Pricing and Investments in Internet Security: A Cyber-Insurance Perspective

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is the analysis of optimal user self-defense investments and cyber-insurance contracts under the Internet environment. In this paper, we investigate two problems and their relationship: 1) analyzing optimal self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective and 2) designing optimal cyber-insurance contracts for Internet users, where a contract is a (premium, coverage) pair

Coordination in Network Security Games: a Monotone Comparative Statics Approach

Malicious softwares or malwares for short have become a major security threat. While originating in criminal behavior, their impact are also influenced by the decisions of legitimate end users. Getting agents in the Internet, and in networks in general, to invest in and deploy security features and protocols is a challenge, in particular because of economic reasons arising from the presence of network externalities. In this paper, we focus on the question of incentive alignment for agents of a large network towards a better security. We start with an economic model for a single agent, that determines the optimal amount to invest in protection. The model takes into account the vulnerability of the agent to a security breach and the potential loss if a security breach occurs. We derive conditions on the quality of the protection to ensure that the optimal amount spent on security is an increasing function of the agent's vulnerability and potential loss. We also show that for a large class of risks, only a small fraction of the expected loss should be invested. Building on these results, we study a network of interconnected agents subject to epidemic risks. We derive conditions to ensure that the incentives of all agents are aligned towards a better security. When agents are strategic, we show that security investments are always socially inefficient due to the network externalities. Moreover alignment of incentives typically implies a coordination problem, leading to an equilibrium with a very high price of anarchy.Comment: 10 pages, to appear in IEEE JSA

Do market failures hamper the perspectives of broadband?

This report analyses the broadband market and asks whether a specific role of government is necessary. As broadband telecommunication is seen as a source of productivity gains, the European Union and other regions are encouraging the deployment of a secure broadband infrastructure. In the Netherlands, there is some concern whether the supply of broadband capacity will meet the strongly increasing demand. The main conclusions are that presently, given current broadband policy, no considerable market failures exist. Firms have adequate incentives to invest in broadband, partly induced by specific regulation of access to the local copper loop. Hence, there is no need for changes in current broadband policy. Market failures in terms of knowledge spillovers are taken care of by other policies. As the broadband markets are very dynamic, unforeseen developments may emerge such as the appearance of new dominant techniques and market players. The best strategy for the government, in particular the competition authority, is to continuously monitor these markets, making timely intervention easier when needed.