A Novel Cyber-Insurance for Internet Security

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, and botnets. To reduce the probability of risk, an Internet user generally invests in self-defense mechanisms like antivirus and antispam software. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.) . These risk types are often indistinguishable by a naive user. However, a cyber-insurance agency would most likely insure risks only due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract as standard optimal contracts, i.e., contracts under security attacks only, might prove to be sub-optimal for himself. In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both, security as well as non-security related failures. We propose \emph{Aegis}, a novel cyber-insurance model in which the user accepts a fraction \emph{(strictly positive)} of loss recovery on himself and transfers rest of the loss recovery on the cyber-insurance agency. We mathematically show that given an option, Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users.

[1]  H. Kunreuther,et al.  Interdependent Security , 2003 .

[2]  Jean C. Walrand,et al.  Competitive Cyber-Insurance and Internet Security , 2009, WEIS.

[3]  Peter Honeyman,et al.  Interdependence of Reliability and Security , 2007, WEIS.

[4]  Marc Lelarge,et al.  Cyber Insurance as an Incentivefor Internet Security , 2009, Managing Information Risk and the Economics of Security.

[5]  Anupam Chander,et al.  Securing Privacy in the Internet Age , 2008 .

[6]  Nicolas Christin,et al.  Security and insurance management in networks with heterogeneous agents , 2008, EC '08.

[7]  Leana Golubchik,et al.  Pricing and Investments in Internet Security: A Cyber-Insurance Perspective , 2011, ArXiv.

[8]  Jean C. Walrand,et al.  How Bad Are Selfish Investments in Network Security? , 2011, IEEE/ACM Transactions on Networking.

[9]  Bruce Schneier,et al.  DIGITAL SECURITY IN A NETWORKED WORLD , 2013 .

[10]  Marc Lelarge,et al.  Network externalities and the deployment of security features and protocols in the internet , 2008, SIGMETRICS '08.

[11]  Bruce Schneier,et al.  Insurance and the computer industry , 2001, CACM.

[12]  William Yurcik,et al.  The Evolution of Cyberinsurance , 2006, ArXiv.

[13]  Piet Van Mieghem,et al.  Protecting Against Network Infections: A Game Theoretic Perspective , 2009, IEEE INFOCOM 2009.

[14]  Ross J. Anderson Why information security is hard - an economic perspective , 2001, Seventeenth Annual Computer Security Applications Conference.

[15]  J. Neumann,et al.  Theory of games and economic behavior , 1945, 100 Years of Math Milestones.

[16]  Marc Lelarge,et al.  Economic Incentives to Increase Security in the Internet: The Case for Insurance , 2009, IEEE INFOCOM 2009.

[17]  A. Mas-Colell,et al.  Microeconomic Theory , 1995 .

[18]  J. Bolot Cyber Insurance as an Incentive for Internet Security , 2008 .

[19]  Leana Golubchik,et al.  Analyzing Self-Defense Investments in Internet Security under Cyber-Insurance Coverage , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[20]  William Yurcik,et al.  Cyber-insurance As A Market-Based Solution To The Problem Of Cybersecurity , 2005, WEIS.

[21]  W. Marsden I and J , 2012 .

[22]  Rainer Böhme,et al.  Modeling Cyber-Insurance: Towards a Unifying Framework , 2010, WEIS.

[23]  Marc Lelarge,et al.  A local mean field analysis of security investments in networks , 2008, NetEcon '08.

[24]  N. Bambos,et al.  Security investment games of interdependent organizations , 2008, 2008 46th Annual Allerton Conference on Communication, Control, and Computing.

[25]  Tyler Moore,et al.  Information Security Economics - and Beyond , 2007, DEON.

[26]  C. Shapiro,et al.  Network Externalities, Competition, and Compatibility , 1985 .

[27]  Bruce Schneier,et al.  Secrets and Lies: Digital Security in a Networked World , 2000 .