论文信息 - Cyber-insurance framework for large scale interdependent networks

Cyber-insurance framework for large scale interdependent networks

This article presents a framework for managing cyber-risks in large-scale interdependent networks where cyber insurers are strategic players. In our earlier work, we imposed that breach probability of each network node (which we view as a player) is a function of two variables: first, player own security action and second, average security of all players. In this article, we formally derive the expression of breach probability from the standard assumptions. For a homogeneous interdependent network (identical users), we provide a solution for optimal security choice of each node in environments without and with cyber insurers present. Then, we introduce a general heterogeneous network (many user types), and derive the expression for network security. Lastly, we consider the network with two user types (normal and malicious), in which we allow one user type (malicious users) to subvert monitoring of the insurers, even if these insurers are able to perfectly enforce security levels of normal users (at zero cost). Our analysis confirms a discrepancy between informal arguments that favor cyber-insurance as a tool to improve network security, and formal models, which tend to view insurance as an instrument of managing risks only. In particular, our results support the case against cyber-insurance as the means of improving security. Our framework helps to identify the crucial network parameters for improving incentives to provide secure networks.

S. Shankar Sastry | Galina Schwartz | S. Sastry | G. Schwartz

[1] Ralph A. Winter. Optimal Insurance under Moral Hazard , 2000 .

[2] Srinivasan Raghunathan,et al. Cyber Insurance and IT Security Investment: Impact of Interdependence Risk , 2005, WEIS.

[3] H. Kunreuther,et al. Interdependent Security , 2003 .

[4] Jean C. Walrand,et al. Can Competitive Insurers Improve Network Security? , 2010, TRUST.

[5] Tyler Moore,et al. Security Economics and European Policy , 2008, WEIS.

[6] Rainer Böhme,et al. Modeling Cyber-Insurance: Towards a Unifying Framework , 2010, WEIS.

[7] Jean C. Walrand,et al. Why cyber-insurance contracts fail to reflect cyber-risks , 2013, 2013 51st Annual Allerton Conference on Communication, Control, and Computing (Allerton).

[8] Annette Hofmann,et al. Internalizing externalities of loss prevention through insurance monopoly: an analysis of interdependent risks , 2007 .

[9] Georges Dionne,et al. Handbook of insurance , 2000 .

[10] P. Dasgupta,et al. Equilibrium in Competitive Insurance Markets : An Essay on the Economics of Imperfect Information , 2007 .

[11] Georges Dionne,et al. Adverse Selection in Insurance Markets , 2000 .

[12] Jean C. Walrand,et al. Competitive Cyber-Insurance and Internet Security , 2009, WEIS.

[13] Anindya Ghose,et al. The Economic Incentives for Sharing Security Information , 2004, Inf. Syst. Res..

[14] Marc Lelarge,et al. Economic Incentives to Increase Security in the Internet: The Case for Insurance , 2009, IEEE INFOCOM 2009.