Cyber Insurance as an Incentive for Internet Security

Managing security risks in the Internet has so far mostly involved methods to reduce the risks and the severity of the damages. Those methods (such as firewalls, intrusion detection and prevention, etc.) reduce but do not eliminate risk, and the question remains of how to handle the residual risk. In this paper, we consider whether buying insurance to protect the Internet and its users from security risks makes sense, and if so, identify specific benefits of insurance and design appropriate insurance policies. Using insurance in the Internet raises several questions because entities in the Internet face correlated risks, which means that insurance claims will likely be correlated, making those entities less attractive to insurers. Furthermore, risks are interdependent: the decision by an entity to invest in security and self-protect affects the risk faced by others. We analyze the impact of these externalities on the security investments of users using simple models that combine recent ideas from risk theory and network modeling. Our key result is that using insurance would increase security in the Internet. Specifically, we show that the adoption of security investments follows a threshold (tipping point) dynamic, and that insurance is a powerful incentive mechanism that pushes entities over the threshold into a desirable state where they invest in self-protection. Given its many benefits, we argue that insurance should become an important component of risk management in the Internet, and discuss its impact on Internet mechanisms and architecture.

Presented at WEIS 2008, Seventh Workshop on the Economics of Information Security, Hanover, NH (USA), June 25-28, 2008. A shortened version was presented at INFOCOM 2008 (mini-conference) [47].
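The two mechanisms the abstract names, interdependent risk and a tipping-point adoption dynamic, can be seen in a small simulation. The following is an illustrative model constructed for this page; it is not the model of the paper, and every parameter value (direct-attack probability, contagion probability, loss, protection cost, a 20-node ring with two neighbours on each side) is an assumption chosen to make the effect visible. Each node is compromised directly only if unprotected, and can be compromised through each unprotected neighbour whether or not it is itself protected; a node self-protects when the expected loss it avoids exceeds the cost. "Insurance" is modelled in the spirit of [44]: a single insurer covering every node discounts a node's premium by all the claims its self-protection avoids, including those at its neighbours, so the externality enters the node's decision.

```python
"""Toy interdependent-security game on a ring (illustration constructed for
this page; NOT the model of the paper).  All parameter values are assumed.

Each node chooses whether to pay COST for self-protection.  An unprotected
node is compromised directly with probability P_DIRECT; every node, protected
or not, can additionally be compromised through each *unprotected* neighbour
with probability Q_CONTAGION (interdependent risk).  A compromise costs LOSS.
"""
from typing import List

P_DIRECT = 0.20      # P(direct compromise) for an unprotected node (assumed)
Q_CONTAGION = 0.15   # P(compromise arrives over one link from an unprotected neighbour) (assumed)
LOSS = 100.0         # loss on compromise (assumed)
COST = 15.0          # cost of self-protection (assumed)
N_NODES = 20         # ring size (assumed)
RADIUS = 2           # node i is linked to i-2, i-1, i+1, i+2 (assumed)


def neighbours(i: int, n: int = N_NODES, radius: int = RADIUS) -> List[int]:
    return [(i + d) % n for d in range(-radius, radius + 1) if d != 0]


def contagion(m: int) -> float:
    """P(compromised through at least one of m unprotected neighbours)."""
    return 1.0 - (1.0 - Q_CONTAGION) ** m


def node_risk(protected: bool, m: int) -> float:
    """P(compromise) for a node with m unprotected neighbours."""
    direct = 0.0 if protected else P_DIRECT
    return direct + (1.0 - direct) * contagion(m)


def private_benefit(state: List[bool], i: int) -> float:
    """Expected loss node i avoids for itself by self-protecting."""
    m = sum(1 for j in neighbours(i) if not state[j])
    return LOSS * (node_risk(False, m) - node_risk(True, m))


def externality(state: List[bool], i: int) -> float:
    """Expected loss i's neighbours avoid when i self-protects: the part of
    i's decision that i ignores unless an insurer prices it in."""
    total = 0.0
    for j in neighbours(i):
        others = sum(1 for k in neighbours(j) if k != i and not state[k])
        total += LOSS * (node_risk(state[j], others + 1) - node_risk(state[j], others))
    return total


def best_response(state: List[bool], i: int, insurer_internalizes: bool) -> bool:
    """Invest iff the avoided loss (or premium reduction) exceeds COST.
    Without insurance only the private benefit counts; with a single insurer
    that discounts i's premium by every claim i's protection avoids, at i and
    at i's neighbours, the externality counts as well."""
    benefit = private_benefit(state, i)
    if insurer_internalizes:
        benefit += externality(state, i)
    return benefit > COST


def run_to_fixed_point(initial: List[bool], insurer_internalizes: bool,
                       max_passes: int = 100) -> List[bool]:
    """Sequential best-response dynamics until no node wants to change."""
    state = list(initial)
    for _ in range(max_passes):
        changed = False
        for i in range(len(state)):
            new = best_response(state, i, insurer_internalizes)
            if new != state[i]:
                state[i] = new
                changed = True
        if not changed:
            break
    return state


def adoption(state: List[bool]) -> float:
    """Fraction of nodes that self-protect."""
    return sum(state) / len(state)


if __name__ == "__main__":
    nobody = [False] * N_NODES
    half = [True] * (N_NODES // 2) + [False] * (N_NODES - N_NODES // 2)
    all_but_one = [False] + [True] * (N_NODES - 1)
    print("all-unprotected state: private benefit %.2f, externality %.2f"
          % (private_benefit(nobody, 0), externality(nobody, 0)))
    for label, start in [("nobody", nobody), ("half", half), ("all but one", all_but_one)]:
        print("no insurance, start=%-12s -> adoption %.2f"
              % (label, adoption(run_to_fixed_point(start, False))))
    print("insurer internalizes externality, start=nobody -> adoption %.2f"
          % adoption(run_to_fixed_point(nobody, True)))
```

Under these assumed parameters the no-insurance game has two stable states, nobody protected and everybody protected, and a half-protected start unravels to nobody: the value of a node's protection falls as its neighbours stay unprotected, so partial adoption is not self-sustaining. At the all-unprotected state the loss a node's protection spares its neighbours (about 29.5) is nearly three times what it spares the node itself (about 10.4), which is why the private decision underinvests; once the insurer prices that externality into the premium, the same start tips to full adoption.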

[1] J. Mossin. Aspects of Rational Insurance Purchasing, 1968, Journal of Political Economy.

[2] I. Ehrlich et al. Market Insurance, Self-Insurance, and Self-Protection, 1972, Journal of Political Economy.

[3] Leonard Kleinrock. Research areas in computer communication, 1974, CCRV.

[4] Jeffrey K. MacKie-Mason et al. Pricing the Internet, 1995.

[5] Jiong Gong et al. The Economics of Layered Networks, 1995.

[6] Bill Cheswick et al. Firewalls and Internet Security: Repelling the Wily Hacker, 2003, Addison-Wesley Professional Computing Series.

[7] David D. Clark et al. The design philosophy of the DARPA internet protocols, 1988, SIGCOMM '88.

[8] Deborah Estrin et al. Pricing in Computer Networks: Reshaping the Research Agenda, 1996, Telecommunications Policy.

[9] B. Clifford Neuman et al. Endorsements, licensing, and insurance for distributed services, 1997.

[10] L. J. Camp. Pricing Security, 2000.

[11] Bruce Schneier et al. Insurance and the computer industry, 2001, CACM.

[12] C. Gollier. The Economics of Risk and Time, 2001.

[13] H. Varian et al. The Economics of Information Technology, 2004.

[14] Donald F. Towsley et al. Code Red worm propagation modeling and analysis, 2002, CCS '02.

[15] Stuart E. Schechter et al. Quantitatively Differentiating System Security, 2002.

[16] David Clark et al. Tussle in cyberspace: defining tomorrow's Internet, 2002, SIGCOMM 2002.

[17] Luis E. Ortiz et al. Algorithms for Interdependent Security Games, 2003, NIPS.

[18] O. Assis et al. Towards Better Definitions and Measures of Internet Security, 2003.

[19] Andrew M. Odlyzko. Economics, Psychology, and Sociology of Security, 2003, Financial Cryptography.

[20] Lawrence A. Gordon et al. A framework for using insurance for cyber-risk management, 2003, Commun. ACM.

[21] Hari Balakrishnan et al. Fast portscan detection using sequential hypothesis testing, 2004, IEEE Symposium on Security and Privacy.

[22] J. Kesan et al. The Economic Case for Cyberinsurance, 2004.

[23] Vern Paxson et al. A Worst-Case Worm, 2004.

[24] Douglas A. Barnes. Deworming the Internet, 2004.

[25] Vern Paxson et al. The top speed of flash worms, 2004, WORM '04.

[26] Frank Kelly et al. Come the revolution—network dimensioning, service costing and pricing in a packet switched environment, 2004.

[27] Lawrence A. Gordon et al. The economics of information security investment, 2002, TSEC.

[28] Ramayya Krishnan et al. Software Diversity for Information Security, 2005, WEIS.

[29] Donald F. Towsley et al. The effect of network topology on the spread of epidemics, 2005, IEEE INFOCOM 2005.

[30] Srinivasan Raghunathan et al. Cyber Insurance and IT Security Investment: Impact of Interdependence Risk, 2005, WEIS.

[31] Lawrence A. Gordon et al. Managing Cybersecurity Resources (The McGraw-Hill Homeland Security Series), 2005.

[32] S. Low et al. The "robust yet fragile" nature of the Internet, 2005, Proceedings of the National Academy of Sciences of the United States of America.

[33] Rainer Böhme et al. Cyber-Insurance Revisited, 2005, WEIS.

[34] William Yurcik et al. Cyber-insurance as a market-based solution to the problem of cybersecurity, 2005, WEIS.

[35] Rainer Böhme et al. Models and Measures for Correlation in Cyber-Insurance, 2006, WEIS.

[36] William Yurcik et al. The Evolution of Cyberinsurance, 2006, arXiv.

[37] Thomas Mikosch et al. Non-Life Insurance Mathematics: An Introduction with Stochastic Processes, 2006.

[38] Adrian Perrig et al. Modeling adoptability of secure BGP protocols, 2006, SIGMETRICS '06/Performance '06.

[39] Ross J. Anderson et al. The Economics of Information Security: A Survey and Open Questions, 2006.

[40] Stuart E. Schechter et al. Bootstrapping the Adoption of Internet Security Protocols, 2006, WEIS.

[41] Vishal Misra et al. Network Resilience: Exploring Cascading Failures within BGP, 2006.

[42] Marc Goovaerts et al. Insurance: Mathematics and Economics, 2006.

[43] Hemantha S. B. Herath et al. Cyber-Insurance: Copula Pricing Framework and Implication for Risk Management, 2007, WEIS.

[44] Annette Hofmann et al. Internalizing externalities of loss prevention through insurance monopoly: an analysis of interdependent risks, 2007.

[45] Marc Lelarge et al. Network externalities and the deployment of security features and protocols in the Internet, 2008, SIGMETRICS '08.

[46] Marc Lelarge et al. A local mean field analysis of security investments in networks, 2008, NetEcon '08.

[47] Marc Lelarge et al. A New Perspective on Internet Security using Insurance, 2008, IEEE INFOCOM 2008.

[48] A. J. Ganesh et al. On the Race of Worms, Alerts, and Patches, 2008, IEEE/ACM Transactions on Networking.