Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks

Fabio Massacci, Joseph Swierzbinski, Julian Williams

Research output: Contribution to conference (Paper)

Abstract

Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to firms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination benefits, and may in fact erode the aggregate level of security investment undertaken by targets.
Original language: English
Pages: 1-38
Number of pages: 38
Publication status: Published - 29 May 2017
Event: 16th Annual Workshop on the Economics of Information Security: WEIS 2017 - Rady School of Management, UC San Diego, La Jolla, United States
Duration: 25 Jun 2017 to 27 Jun 2017
https://weis2017.econinfosec.org/

Conference

Conference: 16th Annual Workshop on the Economics of Information Security
Country: United States
City: La Jolla
Period: 25/06/17 to 27/06/17

Fingerprint

Liability
Self-protection
Public policy
Self-insurance
Risk mitigation
Breach
Policy tools
Clearinghouse
Information security
Insurance companies
Insurance contract
Modeling
Guidance

Keywords

  • Insurance
  • Cyber-Security
  • Public Economics
  • Optimal Investment Allocations

Cite this

Massacci, F., Swierzbinski, J., & Williams, J. (2017). Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks. 1-38. Paper presented at 16th Annual Workshop on the Economics of Information Security, La Jolla, United States.

@conference{c2859ee79f2945c2a216c33afa60f515,
title = "Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks",
abstract = "Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to firms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination benefits, and may in fact erode the aggregate level of security investment undertaken by targets.",
keywords = "Insurance, Cyber-Security, Public Economics, Optimal Investment Allocations",
author = "Fabio Massacci and Joseph Swierzbinski and Julian Williams",
note = "The authors would like to thank Luca Allodi from the University of Trento, Vadim Kotov from Bromium, and the members of the Computer Laboratory in Cambridge (in particular Ross Anderson, Richard Clayton, Daniel Thomas, and Sultan Kus) for very useful discussions and insights on hackers’ technology and markets. We would like also to thank the participants to the Lorentz’ Adversarial Risk Analysis seminar (in particular Milind Tambe, Wolter Pieters, Vivian Jacobs, David Banks, Dieter Gollmann, André Hoogstrate, and Christian Probst) for useful discussions on the use of game theory techniques for security, Angela Sasse and her group at UCL, Alex Ashby from Oxford, Christos Ioannidis from the University of Bath, and the seminar participants at the University of Durham (in particular Parantap Basu, Abderrahim Taamouti, Hugo Kruiniger, Leslie Reinhorn, Xiaogang Che, and Damian Damianov) for useful comments. Any remaining mistakes are the sole responsibilities of the authors.; 16th Annual Workshop on the Economics of Information Security : WEIS 2017 ; Conference date: 25-06-2017 Through 27-06-2017",
year = "2017",
month = "5",
day = "29",
language = "English",
pages = "1--38",
url = "https://weis2017.econinfosec.org/",

}

TY - CONF

T1 - Cyberinsurance and Public Policy

T2 - Self-Protection and Insurance with Endogenous Security Risks

AU - Massacci, Fabio

AU - Swierzbinski, Joseph

AU - Williams, Julian

N1 - The authors would like to thank Luca Allodi from the University of Trento, Vadim Kotov from Bromium, and the members of the Computer Laboratory in Cambridge (in particular Ross Anderson, Richard Clayton, Daniel Thomas, and Sultan Kus) for very useful discussions and insights on hackers’ technology and markets. We would like also to thank the participants to the Lorentz’ Adversarial Risk Analysis seminar (in particular Milind Tambe, Wolter Pieters, Vivian Jacobs, David Banks, Dieter Gollmann, André Hoogstrate, and Christian Probst) for useful discussions on the use of game theory techniques for security, Angela Sasse and her group at UCL, Alex Ashby from Oxford, Christos Ioannidis from the University of Bath, and the seminar participants at the University of Durham (in particular Parantap Basu, Abderrahim Taamouti, Hugo Kruiniger, Leslie Reinhorn, Xiaogang Che, and Damian Damianov) for useful comments. Any remaining mistakes are the sole responsibilities of the authors.

PY - 2017/5/29

Y1 - 2017/5/29

N2 - Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to firms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination benefits, and may in fact erode the aggregate level of security investment undertaken by targets.

KW - Insurance

KW - Cyber-Security

KW - Public Economics

KW - Optimal Investment Allocations

UR - https://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_14.pdf

M3 - Paper

SP - 1

EP - 38

ER -