Managing Interdependent Information Security Risks: A Study of Cyberinsurance, Managed Security Service and Risk Pooling

The interdependency of information security risks poses a significant challenge for firms to manage security. Firms may over- or under-invest in security because security investments generate network externalities. In this paper, we explore how firms can use three risk management approaches, third-party cyberinsurance, managed security service (MSS) and risk pooling arrangement (RPA), to address the issue of investment inefficiency. We show that compared with cyberinsurance, MSS is more effective in mitigating the security investment inefficiency because the MSS provider (MSSP) serving multiple firms can endogenize the externalities of security investments. However, the investment externalities may discourage a for-profit MSSP from serving all firms even on a monopoly market. We then show that firms can use RPA as a complement to cyberinsurance to address risk interdependency for all firms. However, the adoption of RPA is incentive-compatible for firms only when the security investments generate negative externalities

Cyberinsurance Policy

Why cyberinsurance has not improved cybersecurity and what governments can do to make it a more effective tool for cyber risk management. As cybersecurity incidents—ranging from data breaches and denial-of-service attacks to computer fraud and ransomware—become more common, a cyberinsurance industry has emerged to provide coverage for any resulting liability, business interruption, extortion payments, regulatory fines, or repairs. In this book, Josephine Wolff offers the first comprehensive history of cyberinsurance, from the early “Internet Security Liability” policies in the late 1990s to the expansive coverage offered today. Drawing on legal records, government reports, cyberinsurance policies, and interviews with regulators and insurers, Wolff finds that cyberinsurance has not improved cybersecurity or reduced cyber risks. Wolff examines the development of cyberinsurance, comparing it to other insurance sectors, including car and flood insurance; explores legal disputes between insurers and policyholders about whether cyber-related losses were covered under policies designed for liability, crime, or property and casualty losses; and traces the trend toward standalone cyberinsurance policies and government efforts to regulate and promote the industry. Cyberinsurance, she argues, is ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite—to disincentivize such payments to make ransomware less profitable. An industry built on modeling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood

Pricing and Investments in Internet Security: A Cyber-Insurance Perspective

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is the analysis of optimal user self-defense investments and cyber-insurance contracts under the Internet environment. In this paper, we investigate two problems and their relationship: 1) analyzing optimal self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective and 2) designing optimal cyber-insurance contracts for Internet users, where a contract is a (premium, coverage) pair

Organizational Adoption of Cyber Insurance Instruments in IT Security Risk Management– A Modeling Approach

Cyber insurance can be an effective instrument to transfer cyber risk and complement the benefits from technological controls that guard the IS (information and network) assets in organizations. This research attempts to identify the factors that could explain the proclivity of adoption of cyber insurance in managing cyber risk of an organization. Grounded on the context based TOE framework of adoption of innovation, we propose a research model that integrates technology, organizational and environmental factors surrounding the adoption of cyber insurance. We begin with the insights from TOE literature, and contextualize them with the specificities of cyber insurance in order to formulate a set of relevant hypotheses, empirical validation of which could provide valuable insight into organizational adoption (or the observed lack) of cyber insurance. This research attempts to explain the contextual factors that affect successful organizational adoption of cyber insurance and extend the TOE adoption of innovation theory in the area of IT security risk management

Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative risk management approaches: risk pooling arrangements (RPAs) and managed security services (MSSs). We show that firms can use an RPA as a complement to cyberinsurance to address the overinvestment issue caused by negative externalities of security investments; however, the adoption of an RPA is not incentive-compatible for firms when the security investments generate positive externalities. We then show that the MSS provider serving multiple firms can internalize the externalities of security investments and mitigate the security investment inefficiency. As a result of risk interdependency, collective outsourcing arises as an equilibrium only when the total number of firms is small