On Economic Perspectives of Internet Security: The Problem of Designing Optimal Cyber-Insurance Contracts

In Internet security, traditional protection mechanisms such as anti-virus software, firewalls, and other add-ons are not capable of completely eliminating security risks [3]. As noted in [7], the management of information security needs to be addressed through economic, psychological, and policymaking approaches, in combination with engineering approaches. As a realistic and futuristic solution, recent efforts suggest alleviating existing Internet security problems through cyber-insurance schemes [5][6] an alternative approach to handling residual risk, where residual risk is transferred to a different entity, i.e, insurance companies, in return for a fee, termed the insurance premium. Cyber-insurance is analogous to the widely popular technique of ‘insurance’ in modern life [1]. Cyber-insurance companies could take the form of government agencies or public/private Internet service providers (ISPs) such as phone and cable companies (e.g., AT&T, Comcast). For instance, ISPs could act as insurance agencies and make it mandatory for its clients to certify their computing devices, and in return provide them with insurance services that include monetary compensations, data backups, real-time network traffic monitoring and filtering [4]. Existing research [5][6] has shown that cyber-insurance is a powerful incentive mechanism that increases the level of self-protection amongst Internet users, and thereby the overall network security (social welfare). The works are based on the notion that increasing level of self-protection amongst Internet users makes individual users robust to the success of threat attacks, and in turn makes the whole network more threat-proof. In this extended abstract, we address the problem of enforcing optimal cyber-insurance contracts between the insurer and the insured, where optimality may be defined w.r.t to maximizing social welfare or w.r.t maximizing insurer commercial profits. We define an insurance contract as a (premium, coverage) tuple that is enforced between the insurer (say an ISP) and the insured, prior to the ISP providing Internet service, as part of terms of the agreement between the two.