1 / 43

Cyberinsurance As A Market-Based Solution To the Problem of Cybersecurity

This article explores the emergence of cyberinsurance, current practices, economic theory, and its potential in an ideal and real-world scenario. It discusses the problem of cybersecurity breaches and the need for market solutions like cyberinsurance.

gennie
Download Presentation

Cyberinsurance As A Market-Based Solution To the Problem of Cybersecurity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cyberinsurance As A Market-Based Solution To the Problem of Cybersecurity Jay Kesan Ruperto Majuca* William Yurcik* College of Law Department of Economics NCSA University of Illinois at Urbana-Champaign {kesan,majuca,yurcik}@uiuc.edu Workshop on the Economics of Information Security ‘05 Harvard University

  2. Outline • Emergence of Cyberinsurance • Current Cyberinsurance Practices • Economic Theory • Ideal World • Real World • Summary

  3. Outline • Emergence of Cyberinsurance • Current Cyberinsurance Practices • Economic Theory • Ideal World • Real World • Summary

  4. The Problem • Pervasive software vulnerabilities & increased availability of hacking tools have resulted in a consistently increasing myriad of attacks: • host-based attacks (theft of credit card numbers, invasion of privacy, etc.) • insider attacks that damage information assets • network DoS availability attacks • Surveys consistently show ~75% of businesses suffer financial losses due to security breaches • InformationWeek estimates annual losses (in the USA) due to security breaches at billions of dollars

  5. Why Is This Happening?

  6. Why Is This Happening? Security Market Failure

  7. Why Is This Happening? Security Market Failure • Imperfect information • Consumers do not know security of software • Externalities • Security is interdependent and damage is not fully borne by “guilty” parties • Security as a Public Good • Risks are shared but incentive to free-ride

  8. Correcting Market Failure • Imperfect Information • Perfect information may not be possible • Externalities • Assign cyber-property rights through laws • enforcement is slow with high transaction costs • Security as Public Good • International regulation for broad protections • funding, long timeframe, divergent interests

  9. Risk Management Market Solutions • Avoid the Risk • Disconnect from the Internet • Mitigate the Risk • Security processes to reduce magnitude of expected loss • Retain the Risk • Self-insurance or gambling • Transfer the Risk via Contract • Guarantees/warranties, service agreements, outsourcing • Transfer the Risk via an Insurance Product • Insurance premiums internalized as cost-of-doing-business

  10. Risk Management Market Solutions • Avoid the Risk • Disconnect from the Internet • Mitigate the Risk • Security processes to reduce magnitude of expected loss • Retain the Risk • Self-insurance or gambling • Transfer the Risk via Contract • Guarantees/warranties, service agreements, outsourcing • Transfer the Risk via an Insurance Product • Insurance premiums internalized as cost-of-doing-business

  11. Inadequacy of Traditional Insurance • Traditional insurance policies • designed to cover traditional perils • cyber-risks are new • time dynamics; attacks & software flaws exposed daily • Cyber-properties are without physical form • attacks do not leave physical damage • insurers dispute what constitutes “physical” damage to “tangible” property, draft more exclusions, and offer new insurance products to stack case against inclusion • Most cyber-torts are international • most 3rd party insurance coverage are not international

  12. Outline • Emergence of Cyberinsurance • Current Cyberinsurance Practices • Economic Theory • Ideal World • Real World • Summary

  13. Outline • Emergence of Cyberinsurance • Current Cyberinsurance Practices • Economic Theory • Ideal World • Real World • Summary

  14. Ideal World (our previous work) • Cyberinsurance increases IT Safety because the insured increases self-protection as rational response to the reduction of premium • Cyberinsurance facilitates standards of liability • Cyberinsurance increases social welfare by solving market failure (Internet risks transfer)

  15. Measuring Welfare Gains Income in good state A Certainty line |Slope| = price of insurance Welfare gains measure B E I1e expenditure on insurance F I* I** Amount of insurance coverage 45o I** I* I0e Income in bad state

  16. Income in good state A $ 47.04 million |slope|= .06 B Certainty line $ 3.14 Bn I** 45o I** $ 1.94 Bn Income in bad state Example: 2000 DOS attacks

