. 1 can be simplified, we leave it in this form to underline the similarity with the following step in the discussion.
- 4.
- 5.
See the proof in the Appendix.
- 6.
\(f'(I^{\star })\) is continuous on the interval \(I^{\star }\in [0;L]\) since neither \(pr'({x^{\star }})=0\) nor \((pr({x^{\star }})U'_{IL}+(1-pr({x^{\star }}))U'_{IN})=0\) for realistic values.
- 7.
First, we cut the considered interval into small pieces and found the pieces whose border values have different signs. Then we applied the bisection method: cutting the piece in half, checking the signs of the function at the border values, and always keeping the half with different signs at its borders, until the remaining half is shorter than the allowed error.
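The procedure in note 7, as an added example that is not the authors' code: it scans an interval for sign changes, bisects each bracket, and uses the result to find the security investment that maximises the expected utility of an uninsured CARA agent. The breach-probability function `pr(x)`, all parameter values and all function names are assumptions chosen for illustration.

```python
import math

# Constructed parameters (assumptions, not taken from the paper)
W, L = 100.0, 50.0      # initial wealth and size of the loss
A = 0.02                # CARA coefficient of absolute risk aversion
V, ALPHA = 0.5, 0.2     # assumed breach probability pr(x) = V / (1 + ALPHA*x)

def U(w):   return 1.0 - math.exp(-A * w)          # CARA utility
def dU(w):  return A * math.exp(-A * w)            # U'(w)
def pr(x):  return V / (1.0 + ALPHA * x)
def dpr(x): return -V * ALPHA / (1.0 + ALPHA * x) ** 2

def expected_utility(x):
    # W_NL = W - x - L (incident), W_NN = W - x (no incident)
    return pr(x) * U(W - x - L) + (1 - pr(x)) * U(W - x)

def foc(x):
    """Derivative of expected_utility in x; zero at an interior optimum."""
    return (dpr(x) * (U(W - x - L) - U(W - x))
            - pr(x) * dU(W - x - L) - (1 - pr(x)) * dU(W - x))

def find_roots(f, lo, hi, pieces=1000, tol=1e-9):
    """Scan [lo, hi] in equal pieces, then bisect each piece whose
    border values differ in sign until it is shorter than tol."""
    roots, step = [], (hi - lo) / pieces
    for i in range(pieces):
        a, b = lo + i * step, lo + (i + 1) * step
        fa, fb = f(a), f(b)
        if fa == 0.0:                 # root exactly on a border
            roots.append(a)
        elif fa * fb < 0:
            while b - a > tol:
                m = (a + b) / 2
                fm = f(m)
                if fa * fm <= 0:      # sign change is in the left half
                    b = m
                else:                 # otherwise keep the right half
                    a, fa = m, fm
            roots.append((a + b) / 2)
    if f(hi) == 0.0:
        roots.append(hi)
    return roots

def optimal_investment():
    # Compare interior stationary points with both borders (corner solutions)
    candidates = find_roots(foc, 0.0, W - L) + [0.0, W - L]
    return max(candidates, key=expected_utility)

if __name__ == "__main__":
    print(f"optimal investment x* = {optimal_investment():.4f}")
```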
References
Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security economics and the internal market, January 2008. https://www.enisa.europa.eu/publications/archive/economics-sec/at_download/fullReport. Accessed 15 Jan 2016
Böhme, R., Schwartz, G.: Modeling cyber-insurance: towards a unifying framework. In: Proceedings of the 9th Workshop on the Economics in Information Security (2010)
Bolot, J., Lelarge, M.: A new perspective on internet security using insurance. In: Proceedings of the 27th IEEE International Conference on Computer Communications, Phoenix, AZ, USA, pp. 1948–1956, April 2008
Ehrlich, I., Becker, G.S.: Market insurance, self-insurance, and self-protection. In: Dionne, G., Harrington, S.E. (eds.) Foundations of Insurance Economics, pp. 164–189. Springer, Dordrecht (1992). https://doi.org/10.1007/978-94-015-7957-5_8
ENISA: Incentives and barriers of the cyber insurance market in Europe, June 2012. goo.gl/BtNyj4. Accessed 12 Dec 2014
EY: Global insurance outlook (2015). goo.gl/uyFzQ4. Accessed 11 Aug 2015
Gordon, L., Loeb, M.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2003)
Laszka, A., Felegyhazi, M., Buttyan, L.: A survey of interdependent information security games. ACM Comput. Surv. 47(2), 23:1–23:38 (2014)
Laszka, A., Johnson, B., Grossklags, J., Felegyhazi, M.: Estimating systematic risk in real-world networks. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 417–435. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_27
Lelarge, M., Bolot, J.: Network externalities and the deployment of security features and protocols in the internet. SIGMETRICS Perform. Eval. Rev. 36(1), 37–48 (2008)
Lelarge, M., Bolot, J.: Economic incentives to increase security in the internet: the case for insurance. In: Proceedings of the 28th IEEE International Conference on Computer Communications, Rio de Janeiro, pp. 1494–1502, April 2009
Majuca, R.P., Yurcik, W., Kesan, J.P.: The evolution of cyberinsurance. The Computing Research Repository, pp. 1–16 (2006)
Marotta, A., Martinelli, F., Nanni, S., Orlando, A., Yautsiukhin, A.: Cyber-insurance survey. Comput. Sci. Rev. 24, 35–61 (2017)
Naghizadeh, P., Liu, M.: Voluntary participation in cyber-insurance markets. In: Proceedings of the 2014 Workshop on Economics in Information Security (2014)
Ogut, H., Menon, N., Raghunathan, S.: Cyber insurance and IT security investment: impact of interdependent risk. In: Proceedings of the 4-th Workshop on the Economics of Information Security (2005)
Pal, R., Golubchik, L., Psounis, K., Hui, P.: Will cyber-insurance improve network security? A market analysis. In: Proceedings of the 2014 INFOCOM, pp. 235–243. IEEE (2014)
Schneier, B.: Insurance and the computer industry. Commun. ACM 44(3), 114–115 (2001)
Schwartz, G., Shetty, N., Walrand, J.: Cyber-insurance: missing market driven by user heterogeneity. In: WEIS (2010)
Schwartz, G.A., Sastry, S.S.: Cyber-insurance framework for large scale interdependent networks. In: Proceedings of the 3rd International Conference on High Confidence Networked Systems, HiCoNS 2014, pp. 145–154. ACM (2014)
Shetty, N., Schwartz, G., Walrand, J.: Can competitive insurers improve network security? In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) Trust 2010. LNCS, vol. 6101, pp. 308–322. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13869-0_23
Vaughan, E.J., Vaughan, T.M.: Fundamentals of Risk and Insurance, 11th edn. Wiley, Hoboken (2014)
von Neumann, J., Morgenstern, O.: Theory of Games and Economic Behaviour, 3rd edn. Princeton University Press, Princeton (1953)
World Economic Forum: Global risks 2014. 9th edn (2014). http://www.droughtmanagement.info/literature/WEF_global_risks_report_2014.pdf. Accessed 3 Jan 2017
Appendix
We prove that \(f'(I^{\star })|_{I^{\star }=0}<0\).
Proof
What we are interested in is the sign of the first derivative when \(I^{\star }=0\). Since the divisor is clearly greater than zero, we focus on the dividend only. At this point \(U_{IL}|_{I^{\star }=0}=U_{NL}\) and \(U_{IN}|_{I^{\star }=0}=U_{NN}\), and the same holds for their derivatives. We reduce the first part of Eq. 48 by \(U'_{IL}\) inside the first brackets. The third part is 0, as well as all subparts with \(\frac{d\lambda }{dI^{\star }}\). In the last part we move out \(pr({x^{\star }})(1-(1+\lambda )pr({x^{\star }}))\). We get:
We know that \(U'_{NL}>U'_{NN}\) and the first derivative is positive. Thus, the first summand is negative. Also, \(U_{NL}<U_{NN}\) and the utility function is always positive. Also, \(1>(1+\lambda )pr({x^{\star }})\); otherwise an insured would pay a higher premium than the indemnity it gets in case of an incident. The only part left for consideration is \((U''_{NL}U'_{NN}-U''_{NN}U'_{NL})\).
We would like to recall that for the utility functions in use a coefficient of absolute risk aversion is defined as:
Moreover, the experimental and empirical evidence mostly confirms decreasing absolute risk aversion (DARA). For the sake of generality, here we assume non-increasing risk aversion (CARA and DARA):
In other words, \(A(W_{NL})\ge A(W_{NN})\), where \(W_{NL}\) is the financial position of an insured in case of an incident, while \(W_{NN}\) is the financial position of an insured in case no incident happens.
Thus, \((U''_{NL}U'_{NN}-U''_{NN}U'_{NL})=U'_{NN}U'_{NL}[A(W_{NN})-A(W_{NL})]\le 0\) and the second summand in the overall formula is negative or zero.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Martinelli, F., Orlando, A., Uuganbayar, G., Yautsiukhin, A. (2018). Preventing the Drop in Security Investments for Non-competitive Cyber-Insurance Market. In: Cuppens, N., Cuppens, F., Lanet, JL., Legay, A., Garcia-Alfaro, J. (eds) Risks and Security of Internet and Systems. CRiSIS 2017. Lecture Notes in Computer Science, vol 10694. Springer, Cham. https://doi.org/10.1007/978-3-319-76687-4_11
DOI: https://doi.org/10.1007/978-3-319-76687-4_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76686-7
Online ISBN: 978-3-319-76687-4
eBook Packages: Computer Science, Computer Science (R0)