Cyber-Insurance as a Signaling Game: Self-reporting and External Security Audits

An insurer has to know the risks faced by a potential client to accurately determine an insurance premium offer. However, while the potential client might have a good understanding of its own security practices, it may also have an incentive not to disclose them honestly since the resulting information asymmetry could work in its favor. This information asymmetry engenders adverse selection, which can result in unfair premiums and reduced adoption of cyber-insurance. To overcome information asymmetry, insurers often require potential clients to self-report their risks. Still, clients do not have any incentive to perform thorough self-audits or to provide comprehensive reports. As a result, insurers have to complement self-reporting with external security audits to verify the clients’ reports. Since these audits can be very expensive, a key problem faced by insurers is to devise an auditing strategy that deters clients from dishonest reporting using a minimal number of audits. To solve this problem, we model the interactions between a potential client and an insurer as a two-player signaling game. One player represents the client, who knows its actual security-investment level, but may report any level to the insurer. The other player represents the insurer, who knows only the random distribution from which the security level was drawn, but may discover the actual level using an expensive audit. We study the players’ equilibrium strategies and provide numerical illustrations.
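As an added illustration of the audit-deterrence problem the abstract describes (this is not code from the paper, whose payoff functions are not given on this page): a two-type toy model in which the premiums, the audit cost, the prior over security levels and the penalty for a detected misreport are all assumed values, used to compute the smallest audit probability under which a low-security client prefers to report honestly.

```python
"""Toy two-type signaling game between a client and an insurer.

Assumptions (constructed, not taken from the paper): two security levels
("low" and "high"), a premium per reported level, a fixed cost per external
audit, and a penalty paid by a client whose misreport is caught by an audit.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Market:
    prior_high: float         # insurer's belief that a random client is high-security
    premium: Dict[str, float]  # premium charged for each *reported* level
    audit_cost: float         # insurer's cost of one external audit
    penalty: float            # sanction for a misreport that an audit uncovers


def client_cost(actual: str, reported: str, audited: bool, m: Market) -> float:
    """Client pays the premium of the level it reports, plus the penalty if a lie is audited."""
    cost = m.premium[reported]
    if audited and reported != actual:
        cost += m.penalty
    return cost


def misreport_gain(m: Market) -> float:
    """Premium a low-security client saves by claiming to be high-security."""
    return m.premium["low"] - m.premium["high"]


def deterrence_audit_prob(m: Market) -> Optional[float]:
    """Smallest probability of auditing a 'high' report that makes honesty a best response
    for low types, or None if even auditing every report cannot deter misreporting."""
    gain = misreport_gain(m)
    if gain <= 0:
        return 0.0          # no incentive to lie, no audits needed
    if gain > m.penalty:
        return None         # expected penalty can never outweigh the saved premium
    return gain / m.penalty


def honest_is_best_response(m: Market, p_audit: float) -> bool:
    """Low type compares expected cost of lying with the cost of reporting truthfully."""
    expected_lie = m.premium["high"] + p_audit * m.penalty
    return expected_lie >= m.premium["low"]


def insurer_expected_audit_cost(m: Market, p_audit: float) -> float:
    """With honest reporting only genuine 'high' reports exist, each audited with prob. p_audit."""
    return m.prior_high * p_audit * m.audit_cost
```

Raising the penalty lowers the deterring audit probability and hence the insurer's expected audit spend, which is the lever the abstract's minimal-audit strategy exploits.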
