Voluntary Participation in Cyber-insurance Markets

Voluntary Participation in Cyber-insurance Markets Parinaz Naghizadeh, Mingyan Liu Department of Electrical Engineering and Computer Science University of Michigan, Ann Arbor, MI 13th Workshop on the Economics of Information Security (WEIS)


SLIDE 1

Voluntary Participation in Cyber-insurance Markets

Parinaz Naghizadeh, Mingyan Liu

Department of Electrical Engineering and Computer Science University of Michigan, Ann Arbor, MI

13th Workshop on the Economics of Information Security (WEIS) June 24, 2014

SLIDE 2

Introduction Model and Contract Design Voluntary Participation Conclusion

The cyber-insurance market¹

  • Over 30 companies offering insurance in the US.
  • Growth of 10-25% in premiums reported.
  • Total amount of premiums estimated between $500M and $1bn.
  • Premiums $10k - $50M, coverage limits $16M - $300M.
  • Cyber-insurance proposed for both risk transfer and shaping incentives.

¹ Romanosky, Comments to the Department of Commerce on Incentives to Adopt Improved Cybersecurity Practices, 2013. The Betterley Report: Cyber/Privacy Insurance Market Survey, 2012.

Naghizadeh, Liu (Michigan) VP in Cyber-Insurance 2 / 14

SLIDE 3

Interdependent security risks

  • Security investments of a user have positive externalities on other users.
  • Users’ preferences are in general heterogeneous:
      • Heterogeneous costs.
      • Different valuations of security risks.
  • Heterogeneity leads to under-investment.

SLIDE 4

Cyber-insurance literature

Competitive markets [Shetty 10, Pal 13]

  • Perfect competition with free entry.
  • Insurance contracts optimized from individual users’ viewpoint.
  • Decreases incentive to invest in security, but individually rational.

Monopolistic markets [Hoffman 07, Lelarge 09]

  • A single profit neutral insurer (social planner).
  • Socially optimal investments in model with binary decisions.
  • Assumes compulsory insurance, participation incentives not studied.

SLIDE 5

Outline

  • Introduction
  • Model and Contract Design
  • Voluntary Participation
  • Discussion and Conclusion

SLIDE 6

Interdependent security (IDS) investment game

  • A set of N users.
  • User i’s action: invest $x_i \ge 0$ in security.
  • User i chooses $x_i$ to maximize its utility:

$$u_i(x) := -L_i f_i(x) - h_i(x_i)$$

  • $L_i$: assets subject to loss
  • $f_i(x)$: security risk of i, where $x$ is the vector of investments
  • $h_i(\cdot)$: cost of investment

SLIDE 11

Cyber-insurance implementation

  • A monopolist profit-neutral insurer determines $\{(\rho_i, I_i)\}_{i=1}^{N}$: premium and indemnification payment (coverage).
  • Utility of user i when purchasing insurance:

$$u_i(x, \rho_i, I_i) = -(L_i - I_i) f_i(x) - h_i(x_i) - \rho_i$$

  • The positive externality investment mechanism [Hurwicz 79]

Each participant i inputs message $m_i := (\chi_i, \pi_i)$, consisting of an investment profile and a price profile.

SLIDE 14

On incentives to participate

  • User participation depends on:
      1. game form
      2. options when staying out
  • Most public good problems assume a zero share of resources for those staying out.
  • Security is a non-excludable public good: users can stay out and still free-ride on (possibly lower) levels of security.
  • Loner: stays out and best responds to the remaining N − 1 users.

SLIDE 19

Reasons for opting out (I)

Free riders paying for security; can enjoy spill-overs without paying. Free-rider 4 is happy; free-rider 1 would rather stay out.

[Figure: Expenditure in security (NE vs SO). x-axis: User Index; y-axis: Investment in Security; series: Nash Equilibrium, Socially Optimal.]

[Figure: Participation Incentive (User Costs in PESIM vs Staying Out). x-axis: User Index; y-axis: User Costs; series: Socially Optimal, Staying Out.]

SLIDE 20

Reasons for opting out (II)

Main investor not receiving high enough compensation. Investor 2 is happy; investors 3 and 5 would rather stay out.

[Figure: Expenditure in security (NE vs SO). x-axis: User Index; y-axis: Investment in Security; series: Nash Equilibrium, Socially Optimal.]

[Figure: Participation Incentive (User Costs in PESIM vs Staying Out). x-axis: User Index; y-axis: User Costs; series: Socially Optimal, Staying Out.]

SLIDE 21

An impossibility result

There are instances in which no mechanism can satisfy both types.

  • Free-riders are only willing to pay so much (esp. given spillovers).
  • Main investors demand compensation.
  • Mechanism designer does not inject resources into the system.

Positive examples

Problem families in which users voluntarily participate in the positive externality mechanism.
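An added numerical illustration (not from the slides) of the IDS game, the loner's outside option, and the impossibility result: it computes the Nash equilibrium, the social optimum, and each user's cost when staying out, then checks whether any zero-sum set of transfers could keep everyone in. The exponential risk function, linear costs, spillover weight `A`, the three-user numbers, and the assumption that the remaining N − 1 users reach their own joint optimum when one user stays out are all assumptions made here.

```python
import math

# Constructed instance (assumption): the slides give no numbers or functional forms.
L = [4.0, 8.0, 10.0]   # L_i: assets subject to loss
C = [1.0, 1.5, 1.2]    # assumed linear cost h_i(x_i) = C[i] * x_i
A = 0.3                # assumed spillover weight of other users' investment
N = len(L)

def risk(i, x):
    """Assumed risk f_i(x) = exp(-(x_i + A * sum_{j != i} x_j))."""
    return math.exp(-(x[i] + A * (sum(x) - x[i])))

def cost(i, x):
    """User i's cost -u_i(x) = L_i f_i(x) + h_i(x_i), before any transfers."""
    return L[i] * risk(i, x) + C[i] * x[i]

def best_response(i, x):
    """Closed-form maximiser of u_i over x_i >= 0 for the assumed forms."""
    return max(0.0, math.log(L[i] / C[i]) - A * (sum(x) - x[i]))

def solve(members, rounds=5000):
    """Members jointly minimise their summed cost (projected coordinate
    gradient steps); every non-member plays a best response."""
    x, step = [0.0] * N, 1.0 / sum(L)   # curvature per coordinate is <= sum(L)
    for _ in range(rounds):
        for k in range(N):
            if k in members:
                grad = sum(L[i] * (1.0 if i == k else A) * risk(i, x)
                           for i in members) - C[k]
                x[k] = max(0.0, x[k] + step * grad)
            else:
                x[k] = best_response(k, x)
    return x

def participation_surplus():
    """Per user: cost when staying out minus cost at the social optimum."""
    everyone = set(range(N))
    x_so = solve(everyone)
    return [cost(i, solve(everyone - {i})) - cost(i, x_so) for i in range(N)]

if __name__ == "__main__":
    x_ne, x_so = solve(set()), solve(set(range(N)))
    print("NE investments:", [round(v, 3) for v in x_ne])
    print("SO investments:", [round(v, 3) for v in x_so])
    s = participation_surplus()
    print("surplus per user:", [round(v, 3) for v in s], "sum:", round(sum(s), 3))
```

A negative surplus means the user must be compensated to join, a positive one is the most that user would pay; because the surpluses in this constructed instance sum to less than zero, no set of transfers that sums to zero leaves all three users at least as well off as staying out.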

SLIDE 24

Discussion

Tradeoffs

  • Profit-neutrality, socially optimal outcome, participation

Alternative mechanisms?

  • Capital injection, e.g., cyber-insurance with catastrophe coverage
  • ε-optimal solution
  • Partial coverage

Combined with secondary incentives?

  • Business opportunities

SLIDE 27

Conclusion

  • Sub-optimality of unregulated interdependent security games
  • A positive externality mechanism to induce socially optimal security investment

  • The challenge of ensuring voluntary participation