  17. Calculating the Premiums • Following Cochrane (1997), total premiums insured is willing to pay may be calculated: • Solving for Π: • Calculated welfare gains and premiums for different risk aversion levels and probabilities of cyber-loss • results: increasing social welfare and premiums with probability of attack and risk aversion

  18. Real World • Adverse Selection • insurers cannot distinguish between high and low risk • Moral Hazard • firms may slack in their security work after being insured • Others • lack of actuarial data, pricey premiums, interrelated risks

  19. Income in good state Certainty line A Welfare Loss Measure Ap P E FL B FH 45o I0p IfH IfL Income in bad state Adverse Selection • Separate high/low risk using risk assessment

  20. Income in good state Certainty line A Welfare Loss Measure Ap P E FL B FH 45o I0p IfH IfL Income in bad state Adverse Selection

  21. Income in good state Certainty line A Welfare Loss Measure Ap P E FL B FH 45o I0p IfH IfL Income in bad state Adverse Selection

  22. Income in good state Certainty line A Welfare Loss Measure Ap P E FL B FH 45o I0p IfH IfL Income in bad state Adverse Selection

  23. Income in good state Certainty line A Welfare Loss Measure Ap P E FL B FH 45o I0p IfH IfL Income in bad state Adverse Selection

  24. Income in good state Certainty line A Welfare Loss Measure Ap P E FL B FH 45o I0p IfH IfL Income in bad state Adverse Selection

  25. Solution to Adverse Selection • Evaluation of applicants’ security through offsite and on-site activities • detailed questionnaire: assesses applicant’s risks exposure, services offered, and network security • baseline risk assessment: physical location’s security, network’s design and activities, physical review of security, incident response, procedures etc. • recommendations for upgrades and fixes

  26. Solutions to Moral Hazard

  27. Solutions to Moral Hazard

  28. Solutions to Moral Hazard

  29. Solutions to Moral Hazard

  30. Solutions to Moral Hazard

  31. Outline • Emergence of Cyberinsurance • Current Cyberinsurance Practices • Economic Theory • Ideal World • Real World • Summary

  32. Summary In Theory - cyberinsurance can correct Internet risk transfer market failure (economic modeling) In Practice - cyberinsurers are slowly resolving real-world problems but some issues are still remain (case study results) Cyberinsurance is still the direction but it will take time, patient perseverance rather than giving up on this market solution.

  33. Questions? <http://www.ncassr.org/projects/econsec/>

  34. backup slides

  35. Insurance and Interdependent Risks • IT security is interdependent, e.g., an infected machine can cause infection of others • Ortzag and Stiglitz 2002: • Two distortions: interdependent risks results in care below the social optimum & insurance coverage also reduces the precaution level. • But if level of precaution can be observed and insurance premium tied to precaution level, moral hazard disappears & full insurance ensue • Suggestions (regulation, taxes and fees)

  36. Developing Cyberliability Law • Higher standards for certain firms/activities: • Financial firms: prevent data in databases from being leaked out or used for identity theft (GLB Act & security regulations) • Health care providers: ensure integrity/security of protected health information (HIPAA & security regulations) • Firms that gather data relating to children to safeguard it • Those covered by consent decrees; others • Those not covered by specific regulations and consent decrees have general common law duty to safeguard data under their control.

  37. Cyberinsurance, Self-Insurance and Self-protection Cyberinsurance “Complements” if premiums tied to self-protection level. (Cyberinsurance increases self-protection, i.e. no moral hazard) “Substitutes”: (High demand for one lowers the other’s) Self-insurance Self-protection “Substitutes” (Availability of one would discourage the other. Self-insurance likely to create a “moral hazard”)

  38. Socially-Optimal Precaution Level $ total social costs E(SC)=p(x)L+wx wx precaution costs Efficiency requires minimizing total costs; occurs if w = - p’(x*)L (marginal social cost) (marginal social benefit) expected losses p(x)L 0 X* Precaution

  39. Cyberinsurance Premiumsand Welfare Gains (in Millions)

More Related