Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks

Fabio Massacci; Joseph Swierzbinski; Julian Williams

Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks

Fabio Massacci, Joseph Swierzbinski, Julian Williams

Economics

Research output: Contribution to conference › Unpublished paper › peer-review

Abstract

Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to ﬁrms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination beneﬁts, and may in fact erode the aggregate level of security investment undertaken by targets.

Original language	English
Pages	1-38
Number of pages	38
Publication status	Published - 29 May 2017
Event	16th Annual Workshop on the Economics of Information Security: Weiss 2017 - Rady School of Management, UC San Diego, La Jolla, United States Duration: 25 Jun 2017 → 27 Jun 2017 https://weis2017.econinfosec.org/

Conference

Conference	16th Annual Workshop on the Economics of Information Security
Country/Territory	United States
City	La Jolla
Period	25/06/17 → 27/06/17
Internet address	https://weis2017.econinfosec.org/

Bibliographical note

The authors would like to thank Luca Allodi from the University of Trento,
Vadim Kotov from Bromium, and the members of the Computer Laboratory in Cambrige (in particular Ross Anderson, Richard Clayton, Daniel Thomas, and Sultan Kus) for very useful discussions and insights on hackers’ technology and markets. We would like also to thank the participants to the Lorentz’ Adversarial Risk Analysis seminar (in particular Milind Tambe, Wolter Pieters, Vivian Jacobs, David Banks, Dieter Gollmann, Andr Hoogstrate, and Christian Probst) for useful discussions on the use of game theory techniques for security, Angela Sasse and her group at UCL, Alex Ashby from Oxford, Christos Ioannidis from the University of Bath, and the seminar participants at the University of Durham (in particular Parantap Basu, Abderrahim Taamouti, Hugo Kruiniger, Leslie Reinhorn, Xiaogang Che, and Damian Damianov) for useful comments. Any remaining mistakes are the sole responsibilities of the authors.

Keywords

Insurance
Cyber-Security
Public Economics
Optimal Investment Allocations

Cite this

@conference{c2859ee79f2945c2a216c33afa60f515,

title = "Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks",

abstract = "Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of {\textquoteleft}Cyberinsurance{\textquoteright} as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to ﬁrms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination beneﬁts, and may in fact erode the aggregate level of security investment undertaken by targets.",

keywords = "Insurance, Cyber-Security, Public Economics, Optimal Investment Allocations",

author = "Fabio Massacci and Joseph Swierzbinski and Julian Williams",

note = "The authors would like to thank Luca Allodi from the University of Trento, Vadim Kotov from Bromium, and the members of the Computer Laboratory in Cambrige (in particular Ross Anderson, Richard Clayton, Daniel Thomas, and Sultan Kus) for very useful discussions and insights on hackers{\textquoteright} technology and markets. We would like also to thank the participants to the Lorentz{\textquoteright} Adversarial Risk Analysis seminar (in particular Milind Tambe, Wolter Pieters, Vivian Jacobs, David Banks, Dieter Gollmann, Andr Hoogstrate, and Christian Probst) for useful discussions on the use of game theory techniques for security, Angela Sasse and her group at UCL, Alex Ashby from Oxford, Christos Ioannidis from the University of Bath, and the seminar participants at the University of Durham (in particular Parantap Basu, Abderrahim Taamouti, Hugo Kruiniger, Leslie Reinhorn, Xiaogang Che, and Damian Damianov) for useful comments. Any remaining mistakes are the sole responsibilities of the authors.; 16th Annual Workshop on the Economics of Information Security : Weiss 2017 ; Conference date: 25-06-2017 Through 27-06-2017",

year = "2017",

month = may,

day = "29",

language = "English",

pages = "1--38",

url = "https://weis2017.econinfosec.org/",

}

TY - CONF

T1 - Cyberinsurance and Public Policy

T2 - 16th Annual Workshop on the Economics of Information Security

AU - Massacci, Fabio

AU - Swierzbinski, Joseph

AU - Williams, Julian

N1 - The authors would like to thank Luca Allodi from the University of Trento, Vadim Kotov from Bromium, and the members of the Computer Laboratory in Cambrige (in particular Ross Anderson, Richard Clayton, Daniel Thomas, and Sultan Kus) for very useful discussions and insights on hackers’ technology and markets. We would like also to thank the participants to the Lorentz’ Adversarial Risk Analysis seminar (in particular Milind Tambe, Wolter Pieters, Vivian Jacobs, David Banks, Dieter Gollmann, Andr Hoogstrate, and Christian Probst) for useful discussions on the use of game theory techniques for security, Angela Sasse and her group at UCL, Alex Ashby from Oxford, Christos Ioannidis from the University of Bath, and the seminar participants at the University of Durham (in particular Parantap Basu, Abderrahim Taamouti, Hugo Kruiniger, Leslie Reinhorn, Xiaogang Che, and Damian Damianov) for useful comments. Any remaining mistakes are the sole responsibilities of the authors.

PY - 2017/5/29

Y1 - 2017/5/29

N2 - Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to ﬁrms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination beneﬁts, and may in fact erode the aggregate level of security investment undertaken by targets.

AB - Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to ﬁrms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination beneﬁts, and may in fact erode the aggregate level of security investment undertaken by targets.

KW - Insurance

KW - Cyber-Security

KW - Public Economics

KW - Optimal Investment Allocations

UR - https://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_14.pdf

M3 - Unpublished paper

SP - 1

EP - 38

Y2 - 25 June 2017 through 27 June 2017

ER -

Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks

Abstract

Conference

Bibliographical note

Keywords

Other files and links

Fingerprint

Cite this