Does Cyber-Insurance Benefit the Insured or the Attacker? – A Game of Cyber-Insurance

  • Conference paper
Decision and Game Theory for Security (GameSec 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14167)

Abstract

Cyber-insurance is an insurance policy that protects the insured from a variety of cybersecurity incidents such as cyber-attacks, ransomware, and data breaches. The rapid expansion of cyber-insurance in recent years hints at the strong demand for cyber-insurance and its benefits. However, the impacts of cyber-insurance practice on cybersecurity enhancement and on cyber-attackers are largely unknown. In this paper we systematically study optimal cybersecurity investment and cyber-insurance decision-making, with special attention paid to the effects of the attacker’s strategies. The economic modeling analysis and simulation study suggest that although cyber-insurance may be beneficial for the insured from a financial perspective, cyber-insurance practice may not be optimal from the societal cybersecurity perspective. Purchasing cyber-insurance decreases organizations’ optimal cybersecurity investment and increases the attacker’s expected payoffs. Therefore, the attacker has a motive to manipulate cyber-insurance by selective cyber-attacks on organizations up to a critical point, beyond which we discovered that imposing further threat will force organizations to invest more in cybersecurity. The attacker is capable of “playing god” by controlling the probabilities of initiating cyber-attacks, and acts strategically to influence organizations’ incentives on whether to purchase cyber-insurance in order to harvest benefits. This study of cyber-insurance’s effects on attackers and their strategic manipulation of cyber-insurance provides insights for the future of the cyber-insurance market.

Corresponding author

Correspondence to Qi Liao.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Li, Z., Liao, Q. (2023). Does Cyber-Insurance Benefit the Insured or the Attacker? – A Game of Cyber-Insurance. In: Fu, J., Kroupa, T., Hayel, Y. (eds) Decision and Game Theory for Security. GameSec 2023. Lecture Notes in Computer Science, vol 14167. Springer, Cham. https://doi.org/10.1007/978-3-031-50670-3_2

  • DOI: https://doi.org/10.1007/978-3-031-50670-3_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-50669-7

  • Online ISBN: 978-3-031-50670-3

  • eBook Packages: Computer Science, Computer Science (R0)
