On the Limits of Cyber-Insurance

It has been argued that cyber-insurance will create the right kind of security atmosphere on the Internet: it will give firms an incentive (through lowered premiums) to better secure their networks, thus reducing the threat of first-party as well as third-party damage; it will promote the gathering and sharing of information about security-related incidents, thus aiding the development of global information security standards and practices; and finally, it will increase overall social welfare by decreasing the variance of losses faced by individual firms via risk pooling, as in other kinds of insurance. However, a unique aspect of cyber-risks is the high level of correlation in risk (e.g. worms and viruses), which affects both the insurer and the insured. In this paper, we present a discussion of the factors that influence the correlation in cyber-risks both at a global level, i.e. correlation across independent firms in an insurer's portfolio, and at a local level, i.e. correlation of risk within a single firm. While global risk correlation influences insurers' decisions in setting the premium, the internal correlation within a firm influences its decision to seek insurance. We study the combined dynamics of these two to determine when a market for cyber-insurance can exist. We address the technical, managerial and policy choices influencing both kinds of correlation and the welfare implications thereof.
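The interaction the abstract describes between the two levels of correlation can be made concrete with a small model. The following is an added illustration, not the paper's own model: it assumes an equicorrelated portfolio (every pair of firms shares the same correlation rho_global), an equicorrelated set of hosts inside each firm (rho_local), a mean-variance approximation of a risk-averse firm's risk premium, and an insurer that loads its premium in proportion to the portfolio's standard deviation. All parameter values are constructed for the example.

```python
"""Illustrative model of when a cyber-insurance market can exist, given
global correlation (across firms in the insurer's portfolio) and local
correlation (across hosts within one firm).  Added example; the modelling
assumptions below are the example's own, not the paper's."""

from math import sqrt


def pooled_variance(n, sigma2, rho):
    """Variance of the average loss over n firms whose losses each have
    variance sigma2 and pairwise correlation rho (assumed equicorrelated).
    Var(mean) = sigma2/n + (n-1)/n * rho * sigma2, which tends to rho*sigma2
    as n grows: pooling removes only the idiosyncratic part of the risk."""
    return sigma2 / n + (n - 1) / n * rho * sigma2


def firm_loss_variance(m, host_var, rho_local):
    """Variance of one firm's total loss over m hosts whose per-host losses
    have variance host_var and pairwise correlation rho_local.  A software
    monoculture pushes rho_local toward 1; platform diversity pushes it toward 0."""
    return m * host_var + m * (m - 1) * rho_local * host_var


def willingness_to_pay(firm_var, risk_aversion):
    """Largest loading above expected loss a risk-averse firm will accept,
    using the mean-variance approximation of the risk premium: (a/2) * Var."""
    return risk_aversion / 2.0 * firm_var


def insurer_loading(n, firm_var, rho_global, safety_factor):
    """Per-firm loading the insurer charges to back the portfolio with capital
    proportional to its standard deviation (assumed pricing rule).
    Portfolio SD divided by n equals sqrt(pooled_variance), so the loading
    does not vanish for large n unless rho_global is zero."""
    return safety_factor * sqrt(pooled_variance(n, firm_var, rho_global))


def analyse(n, m, host_var, rho_local, rho_global, risk_aversion, safety_factor):
    """Combine the firm's demand side and the insurer's supply side.
    A market exists when the firm's willingness to pay covers the loading."""
    firm_var = firm_loss_variance(m, host_var, rho_local)
    wtp = willingness_to_pay(firm_var, risk_aversion)
    loading = insurer_loading(n, firm_var, rho_global, safety_factor)
    return {"firm_var": firm_var, "wtp": wtp, "loading": loading,
            "market": wtp >= loading}


def scan(rho_values, **params):
    """Map each (rho_local, rho_global) pair to whether a market exists."""
    return {(rl, rg): analyse(rho_local=rl, rho_global=rg, **params)["market"]
            for rl in rho_values for rg in rho_values}


if __name__ == "__main__":
    # Constructed parameters: 1000 insured firms, 100 hosts per firm,
    # unit per-host loss variance, mild risk aversion, half an SD of capital.
    params = dict(n=1000, m=100, host_var=1.0, risk_aversion=0.01,
                  safety_factor=0.5)
    grid = scan([0.0, 0.1, 0.5], **params)
    print("rho_local  rho_global  market?")
    for (rl, rg), ok in sorted(grid.items()):
        print(f"{rl:9.1f}  {rg:10.1f}  {'yes' if ok else 'no'}")
```

Running the scan shows the two effects pulling in opposite directions: raising rho_global inflates the insurer's loading because pooling no longer diversifies the risk, which closes the market for firms with low internal variance, while raising rho_local inflates a firm's own loss variance and hence its willingness to pay, which reopens it. The specific thresholds depend on the assumed pricing and utility rules, but the qualitative shape is what the abstract's "combined dynamics" refers to.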
