WEIS 2009
Competitive Cyber-Insurance and Internet Security
- Nikhil Shetty, UC Berkeley
- Galina Schwartz, UC Berkeley
- Mark Felegyhazi, ICSI Berkeley
- Jean Walrand, UC Berkeley
Abstract
- This paper investigates how competitive cyber-insurers affect network
security and welfare of the networked society. In our model, a user’s probability
to incur damage (from being attacked) depends on both his security
and the network security, with the latter taken by individual users as given.
First, we consider cyber-insurers who cannot observe (and thus, affect) individual
user security. This asymmetric information causes moral hazard.
Then, for most parameters, no equilibrium exists: the insurance market is
missing. Even if an equilibrium exists, the insurance contract covers only
a minor fraction of the damage; network security worsens relative to the
no-insurance equilibrium. Second, we consider insurers with perfect information
about their users’ security. Here, user security is perfectly enforceable
(zero cost); each insurance contract stipulates the required user security.
The unique equilibrium contract covers the entire user damage. Still,
for most parameters, network security worsens relative to the no-insurance
equilibrium. Although cyber-insurance improves user welfare, in general,
competitive cyber-insurers fail to improve network security.