Modeling Cyber-Insurance

From Cybersecurity Wiki
Jump to navigation Jump to search

Full Title of Reference

Modeling Cyber-Insurance: Towards A Unified Framework

Full Citation

Rainer Bohme and Galina Schwartz, Modeling Cyber-Insurance: Towards A Unified Framework, Workshop on the Economics of Information Security, Harvard University, Cambridge, MA (June 2010). Web



Key Words

Botnet, Disclosure Policy, Interdependencies, Phishing, Risk Modeling, SPAM, Worm


The paper proposes a comprehensive formal framework to classify all market models of cyber-insurance we are aware of. The framework features a common terminology and deals with the specific properties of cyber-risk in a unified way: interdependent security, correlated risk, and information asymmetries. A survey of existing models, tabulated according to our framework, reveals a discrepancy between informal arguments in favor of cyber-insurance as a tool to align incentives for better network security, and analytical results questioning the viability of a market for cyber-insurance. Using our framework, we show which parameters should be considered and endogenized in future models to close this gap.

A General Framework for Modeling Cyber-Insurance Markets

The unifying framework proposed by the authors permits to classify the literature and identify areas that have not been covered by the existing models. Their objectives are to take stock, systematize in a common terminology, and give a structured account of a growing field with contributions spread over disperse communities. Ultimately, such a unifying framework should help navigate the literature and stimulates research that results in a more formal basis for policy recommendations involving cyber-risk reallocation.

In addition, the authors suggest that this framework can be used to partly standardize the exposition of cyber-insurance papers, thus simplifying the tasks of authors’ presentation and evaluation of the results by the research community. One key theme in designing such a framework is to identify factors specific to cyber-risk and cyber-insurance. This clarifies where novel contributions are needed.

The framework breaks the modeling decisions down to five key components:

  • network environment,
  • demand side,
  • supply side,
  • information structure,
  • organizational environment.

Each component covers several model attributes, which imply specific modeling decisions. All attributes are discussed, including their common formalization, with particular emphasis on attributes that are specific to cyberrisk. For less cyber-specific attributes, references to the standard economic literature on indemnity insurance are provided.

The framework introduces a unified way of dealing with both interdependent security and correlated risk, two obstacles to the development of a cyber-insurance market that so far have been studied only separately. The remaining subsections of Sect. 2 describe the standard economic approach to insurance, augmented to cyber-risk where specific properties arise.

Using the Framework for a Literature Survey, and Concluding Remarks

Section 3 applies the framework by classifying the relevant literature along the framework’s key components. The authors demonstrate the general usefulness of our framework and its suitability to ease comparisons between different models in a standardized terminology. The framework further permits to pinpoint the driving forces behind the results of models in the literature. Our hope is that this framework will serve as starting point for more systematic extensions in future work by both economists and security engineers. General remarks on the state of the research field and possible directions are discussed in the concluding Section 4.

Additional Notes and Highlights

Expertise Requires: Economics - High


 1. Introduction
 2. A General Framework for Modeling Cyber-Insurance Markets
   2.1 Network Environment: Connected Nodes
     2.1.1 Defense Function
     2.1.2 Network Topology
     2.1.3 Risk Arrival
     2.1.4 Attacker Model
   2.2 Demand Side: Agents
     2.2.1 Node Control
     2.2.2 Heterogeneity
     2.2.3 Agents’ Risk Aversion
     2.2.4 Action Space
     2.2.5 Time
   2.3 Supply Side: Insurers
     2.3.1 Market Structure
     2.3.2 Insurers’ Risk Aversion
     2.3.3 Markup
     2.3.4 Contract Design
     2.3.5 Higher-Order Risk Transfer
   2.4 Information Structure
     2.4.1 Information Asymmetries in the Conventional Insurance Literature
     2.4.2 Information Asymmetries Specific to Cyber-Insurance
     2.4.3 Timing
   2.5 Organizational Environment
     2.5.1 Regulator
     2.5.2 ICT Manufacturers
     2.5.3 Network Intermediaries
     2.5.4 Security Service Providers
 3 Using the Framework for a Literature Survey
   3.1 Market Models
     3.1.1 Comparison Across Models
     3.1.2 Discussion of Individual Models
   3.2 Related Topics
 4 Concluding Remarks