Competitive Cyber-Insurance and Network Security


Nikhil Shetty, Galina Schwartz, Mark Felegyhazi, Jean Walrand
TRUST 2009 Presentation, EECS, UC Berkeley

Cyber-insurers as car dealers: trading lemons?
• Have you heard of Akerlof (1970), “Market for Lemons”?
• Financial Services Industry = manage financial risks (reallocate, redistribute, reduce)
• Irony: Financial institutions are subject to network insecurity risks

Plan of talk: Insecurity as Risk
• Model [no-insurance]
• Model + insurance, if user security is
  – I. non-contractible
  – II. contractible
• Main results
  – In many cases, missing cyber-insurance market (if I.)
  – In general, network security worsens with cyber-insurers
• Discussion

Model [no-insurance]
• Players: Identical users
  – W - Wealth
  – D - Damage (if successful attack)
  – If successful attack, wealth is W - D
  – p - probability of successful attack
  – Risk-averse users

Probability of successful attack [interdependent security]
• Probability p depends on
  – user security (“private good”) AND
  – network security (“public good”) [externality]
• Interdependent security = externality:
  – Individual users: no effect on network security, BUT
  – Users’ security choices affect network security

Network Security
• Popular security models – based on Varian (2002) (weakest link, best shot, total effort)
• Our assumptions about network security:
  – Idea: network security is a function of average user security
  – This paper: network security = average user security

User Utility
• User’s trade-off: security vs convenience (usability)

Optimized User Utility
• A companion paper: similar results for general functions (f & h).
• This paper: after users optimize applications:

Nash Equil. vs Social Optimum [No-Insurance]
• User Utility
• Nash equilibrium vs Social Optimum
• If D/W is small, security is zero (or close to 0)

Security: Nash vs Social Optimum

Competitive cyber-insurers (cont.)
• Insurers:
  – free entry
  – zero operating costs
  – take network security as given
• Cases: if user security is
  – I. Non-contractible – contract prohibits purchasing extra coverage
  – II. Contractible

Model of competitive cyber-insurers
• We follow Rothschild & Stiglitz (1976)
• Each insurer offers a single contract. Nash equilibrium is a set of admissible contracts such that:
  – i) each insurer’s profit is non-negative
• For a given set of offered contracts:
  – ii) no entrant-insurer can enter and make a strictly positive profit
  – iii) no incumbent-insurer can increase his profit by altering his contract

Competitive cyber-insurers
• Insurers are risk neutral & each maximizes his profit
• Perfectly competitive insurers: zero profits
• We consider 2 cases. If user security is:
  – I. Non-contractible

Equilibrium with cyber-insurers
• From insurer competition:
  – User chooses from which insurer to buy a contract; in equilibrium, all contracts give a user identical utility
  – Only contracts maximizing user utility attract users; in equilibrium, all contracts maximize user utility
• User participation constraint must hold

I. non-contractible v
• Extra coverage is prohibited
• If D < 8/9 W – missing cyber-insurance market [no equilibrium with positive insurance coverage exists]
• If D > 8/9 W – equilibrium contract may

Equilibrium security [I. non-contractible v]
• When an equilibrium with positive coverage exists, security worsens relative to the no-insurance Nash equilibrium
• Why is security worse? The user’s incentives to invest in security worsen (risk is covered!)
• With insurance [& non-contractible v]
  – utility is higher than with no insurance
  – but aggregate damage is higher too
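The two mechanisms in the slides above, the interdependent-security externality (Nash security below the social optimum, slides 4 to 10) and the moral-hazard effect of coverage when user security is non-contractible (slide 16), can be made concrete with a small numerical model. The code below is an added illustration, not the authors' model or code: the talk leaves f and h general and states only that network security equals average user security. The attack probability p(v, s) = (1 - v)(1 - s), the quadratic convenience cost, log utility, the parameter values W, D, K and every function name are assumptions made here.

```python
"""Toy numerical version of the talk's model: interdependent security with
identical, risk-averse users, then the moral-hazard effect of coverage when
user security is non-contractible.

All functional forms and parameter values below are assumptions for
illustration; they are not taken from the talk or the paper.
"""
import math

W = 1.0    # wealth (assumed)
D = 0.5    # damage if an attack succeeds, so D/W = 0.5 (assumed)
K = 0.2    # convenience cost coefficient (assumed)
GRID = [i / 200 for i in range(201)]   # candidate security levels v in [0, 1]


def attack_prob(v, s):
    """Probability of a successful attack on a user with own security v when
    network security (the average user security) is s.  Assumed form: more
    own security and more network security both lower the risk."""
    return (1.0 - v) * (1.0 - s)


def cost(v):
    """Convenience (usability) cost of security, charged against wealth. Assumed form."""
    return K * v * v * W


def expected_utility(v, s, coverage=0.0, premium=0.0):
    """Expected utility of one user with log utility of wealth (risk averse).

    coverage: fraction of D the insurer reimburses (0 = no insurance, 1 = full).
    premium:  amount paid up front for that coverage.
    """
    p = attack_prob(v, s)
    wealth_safe = W - cost(v) - premium
    wealth_hit = wealth_safe - D * (1.0 - coverage)
    return (1.0 - p) * math.log(wealth_safe) + p * math.log(wealth_hit)


def best_response(s, coverage=0.0, premium=0.0):
    """Security a single user picks, taking network security s as given:
    one user's choice has no measurable effect on the average (the externality)."""
    return max(GRID, key=lambda v: expected_utility(v, s, coverage, premium))


def nash_security():
    """Symmetric Nash equilibrium without insurance: the s that is its own best
    response.  With the assumed p(v, s) the best response is weakly decreasing
    in s, so the first grid point with best_response(s) <= s is the crossing."""
    for s in GRID:
        if best_response(s) <= s:
            return s
    return 1.0


def social_optimum():
    """A planner choosing every user's security internalises the externality:
    raising v also raises the network average s = v."""
    return max(GRID, key=lambda v: expected_utility(v, v))


def expected_damage(v):
    """Expected damage per user when every user runs security v."""
    return attack_prob(v, v) * D


def moral_hazard_curve(coverages):
    """Non-contractible case: the insurer cannot observe v, so it prices each
    contract at the actuarially fair premium for the no-insurance Nash risk and
    takes network security as given.  Returns {coverage: security the user then
    actually picks}; the incentive to invest falls as more of the risk is covered,
    and with full coverage v no longer affects the user's wealth at all."""
    s = nash_security()
    fair_risk = attack_prob(s, s)
    return {c: best_response(s, c, c * fair_risk * D) for c in coverages}


if __name__ == "__main__":
    v_nash, v_opt = nash_security(), social_optimum()
    print(f"no insurance: Nash security {v_nash:.3f} < social optimum {v_opt:.3f}")
    print(f"expected damage per user: Nash {expected_damage(v_nash):.3f}, "
          f"optimum {expected_damage(v_opt):.3f}")
    for c, v in moral_hazard_curve([0.0, 0.25, 0.5, 0.75, 1.0]).items():
        print(f"coverage {c:.2f}: user picks security {v:.3f}; if everyone does, "
              f"expected damage {expected_damage(v):.3f}")
```

Under these assumptions the Nash security level lands below the planner's optimum because each user sees only (1 - s) of the benefit of raising v while the planner sees the full effect on the average, and in the non-contractible insurance case the user's chosen security drops to zero once the damage is fully covered, which is exactly the channel slide 16 describes.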

II. contractible v

Equilibrium [II. contractible v]
• In equilibrium, no user deviates to no insurance
  – If not, some insurer will offer a contract with a deviating security level (with insurance, user utility is higher)
• Entire damage D is covered
  – If not, some insurer will offer a contract with a higher coverage

Equilibrium security with insurance [II. contractible v]
• Equilibrium contract
  – is unique
  – it covers the entire damage D
• We have:
• If D/W is very low:
• If D/W is high:

Security Levels [II. Contractible]

Conclusion
• Asymmetric information causes missing markets
  – A well-known result on missing markets from the classical papers: Akerlof (1970); Rothschild and Stiglitz (1976)
  – Cyber-insurance is a convincing case of market failure
• I. non-contractible user security (a lot of asymmetric info)
  – For most parameters, the cyber-insurance market is missing
• II. contractible user security (only some

Missing cyber-insurance market & information asymmetries – a link
• Asymmetric information (present in our model):
  – I. non-contractible case:
    • Insurers: no info about user security
    • Insurers: no info about each other
  – II. Contractible case:
    • Insurers: no info about each other
• Other info asymmetries could matter:
  – damage size
  – attack probability

Conclusion (cont.)
• Even with cyber-insurance, improved network security is unlikely
  – With cyber-insurers, user utility improves, but in general, network security worsens; security increases only if D/W is very low
• Insurers fail to improve security. Why?
  – Insurers free-ride on other insurers, which lowers security
  – Insurance is a tool for risk redistribution, not risk reduction

Are cyber-insurers trading lemons?
• What are cyber-insurers selling?
  – Indulgences?
  – Are cyber-insurers selling us peace of mind?

How to?
• Problems to resolve (for cyber-insurance to take off). Need to:
  – Reduce information asymmetries (tools: disclosure laws, requirements on standard (default) settings of security software, …)
  – Reduce network externalities (tools: imposition of limited user liability, i.e., mandating a user security level, i.e., user certification)
• But – this is hard (technologically and politically)