Should Cyber-Insurance Providers Invest in Software Security?

Insurance is based on the diversifiability of individual risks: if an insurance provider maintains a large portfolio of customers, the probability of an event involving a large portion of the customers is negligible. However, in the case of cyber-insurance, not all risks are diversifiable due to software monocultures. If a vulnerability is discovered in a widely used software product, it can be used to compromise a multitude of targets until it is eventually patched, leading to a catastrophic event for the insurance provider. To lower their exposure to non-diversifiable risks, insurance providers may try to influence the security of widely used software products in their customer population, for example, through vulnerability reward programs. We explore the proposal that insurance providers should take a proactive role in improving software security, and provide evidence that this approach is viable for a monopolistic provider. We develop a model which captures the supply and demand sides of insurance, provide computational complexity results on the provider's investment decisions, and propose different heuristic investment strategies. We demonstrate that investments can reduce non-diversifiable risks and can lead to a more profitable cyber-insurance market. Finally, we detail the relative merits of the different heuristic strategies with numerical results.
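The abstract's central argument, that a large portfolio diversifies independent customer risks but not the correlated risk created by a software monoculture, can be made concrete with a small calculation. The following Python block is an added illustration, not code or a model from the paper: it compares a pure independent-breach model with a "common shock" model in which, with probability q, a vulnerability in shared software is exploited against every customer at once, and it shows how lowering q (the lever a provider could pull by investing in software security) changes the insurer's probability of ruin. All numeric inputs (breach probability p, shock probability q, premium, loss per claim, capital) are constructed example values.

```python
"""Added example (not from the paper): diversifiable vs. non-diversifiable risk
for a cyber-insurance portfolio, with and without a software-monoculture shock."""
from math import ceil, exp, lgamma, log


def log_binom_pmf(n, k, p):
    """log P(Bin(n, p) == k), evaluated in log space so large n cannot overflow."""
    if p <= 0.0:
        return 0.0 if k == 0 else float("-inf")
    if p >= 1.0:
        return 0.0 if k == n else float("-inf")
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
            + k * log(p) + (n - k) * log(1.0 - p))


def binom_tail(n, k_min, p):
    """P(Bin(n, p) >= k_min): probability that at least k_min of n customers file a claim."""
    if k_min <= 0:
        return 1.0
    if k_min > n:
        return 0.0
    return sum(exp(log_binom_pmf(n, k, p)) for k in range(k_min, n + 1))


def p_mass_event_independent(n, p, frac=0.5):
    """Probability that at least frac*n customers are breached when breaches are
    independent Bernoulli(p) events. This is the diversifiable part of the risk:
    it collapses towards zero as the portfolio grows."""
    return binom_tail(n, ceil(frac * n), p)


def p_mass_event_monoculture(n, p, q, frac=0.5):
    """Common-shock model (assumed, constructed for this example): with probability q
    a vulnerability in software shared by all customers is exploited and every
    customer is hit; otherwise breaches are independent as above. The q term does
    not shrink with n, which is exactly the non-diversifiable risk."""
    return q + (1.0 - q) * p_mass_event_independent(n, p, frac)


def ruin_probability(n, p, q, premium, loss, capital):
    """Probability that aggregate claims exceed premium income plus capital under
    the common-shock model. premium/loss/capital are constructed example values."""
    budget = n * premium + capital
    k_min = int(budget // loss) + 1          # smallest claim count that exceeds the budget
    shock_ruin = 1.0 if n * loss > budget else 0.0
    return q * shock_ruin + (1.0 - q) * binom_tail(n, k_min, p)


if __name__ == "__main__":
    p, q = 0.05, 0.02   # constructed: 5% yearly breach rate, 2% chance of a monoculture-wide exploit
    print("portfolio size | P(>=50% breached), independent | same, with monoculture shock")
    for n in (10, 100, 1000):
        print(f"{n:>14} | {p_mass_event_independent(n, p):>30.3e} | {p_mass_event_monoculture(n, p, q):>28.3e}")

    # Effect of an investment (e.g. a vulnerability reward program) that cuts q from 2% to 0.5%.
    before = ruin_probability(100, p, 0.02, premium=8, loss=100, capital=500)
    after = ruin_probability(100, p, 0.005, premium=8, loss=100, capital=500)
    print(f"P(ruin) before investment: {before:.4f}, after: {after:.4f}")
```

The independent tail drops by many orders of magnitude between 10 and 1,000 customers, while the monoculture column stays pinned near q regardless of portfolio size; the ruin figures show that once the shock probability dominates, reducing q is worth far more to the provider than growing the book, which is the intuition behind the paper's proposal.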
