Cyber-insurance framework for large scale interdependent networks

Abstract

This article presents a framework for managing cyber-risks in large-scale interdependent networks where cyber insurers are strategic players. In our earlier work, we imposed that breach probability of each network node (which we view as a player) is a function of two variables: first, player own security action and second, average security of all players. In this article, we formally derive the expression of breach probability from the standard assumptions. For a homogeneous interdependent network (identical users), we provide a solution for optimal security choice of each node in environments without and with cyber insurers present. Then, we introduce a general heterogeneous network (many user types), and derive the expression for network security. Lastly, we consider the network with two user types (normal and malicious), in which we allow one user type (malicious users) to subvert monitoring of the insurers, even if these insurers are able to perfectly enforce security levels of normal users (at zero cost). Our analysis confirms a discrepancy between informal arguments that favor cyber-insurance as a tool to improve network security, and formal models, which tend to view insurance as an instrument of managing risks only. In particular, our results support the case against cyber-insurance as the means of improving security. Our framework helps to identify the crucial network parameters for improving incentives to provide secure networks.