Economic Incentives to Increase Security in the Internet: The Case for Insurance

Entities in the Internet, ranging from individuals and enterprises to service providers, face a broad range of epidemic risks such as worms, viruses, and botnet-driven attacks. These risks are interdependent, which means that an entity's decision to invest in security and self-protect affects the risk faced by others (for example, the risk faced by an individual decreases when its provider increases its investments in security). As a result, entities tend to invest too little in self-protection, relative to the socially efficient level, because they ignore the benefits conferred on others. In this paper, we consider the problem of designing incentives for entities in the Internet so that they invest at a socially efficient level. In particular, we find that insurance is a powerful incentive mechanism which pushes agents to invest in self-protection. Thus, insurance increases the level of self-protection, and therefore the level of security, in the Internet. As a result, we believe that insurance should be considered an important component of risk management in the Internet.
