Presentation is loading. Please wait.

Presentation is loading. Please wait.

Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyTRUST 2009 Presentation.

Published byVirgil Stanley Modified over 9 years ago

Similar presentations

Presentation on theme: "Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyTRUST 2009 Presentation."— Presentation transcript:

1 Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyTRUST 2009 Presentation

2 Cyber-insurers as car dealers: trading lemons? Have you heard of Akerloff (1970) “Market for Lemons” Financial Services Industry = manage financial risks (reallocate, redistribute, reduce) Irony: Financial institutions are subject to network insecurity risks, and cry for help in managing these risks (via technology) EECS, UC Berkeley Slide 2 of 25

3 Plan of talk: Insecurity as Risk Model [no-insurance] Model + insurance, if user security –I. non-contractible –II. contractible Main results –In many cases, missing cyber-insurance market (if I.) –In general, network security worsens with cyber-insurers Discussion EECS, UC Berkeley Slide 3 of 25

4 Model [no-insurance] Players: Identical users –W - Wealth –D - Damage (if successful attack) –If successful attack, wealth is W- D –p – probability of successful attack –Risk-averse users EECS, UC Berkeley Slide 4 of 25

5 Probability of successful attack [interdependent security] Probability p depends on – user security (“private good”) AND –network security (“public good”) [externality] Interdependent security = externality: –Individual users: no effect on network security, BUT –Users’ security choices affect network security EECS, UC BerkeleySlide 5 of 25

6 Network Security Popular security models – based on Varian (2002) (weakest link, best shot, total effort) Our assumptions about network security: –Idea: network security is a function of average user security –This paper: network security = average user security EECS, UC Berkeley Slide 6 of 25

7 User Utility User’s trade-off : Security vs convenience (usability) EECS, UC Berkeley Slide 7 of 25

8 Optimized User Utility A companion paper - similar results for general functions (f & h). This paper: After users optimize applications: EECS, UC Berkeley Slide 8 of 25

9 Nash Equil. vs Social Optimum [No-Insurance ] User Utility Nash equilibrium vs Social Optimum If D/W is small, security is zero (or close to 0) EECS, UC Berkeley Slide 9 of 25

10 Security: Nash vs Social Optimum EECS, UC Berkeley Slide 10 of 25

11 Competitive cyber-insurers (cont.) Insurers: –free entry –zero operating costs –take network security as given Cases: if user security is I. Non-contractible – Contract prohibits purchasing extra coverage II. Contractible EECS, UC Berkeley Slide 11 of 25

12 Model of competitive cyber-insurers We follow Rothschild & Stiglitz (1976) Each insurer offers a single contract. Nash equilibrium is a set of admissible contracts –i) each insurer’s profit is non-negative For a given set of offered contracts –ii) no entrant-insurer can enter and make a strictly positive profit –iii) no incumbent-insurer can increase his profit by altering his contract EECS, UC Berkeley Slide 12 of 25

13 Competitive cyber-insurers Insurers are risk neutral & each maximizes his profit Perfectly competitive insurers  zero profits We consider 2 cases. If user security is: –I. Non-contractible –II. Contractible – EECS, UC Berkeley Slide 13 of 25

14 Equilibrium with cyber-insurers From insurer competition: User chooses from which insurer to buy a contract  In equilibrium, all contracts give a user identical utility Only contracts maximizing user utility attract users  In equilibrium, all contracts maximize user utility User participation constraint must hold EECS, UC Berkeley Slide 14 of 25

15 I. non-contractible v ; extra coverage is prohibited If D < 8/9 W - Missing cyber-insurance market [no equilibrium with positive insurance coverage exists] If D > 8/9 W - equilibrium contract may exist EECS, UC Berkeley Slide 15 of 25

16 Equilibrium security [I. non-contractible v ] When equilibrium with positive coverage exists, security worsens relative to no-insurance Nash Why security is worse? user’s incentives to invest in security worsen (risk is covered!) With insurance [& non-contractible v] –utility is higher than with no-insurance –but aggregate damage is higher too EECS, UC Berkeley Slide 16 of 25

17 II. contractible v EECS, UC Berkeley Slide 17 of 25

18 Equilibrium [II. contractible v ] In equilibrium, no user deviates to no insurance –If not, some insurer will offer contract with a deviating security level (with insurance, user utility is higher) Entire damage D is covered –If not, some insurer will offer a contract with a higher coverage  EECS, UC Berkeley Slide 18 of 25

19 Equilibrium security with insurance [II. contractible v ] Equilibrium contract –is unique –it covers the entire damage D We have: If D/W is very low: If D/W is high: EECS, UC Berkeley Slide 19 of 25

20 Security Levels [II. Contractible] EECS, UC Berkeley Slide 20 of 25

21 Conclusion Asymmetric information causes missing markets – A well know result of missing markets from the classical papers: Akerlof (1970) ; Rothschild and Stiglitz (1976) –Cyber-insurance is a convincing case of market failure 1. non-contractible user security (a lot of asymmetric info) –For most parameters, cyber insurance market is missing II. contractible user security (only some asymmetric info) –For most parameters, security worsens relative to no-insurance case EECS, UC Berkeley Slide 21 of 25

22 Missing cyber-insurance market & information asymmetries – a link Asymmetric information (present in our model): –I. non-contractible case: Insurers: no info about user security Insurers: no info about each other –II. Contractible case: Insurers: no info about each other Other info asymmetries could matter: –damage size –attack probability EECS, UC Berkeley Slide 22 of 25

23 Conclusion (c0nt.) Even with cyber insurance, improved network security is unlikely –With cyber-insurers, user utility improves, but in general, network security worsens ; sec. increases only if D/W is very low Insurers fail to improve security. Why? –Insurers free-ride on other insurers, which lowers security –Insurance is a tool for risk redistribution, not risk reduction EECS, UC Berkeley Slide 23 of 25

24 Are Cyber-insurers trading lemons? What are cyber-insurers selling? –Indulgences? ? Are cyber insurers selling us the peace of mind? EECS, UC Berkeley Slide 24 of 25

25 How to? Problems to resolve (for cyber-insurance to take off). Need to: –Reduce information asymmetries (tools: disclosure laws, requirements on standard (defaults) settings on security software … ) –Reduce network externalities (tools: imposition of limited user liability, i.e., mandating user security level, i.e., user certification) But – this is hard (technologically and politically) EECS, UC Berkeley Slide 25 of 25

Download ppt "Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyTRUST 2009 Presentation."

Similar presentations

Optimal Contracts under Adverse Selection

Optimal Contracts under Adverse Selection
1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.

1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.
Economic Incentives to Increase Security in the Internet: the Case for Insurance Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) IEEE INFOCOM, Rio 2009.

Economic Incentives to Increase Security in the Internet: the Case for Insurance Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) IEEE INFOCOM, Rio 2009.
Hal Varian Intermediate Microeconomics Chapter Thirty-Six

Hal Varian Intermediate Microeconomics Chapter Thirty-Six
ECON 100 Tutorial: Week 9 office: LUMS C85.

ECON 100 Tutorial: Week 9 office: LUMS C85.
Bank Competition and Financial Stability: A General Equilibrium Expositi on Gianni De Nicolò International Monetary Fund and CESifo Marcella Lucchetta.

Bank Competition and Financial Stability: A General Equilibrium Expositi on Gianni De Nicolò International Monetary Fund and CESifo Marcella Lucchetta.
Contracts and Mechanism Design What Contracts Accomplish Moral Hazard Adverse Selection (if time: Signaling)

Contracts and Mechanism Design What Contracts Accomplish Moral Hazard Adverse Selection (if time: Signaling)
FINANCING UNDER ASYMMETRIC INFORMATION 3th set of transparencies for ToCF.

FINANCING UNDER ASYMMETRIC INFORMATION 3th set of transparencies for ToCF.
Interbank Market Liquidity and Central Bank Intervention Franklin Allen Elena Carletti University of Pennsylvania University of Frankfurt and CFS Douglas.

Interbank Market Liquidity and Central Bank Intervention Franklin Allen Elena Carletti University of Pennsylvania University of Frankfurt and CFS Douglas.
Thomas Berry-Stölzle Hendrik Kläver Shen Qiu Terry College of Business University of Georgia Should Life Insurance Companies Invest in Hedge Funds? Financial.

Thomas Berry-Stölzle Hendrik Kläver Shen Qiu Terry College of Business University of Georgia Should Life Insurance Companies Invest in Hedge Funds? Financial.
The Optimal Allocation of Risk James Mirrlees Chinese University of Hong Kong At Academia Sinica, Taipei 8 October 2010.

The Optimal Allocation of Risk James Mirrlees Chinese University of Hong Kong At Academia Sinica, Taipei 8 October 2010.
Chapter Thirty-Three Law and Economics. Effects of Laws u Property right assignments affect –asset, income and wealth distributions; v e.g. nationalized.

Chapter Thirty-Three Law and Economics. Effects of Laws u Property right assignments affect –asset, income and wealth distributions; v e.g. nationalized.
© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.

© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.
Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyWEIS 2009 Presentation.

Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyWEIS 2009 Presentation.
Network Security An Economics Perspective IS250 Spring 2010 John Chuang.

Network Security An Economics Perspective IS250 Spring 2010 John Chuang.
Adverse Selection Asymmetric information is feature of many markets

Adverse Selection Asymmetric information is feature of many markets
Why Trade Liberalization may not be good

Why Trade Liberalization may not be good
Bert Willems Cournot Competition, Financial Option Markets and Efficiency.

Bert Willems Cournot Competition, Financial Option Markets and Efficiency.
Yale lectures 5 and 6 Nash Equilibrium – no individual can do strictly better by deviating – self enforcing in agreements Investment game – all invest.

Yale lectures 5 and 6 Nash Equilibrium – no individual can do strictly better by deviating – self enforcing in agreements Investment game – all invest.
Investment. An Investor’s Perspective An investor has two choices in investment. Risk free asset and risky asset For simplicity, the return on risk free.

Investment. An Investor’s Perspective An investor has two choices in investment. Risk free asset and risky asset For simplicity, the return on risk free.

Similar presentations

Ads by Google