A Mathematical Theory of Internet Security Investments Under Cyber-Insurance Coverage

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spams, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important decision for Internet users is their amount of investment in self-defense mechanisms when insurance solutions are offered. In this paper, we investigate the problem of self-defense investments in the Internet, under optimal cyber-insurance coverage, where optimality is an insurer objective. By the term ‘self-defense investment’, we mean the monetary-cum-precautionary cost that each user needs to invest in employing risk mitigating self-defense mechanisms, given that it is optimally insured by Internet insurance agencies. We propose a general mathematical framework by which co-operative and non-co-operative Internet users can decide whether or not to invest in self-defense for ensuring both, individual and social welfare. Our results show that co-operation amongst users results in more efficient self-defense investments than those in a non-cooperative setting, under full insurance coverage, in a perfect single insurer cyber-insurance market, whereas in imperfect single insurer markets of non-cooperative users, partial insurance driven self-defense investments are optimal. R. Pal and L. Golubchik are with the Department of Computer Science, University of Southern California, CA, 90089 USA. e-mail: {rpal, leana}@usc.edu. September 8, 2010 DRAFT