An insurance theory based optimal cyber-insurance contract against moral hazard

Abstract: As an important method of risk control in information systems and networks, cyber-insurance has attracted particular attention from both industry and academia. However, two prominent problems hamper the further growth of cyber-insurance. The correlated and interdependent properties of cyber-risks considerably increase the economic risk of insurance companies; risk pooling can be impeded by these two properties. Further, this situation can be aggravated because cyber-insurance negatively affects investment in self-protection. This phenomenon is regarded as ex ante moral hazard. In this study, we establish a mathematical model based on a classic insurance theory to address the abovementioned problems, and propose an optimal cyber-insurance contract scheme that maximizes the expected utility of users. We also propose two personalized contract schemes to incentivize users to invest in self-protection under the no moral hazard and ex ante moral hazard conditions. Extensive experiments are conducted to evaluate the proposed approach, and the experimental results demonstrate the effectiveness and efficiency of the approach.
