
    A New Perspective on Internet Security using Insurance

    Managing security risks in the Internet has so far mostly involved methods to reduce the risks and the severity of the damages. Those methods (such as firewalls, intrusion detection and prevention, etc.) reduce but do not eliminate risk, and the question remains of how to handle the residual risk. In this paper, we take a new approach to the problem of Internet security and advocate managing this residual risk by buying insurance against it, in other words by transferring the risk to an insurance company in return for a fee, namely the insurance premium. We consider the problem of whether buying insurance to protect the Internet and its users from security risks makes sense, and if so, of identifying specific benefits of insurance and designing appropriate insurance policies. Using insurance in the Internet raises several questions because entities in the Internet face correlated risks, which means that insurance claims will likely be correlated, making those entities less attractive to insurance companies. Furthermore, risks are interdependent, meaning that the decision by an entity to invest in security and self-protect affects the risk faced by others. We analyze the impact of these externalities on the security investments of the users using simple models that combine recent ideas from risk theory and network modeling. Our key result is that using insurance would increase security in the Internet. Specifically, we show that the adoption of security investments follows a threshold or tipping-point dynamics, and that insurance is a powerful incentive mechanism which pushes entities over the threshold into a desirable state where they invest in self-protection. Given its many benefits, we argue that insurance should become an important component of risk management in the Internet, and discuss its impact on Internet mechanisms and architecture.

    Top Manager’s Perspectives on Cyberinsurance Risk Management for Reducing Cybersecurity Risks

    The vulnerability of organizations to security breaches and the severity of these breaches have become key issues for organizations. The costs incurred from breaches can be damaging and difficult to recover from. Cyberinsurance has been portrayed as a risk management strategy that aims to protect organizations from the crippling cost of security breaches. Thus, this study is interested in understanding the factors affecting the intent to purchase cyberinsurance from the perspective of top managers. Not only do we want to understand the factors affecting top managers' intent to purchase cyberinsurance as a protective approach; of interest also is the examination of its effect on the organization's security posture. We seek to empirically test this observed but largely untested phenomenon using protection motivation theory, which has successfully been used to study the effect of threat and coping appraisals on protective behaviors.

    Coordination in Network Security Games: a Monotone Comparative Statics Approach

    Malicious software, or malware for short, has become a major security threat. While originating in criminal behavior, its impact is also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. In this paper, we focus on the question of incentive alignment for agents of a large network towards better security. We start with an economic model for a single agent that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover, alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy.
    Comment: 10 pages, to appear in IEEE JSA

    INFORMATION SECURITY RISK AND BOUNDARY CHANGING BEHAVIOR

    The escalating information security threats and their impacts have made firms pay careful attention to the potential risks they face and the actions they can take to mitigate such risks. We explore if and how the information security risk perceptions of firms shape their boundary-changing behaviors. We argue that organizations have risk transfer, risk avoidance, risk reduction, and risk acceptance options, and combine these options in their attempts to reduce the perceived effects of information security risks. Through risk transfer, organizations could transfer some effects of information security risks to third parties, while boundary-changing behaviors could alter the potential vulnerabilities of a firm; hence decisions to alter firm boundaries are likely to be shaped by risk perceptions. By fine-tuning 11 state-of-the-art NLP models with causal extraction, we find that organizations' information security risk perception is positively associated with their information security risk transfer behavior and with less-risky boundary-changing actions.

    Economics of malware: Epidemic risks model, network externalities and incentives

    Malicious software, or malware for short, has become a major security threat. While originating in criminal behavior, its impact is also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. Our goal in this paper is to model and quantify the impact of such externalities on the investment in security features in a network. We study a network of interconnected agents, which are subject to epidemic risks such as those caused by propagating viruses and worms. Each agent can decide whether or not to invest some amount to self-protect and deploy security solutions, which decreases the probability of contagion. Borrowing ideas from random graph theory, we solve this 'micro' model explicitly and compute the fulfilled-expectations equilibria. We are able to compute the network externalities as a function of the parameters of the epidemic. We show that the network externalities have a public part and a private one. As a result of this separation, some counter-intuitive phenomena can occur: there are situations where the incentive to invest in self-protection decreases as the fraction of the population investing in self-protection increases. In a situation where the protection is strong and ensures that the protected agent cannot be harmed by the decisions of others, we show that the situation is similar to a free-rider problem. In a situation where the protection is weaker, we show that the network can exhibit critical mass. We also look at the interaction with the security supplier. In the case where security is provided by a monopolist, we show that the monopolist takes advantage of these positive network externalities by providing low-quality protection.