Security Games with Market Insurance

Security games are characterized by multiple players who strategically adjust their defenses against an abstract attacker, represented by realizations of nature. The defense strategies include both actions where security generates positive externalities and actions that do not. When the players are assumed to be risk averse, market insurance enters as a third strategic option. We formulate a one-shot security game with market insurance, characterize its pure equilibria, and describe how the equilibria compare to established results. Simplifying assumptions include homogeneous players, fair insurance premiums, and complete information except for realizations of nature. The results add more realism to the interpretation of analytical models of security games and might inform policy makers on adjusting incentives to improve network security and foster the development of a market for cyber-insurance.
