Abstract
Recent works on Internet risk management have proposed the idea of cyber-insurance to eliminate risks due to security threats that cannot be tackled through traditional means such as antivirus software. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.). These risk types are often indistinguishable to a naive user. However, a cyber-insurance agency would most likely insure only risks due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract, as traditional optimal contracts, i.e., contracts for security attacks only, might prove to be sub-optimal for him.
In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both security and non-security related failures. We propose Aegis, a simple and novel cyber-insurance model in which the user accepts a (strictly positive) fraction of loss recovery on himself and transfers the rest of the loss recovery to the cyber-insurance agency. We mathematically show that only under conditions when buying cyber-insurance is mandatory, given an option, risk-averse Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users. We also derive an interesting counterintuitive result related to the Aegis framework: we show that an increase (decrease) in the premium of an Aegis contract may not always lead to a decrease (increase) in its user demand. In the process, we also state the conditions under which the latter trend and its converse emerge. Our work proposes a new model of cyber-insurance for Internet security that extends all previous related models by accounting for the extra dimension of non-insurable risks. Aegis also incentivizes Internet users to take up more personal responsibility for protecting their systems.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Pal, R., Golubchik, L., Psounis, K. (2011). Aegis A Novel Cyber-Insurance Model. In: Baras, J.S., Katz, J., Altman, E. (eds) Decision and Game Theory for Security. GameSec 2011. Lecture Notes in Computer Science, vol 7037. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25280-8_12
DOI: https://doi.org/10.1007/978-3-642-25280-8_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25279-2
Online ISBN: 978-3-642-25280-8
eBook Packages: Computer Science, Computer Science (R0)