Skip to main content
Springer Nature Link
Log in

On the Limits of Cyber-Insurance

  • Conference paper
Trust and Privacy in Digital Business (TrustBus 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4083))

  • 1117 Accesses

Abstract

It has been argued that cyber-insurance will create the right kind of security atmosphere on the Internet. It will provide incentive (through lowered premiums) to firms to better secure their network thus reducing the threat of first party as well as third party damage, promote gathering and sharing of information security related incidents thus aiding development of global information security standards and practices, and finally, increase the overall social welfare by decreasing the variance of losses faced by individual firms via risk pooling as in other kinds of insurance. However, a unique aspect of cyber-risks is the high level of correlation in risk (e.g. worms and viruses) that affects both the insurer and the insured. In this paper, we present a discussion on the factors that influence the correlation in cyber-risks both at a global level, i.e. correlation across independent firms in an insurer’s portfolio, and at a local level, i.e. correlation of risk within a single firm. While global risk correlation influences insurers’ decision in setting the premium, the internal correlation within a firm influences its decision to seek insurance. We study the combined dynamics of these two to determine when a market for cyber-insurance can exist. We address technical, managerial and policy choices influencing both kind of correlations and welfare implications thereof.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Beattie, S., et al.: Timing the application of security patches for optimal uptime. In: Proceedings of LISA 2002: 16th Systems Administration Conference, pp. 233–242. USENIX Association, Berkeley (2002)

    Google Scholar 

  2. Geer, D., et al.: CyberInsecurity – The cost of monopoly (2003), http://www.ccianet.org/papers/cyberinsecurity.pdf

  3. Chen, P.Y., Kataria, G., Krishnan, R.: Software diversity for information security. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005), http://infosecon.net/workshop/pdf/47.pdf

  4. Soo Hoo, K.J.: How Much Is Enough? A Risk-Management Approach To Computer Security. PhD thesis, Stanford University, CA (2000), http://cisac.stanford.edu/publications/11900/

  5. Schechter, S.E., Smith, M.D.: How much security is enough to stop a thief? In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 122–137. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  6. Arora, A., Hall, D., Pinto, C.A., Ramsey, D., Telang, R.: Measuring the risk-based value of IT security solutions. IEEE IT Professional Magazine 6, 35–42 (2004)

    Article  Google Scholar 

  7. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Transactions on Information and System Security 5, 438–457 (2002)

    Article  Google Scholar 

  8. Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Communications of the ACM 46, 81–85 (2003)

    Article  Google Scholar 

  9. Majuca, R.P., Yurcik, W., Kesan, J.P.: The evolution of cyberinsurance. In: ACM Computing Research Repository (CoRR), Technical Report cs.CR/0601020 (2006)

    Google Scholar 

  10. Ogut, H., Menon, N., Ragunathan, S.: Cyber insurance and IT security investment: Impact of independent risk. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005), http://infosecon.net/workshop/pdf/56.pdf

  11. Kunreuther, H., Heal, G.: Interdependent security. Journal of Risk and Uncertainty 26, 231–249 (2003)

    Article  MATH  Google Scholar 

  12. Böhme, R.: Cyber-insurance revisited. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005), http://infosecon.net/workshop/pdf/15.pdf

  13. Embrechts, P., Klüppelberg, C., Mikosch, T.: Modelling Extremal Events for Insurance and Finance, 2nd edn. Springer, Heidelberg (1999)

    Google Scholar 

  14. Schultz, E.E.: A framework for understanding and predicting insider attacks. In: Proc. of Compsec, London, UK, pp. 526–531 (2002)

    Google Scholar 

  15. Kreibich, C., Crowcroft, J.: Honeycomb - creating intrusion detection signatures using honeypots. In: Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II) (2003)

    Google Scholar 

  16. Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI) (2004)

    Google Scholar 

  17. Newsome, J., Karp, B., Song, D.: Polygraph: Automatic signature generation for polymorphic worms. In: Proceedings of the IEEE Security and Privacy Symposium (2005)

    Google Scholar 

  18. Bakkaloglu, M., Wylie, J., Wang, C., Ganger, G.: On correlated failures in survivable storage systems, Technical Report CMU-CS-02-129, Carnegie Mellon University, School of Computer Science (2002)

    Google Scholar 

  19. Nicola, V.F., Goyal, A.: Modeling of correlated failures and community error recovery in multiversion software. IEEE Transactions on Software Engineering 16, 350–359 (1990)

    Article  Google Scholar 

  20. Demarta, S., McNeil, A.J.: The t copula and related copulas. International Statistical Review 71, 111–129 (2005)

    Google Scholar 

  21. Böhme, R., Kataria, G.: Models and measures for correlation in cyber-insurance. In: Workshop on the Economics of Information Security (WEIS). University of Cambridge, UK (2006), http://weis2006.econinfosec.org/docs/16.pdf

    Google Scholar 

  22. Wylie, J.J., et al.: Survivable information storage systems. IEEE Computer 33, 61–68 (2000)

    Google Scholar 

  23. Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979)

    Article  MATH  MathSciNet  Google Scholar 

  24. Rabin, M.O.: Efficient dispersal of information for security, load balancing and fault tolerance. Journal of the ACM 32, 335–348 (1989)

    Article  MathSciNet  Google Scholar 

  25. Pratt, J.W.: Risk aversion in the small and in the large. Econometrica 32, 122–136 (1964)

    Article  MATH  Google Scholar 

  26. Ehrlich, I., Becker, G.S.: Market insurance, self-insurance, and self-protection. Journal of Political Economy 80, 623–648 (1972)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Institute for System Architecture, Technische Universität Dresden,  

    Rainer Böhme

  2. Heinz School of Policy and Management, Carnegie Mellon University,  

    Gaurav Kataria

Authors
  1. Rainer Böhme
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gaurav Kataria
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Karlstad University, Universitetsgatan 2, 651 88, Karlstad, Sweden

    Simone Fischer-Hübner

  2. School of Computing, Communications and Electronics, Network Research Group, University of Plymouth, PL4 8AA, Plymouth, UK

    Stevel Furnell

  3. Laboratory of Information and Communication Systems Security Department of Information and Communication Systems Engineering, University of the Aegean, GR-83200, Samos, Karlovassi, Greece

    Costas Lambrinoudakis

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Böhme, R., Kataria, G. (2006). On the Limits of Cyber-Insurance. In: Fischer-Hübner, S., Furnell, S., Lambrinoudakis, C. (eds) Trust and Privacy in Digital Business. TrustBus 2006. Lecture Notes in Computer Science, vol 4083. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11824633_4

Download citation

  • DOI: https://doi.org/10.1007/11824633_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-37750-4

  • Online ISBN: 978-3-540-37752-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation