Presentation is loading. Please wait.

Presentation is loading. Please wait.

Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyWEIS 2009 Presentation.

Published byMelvin Powers Modified over 9 years ago

Similar presentations

Presentation on theme: "Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyWEIS 2009 Presentation."— Presentation transcript:

1 Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyWEIS 2009 Presentation

2 Plan of talk Model [no-insurance] Model + insurance, if user security –I. non-contractible –II. contractible Main results –In many cases, missing cyber-insurance market (if I.) –In general, network security worsens with cyber-insurers Discussion EECS, UC Berkeley Slide 2 of 25

3 Model [no-insurance] Players: Identical users –W - Wealth –D - Damage (if successful attack) –If successful attack, wealth is W- D –p – probability of successful attack –Risk-averse users EECS, UC Berkeley Slide 3 of 25

4 Probability of successful attack [interdependent security] Probability p depends on – user security (“private good”) AND –network security (“public good”) [externality] Interdependent security = externality: –Individual users: no effect on network security, but –User’s security choice affects network security EECS, UC BerkeleySlide 4 of 25

5 Network Security Popular - Varian (2002) (weakest link, best shot, total effort) Our assumptions about network security: –Idea: network security is a function of average user security –This paper: network security = average user security EECS, UC Berkeley Slide 5 of 25

6 User Utility User’s trade-off : Security vs convenience (usability) EECS, UC Berkeley Slide 6 of 25

7 Optimized User Utility A companion paper - similar results for general functions (f & h). This paper: After users optimize applications: EECS, UC Berkeley Slide 7 of 25

8 Nash Equil. vs Social Optimum [No-Insurance ] User Utility Nash equilibrium vs Social Optimum If D/W is small, security is zero (or close to 0) EECS, UC Berkeley Slide 8 of 25

9 Security: Nash vs Social Optimum EECS, UC Berkeley Slide 9 of 25

10 Model of competitive cyber-insurers We follow Rothschild & Stiglitz (1976) Each insurer offers a single contract. Nash equilibrium is a set of admissible contracts –i) each insurer’s profit is non-negative For a given set of offered contracts –ii) no entrant-insurer can enter and make a strictly positive profit –iii) no incumbent-insurer can increase his profit by altering his contract EECS, UC Berkeley Slide 10 of 25

11 Competitive cyber-insurers Insurers are risk neutral & each maximizes his profit Perfectly competitive insurers  zero profits We consider 2 cases. If user security is: –I. Non-contractible –II. Contractible – EECS, UC Berkeley Slide 11 of 25

12 Competitive cyber-insurers (cont.) Insurers: –free entry –zero operating costs –take network security as given Cases: if user security is I. Non-contractible – Contract prohibits purchasing extra coverage II. Contractible EECS, UC Berkeley Slide 12 of 25

13 Equilibrium with cyber-insurers From insurer competition: User chooses from which insurer to buy a contract  In equilibrium, all contracts give a user identical utility Only contracts maximizing user utility attract users  In equilibrium, all contracts maximize user utility User participation constraint must hold EECS, UC Berkeley Slide 13 of 25

14 I. non-contractible v ; extra coverage is prohibited If D < 8/9 W - Missing cyber-insurance market [no equilibrium with positive insurance coverage exists] If D > 8/9 W - equilibrium contract may exist but loss covered is small  market is small EECS, UC Berkeley Slide 14 of 25

15 Equilibrium security [I. non-contractible v ] When equilibrium with positive coverage exists, security worsens relative to no-insurance Nash Why security is worse? user’s incentives to invest in security worsen (risk is covered!) With insurance [& non-contractible v] –utility is higher than with no-insurance –but aggregate damage is higher too EECS, UC Berkeley Slide 15 of 25

16 II. contractible v EECS, UC Berkeley Slide 16 of 25

17 Equilibrium [II. contractible v ] In equilibrium, no user deviates to no insurance –If not, some insurer will offer contract with a deviating security level (with insurance, user utility is higher) Entire damage D is covered –If not, some insurer will offer a contract with a higher coverage  EECS, UC Berkeley Slide 17 of 25

18 Equilibrium security with insurance [II. contractible v ] Equilibrium contract –is unique –it covers the entire damage D We have: If D/W is very low: If D/W is high: EECS, UC Berkeley Slide 18 of 25

19 Security Levels [II. Contractible] EECS, UC Berkeley Slide 19 of 25

20 Conclusion Asymmetric information causes missing markets – A well know result of missing markets from the classical papers: Akerlof (1970) ; Rothschild and Stiglitz (1976) –Cyber-insurance is a convincing case of market failure 1. non-contractible user security (a lot of asymmetric info) –For most parameters, cyber insurance market is missing II. contractible user security (only some asymmetric info) –For most parameters, security worsens relative to no-insurance case EECS, UC Berkeley Slide 20 of 25

21 Missing cyber-insurance market & information asymmetries – a link Asymmetric information (present in our model): –I. non-contractible case: Insurers: no info about user security Insurers: no info about each other –II. Contractible case: Insurers: no info about each other Other info asymmetries could matter: –damage size and attack probability (for both, users & insurers) EECS, UC Berkeley Slide 21 of 25

22 Conclusion (c0nt.) Even if cyber insurance would exist, improved network security is unlikely –With cyber-insurers, user utility improves, but in general, network security worsens; sec. increases only if D/W is very low Insurers fail to improve security. Why? –Insurers free-ride on other insurers, which lowers security –Insurance is a tool for risk redistribution, not risk reduction EECS, UC Berkeley Slide 22 of 25

23 Extensions EECS, UC BerkeleySlide 23 of 25 Our setting: identical users –If user types differ: results should hold for each subtype Our setting: specific functions for user utility & security costs –A companion paper shows that most results holds for general functions

24 Cyber-insurers as car dealers: trading lemons? What do cyber-insurers sell? –Indulgences?? Are cyber insurers selling us the peace of mind? Connecting with the next talk: Developing security ratings: how to get from I. (non- contractible v) to II. (contractible v)? EECS, UC Berkeley Slide 24 of 25

25 How to? Problems to resolve (for cyber-insurance to take off) –Reduce information asymmetries (tools: disclosure laws, requirements on standard (defaults) settings on security software … ) –Reduce network externalities (tools: imposition of limited user liability, i.e., mandating user security level) But – this is very difficult (technologically and politically) EECS, UC Berkeley Slide 25 of 25

Download ppt "Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyWEIS 2009 Presentation."

Similar presentations

Optimal Contracts under Adverse Selection

Optimal Contracts under Adverse Selection
1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.

1 Cyber Insurance and IT Security Investment: Impact of Interdependent Risk Hulisi Ogut, UT-Dallas Srinivasan Raghunathan, UT-Dallas Nirup Menon, UT-Dallas.
Economic Incentives to Increase Security in the Internet: the Case for Insurance Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) IEEE INFOCOM, Rio 2009.

Economic Incentives to Increase Security in the Internet: the Case for Insurance Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) IEEE INFOCOM, Rio 2009.
Hal Varian Intermediate Microeconomics Chapter Thirty-Six

Hal Varian Intermediate Microeconomics Chapter Thirty-Six
Network Security: an Economic Perspective Marc Lelarge (INRIA-ENS) currently visiting STANFORD TRUST seminar, Berkeley 2011.

Network Security: an Economic Perspective Marc Lelarge (INRIA-ENS) currently visiting STANFORD TRUST seminar, Berkeley 2011.
EC 100 Week 2 LT.

EC 100 Week 2 LT.
ECON 100 Tutorial: Week 9 office: LUMS C85.

ECON 100 Tutorial: Week 9 office: LUMS C85.
Bank Competition and Financial Stability: A General Equilibrium Expositi on Gianni De Nicolò International Monetary Fund and CESifo Marcella Lucchetta.

Bank Competition and Financial Stability: A General Equilibrium Expositi on Gianni De Nicolò International Monetary Fund and CESifo Marcella Lucchetta.
The Optimal Allocation of Risk James Mirrlees Chinese University of Hong Kong At Academia Sinica, Taipei 8 October 2010.

The Optimal Allocation of Risk James Mirrlees Chinese University of Hong Kong At Academia Sinica, Taipei 8 October 2010.
Chapter Thirty-Three Law and Economics. Effects of Laws u Property right assignments affect –asset, income and wealth distributions; v e.g. nationalized.

Chapter Thirty-Three Law and Economics. Effects of Laws u Property right assignments affect –asset, income and wealth distributions; v e.g. nationalized.
© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.

© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.
Slide 1  2002 South-Western Publishing An assumption of pure competition was complete knowledge of all market information. But knowledge can be unevenly.

Slide 1  2002 South-Western Publishing An assumption of pure competition was complete knowledge of all market information. But knowledge can be unevenly.
Network Security An Economics Perspective IS250 Spring 2010 John Chuang.

Network Security An Economics Perspective IS250 Spring 2010 John Chuang.
Adverse Selection Asymmetric information is feature of many markets

Adverse Selection Asymmetric information is feature of many markets
Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyTRUST 2009 Presentation.

Competitive Cyber-Insurance and Network Security Nikhil Shetty Galina Schwartz Mark Felegyhazi Jean Walrand EECS, UC-BerkeleyTRUST 2009 Presentation.
Vertical FDI, outsourcing and contracts Lessons 5 and 6 Giorgio Barba Navaretti Gargnano, June, 11-14 2006.

Vertical FDI, outsourcing and contracts Lessons 5 and 6 Giorgio Barba Navaretti Gargnano, June,
Bert Willems Cournot Competition, Financial Option Markets and Efficiency.

Bert Willems Cournot Competition, Financial Option Markets and Efficiency.
Lecture Presentation Software to accompany Investment Analysis and Portfolio Management Seventh Edition by Frank K. Reilly & Keith C. Brown Chapter.

Lecture Presentation Software to accompany Investment Analysis and Portfolio Management Seventh Edition by Frank K. Reilly & Keith C. Brown Chapter.
Yale lectures 5 and 6 Nash Equilibrium – no individual can do strictly better by deviating – self enforcing in agreements Investment game – all invest.

Yale lectures 5 and 6 Nash Equilibrium – no individual can do strictly better by deviating – self enforcing in agreements Investment game – all invest.
L25 Asymmetric Information. Structure of the course 1) Consumers choice 2) Equilibrium, Producers (Pareto efficiency) 3) Market Failures - fixed cost:

L25 Asymmetric Information. Structure of the course 1) Consumers choice 2) Equilibrium, Producers (Pareto efficiency) 3) Market Failures - fixed cost:

Similar presentations

Ads by Google