Post-Incident Audits on Cyber Insurance Discounts

We introduce a game-theoretic model to investigate the strategic interaction between a cyber insurance policyholder whose premium depends on her self-reported security level and an insurer with the power to audit the security level upon receiving an indemnity claim. Audits can reveal fraudulent (or simply careless) policyholders not following reported security procedures, in which case the insurer can refuse to indemnify the policyholder. However, the insurer has to bear an audit cost even when the policyholders have followed the prescribed security procedures. As audits can be expensive, a key problem insurers face is to devise an auditing strategy to deter policyholders from misrepresenting their security levels to gain a premium discount. This decision-making problem was motivated by conducting interviews with underwriters and reviewing regulatory filings in the U.S.; we discovered that premiums are determined by security posture, yet this is often self-reported and insurers are concerned by whether security procedures are practised as reported by the policyholders. To address this problem, we model this interaction as a Bayesian game of incomplete information and devise optimal auditing strategies for the insurers considering the possibility that the policyholder may misrepresent her security level. To the best of our knowledge, this work is the first theoretical consideration of post-incident claims management in cyber security. Our model captures the trade-off between the incentive to exaggerate security posture during the application process and the possibility of punishment for non-compliance with reported security policies. Simulations demonstrate that common sense techniques are not as efficient at providing effective cyber insurance audit decisions as the ones computed using game theory.
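To make the trade-off described in the abstract concrete, the following is an added toy model, written for this page and not taken from the paper or its authors. It keeps only the ingredients the abstract names: a premium that depends on the reported security level, an insurer that audits a claim with some probability, refusal of indemnity when an audit finds the reported procedures were not followed, and an audit cost the insurer pays even when the policyholder was compliant. The two policyholder types, their breach probabilities, the premiums, the audit cost and the population mix are all constructed numbers, and the policyholder is assumed to be risk-neutral. The block computes the audit probability at which misrepresenting security stops being worthwhile for a low-security policyholder, and compares the insurer's expected profit under "never audit", "always audit" and the deterrence threshold.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Market:
    # All parameter values are constructed for illustration; none come from the paper.
    loss: float          # size of the insured loss when a breach occurs
    q_high: float        # breach probability for a policyholder with high security
    q_low: float         # breach probability for a policyholder with low security
    premium_high: float  # (discounted) premium charged when "high security" is reported
    premium_low: float   # premium charged when "low security" is reported
    audit_cost: float    # insurer's cost of auditing one claim, paid whatever the outcome
    share_low: float     # fraction of applicants who actually have low security


def low_type_cost(m: Market, p: float, misreport: bool) -> float:
    """Expected annual cost of a low-security policyholder.

    Honest report: pays the full premium and every claim is indemnified.
    Misreport:     pays the discounted premium, but a claim audited with
                   probability p is refused, so the policyholder bears the
                   loss with probability q_low * p.
    """
    if not misreport:
        return m.premium_low
    return m.premium_high + m.q_low * p * m.loss


def deterrence_threshold(m: Market) -> float:
    """Smallest audit probability at which misreporting is no longer cheaper.

    Solves premium_high + q_low * p * loss >= premium_low for p.
    """
    return (m.premium_low - m.premium_high) / (m.q_low * m.loss)


def low_type_misreports(m: Market, p: float) -> bool:
    # Best response of the low-security type; an exact tie is broken toward honesty
    # (the small tolerance keeps floating-point noise from flipping that tie).
    return low_type_cost(m, p, True) < low_type_cost(m, p, False) - 1e-9


def insurer_profit(m: Market, p: float) -> float:
    """Expected insurer profit per policyholder when every claim is audited with
    probability p and the low-security type plays its best response."""
    # High-security policyholders report truthfully; their claims are always paid,
    # and the insurer still pays the audit cost on the audited fraction.
    profit_high = m.premium_high - m.q_high * (m.loss + p * m.audit_cost)
    if low_type_misreports(m, p):
        # Only the discounted premium is collected; audited claims are refused
        # (insurer pays just the audit cost), unaudited claims are paid in full.
        expected_payout = m.q_low * ((1 - p) * m.loss + p * m.audit_cost)
        profit_low = m.premium_high - expected_payout
    else:
        profit_low = m.premium_low - m.q_low * (m.loss + p * m.audit_cost)
    return m.share_low * profit_low + (1 - m.share_low) * profit_high


def optimal_audit_probability(m: Market, grid_steps: int = 1000) -> float:
    """Insurer's best audit probability: search a grid plus the deterrence threshold."""
    candidates = [i / grid_steps for i in range(grid_steps + 1)]
    t = deterrence_threshold(m)
    if 0.0 <= t <= 1.0:
        candidates.append(t)
    return max(candidates, key=lambda p: insurer_profit(m, p))


def compare_policies(m: Market) -> dict:
    """Expected profit of two common-sense rules versus the computed optimum."""
    p_star = optimal_audit_probability(m)
    return {
        "never_audit": insurer_profit(m, 0.0),
        "always_audit": insurer_profit(m, 1.0),
        "optimal_p": p_star,
        "optimal_profit": insurer_profit(m, p_star),
    }


# Constructed example market (hypothetical numbers).
EXAMPLE = Market(loss=10_000, q_high=0.06, q_low=0.10,
                 premium_high=720, premium_low=1200,
                 audit_cost=400, share_low=0.5)

if __name__ == "__main__":
    print(f"deterrence threshold p_min = {deterrence_threshold(EXAMPLE):.3f}")
    for name, value in compare_policies(EXAMPLE).items():
        print(f"{name:>15}: {value:.2f}")
```

In this constructed market the threshold is 0.48: below it, low-security applicants take the discount and the insurer loses money on them; above it, every extra audit is a pure cost spent on compliant policyholders. Never auditing and always auditing both sit away from that point, which is the qualitative pattern the abstract's simulations describe. The model has no fine beyond refusing the claim, so the only lever is the audit probability; a real underwriting model would also need to reflect risk aversion and the policyholder's uncertainty about the insurer's strategy.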
