Designing cyber insurance policies in the presence of security interdependence

Cyber insurance is a method for risk transfer but may or may not improve the state of network security. In this work, we consider a profit-maximizing insurer with voluntarily participating insureds. We are particularly interested in two features of cybersecurity and their impact on the contract design problem. The first is the interdependent nature of cybersecurity, whereby one entity's state of security depends on its own effort and others' effort. The second is our ability to perform accurate quantitative assessment of security posture at a firm level by combining recent advances in Internet measurement and machine learning techniques. We observe that security interdependency leads to a "profit opportunity" for the insurer, created by the inefficient effort levels exerted by agents who do not account for risk externalities when insurance is not available; this is in addition to risk transfer that an insurer profits from. Security pre-screening allows the insurer to take advantage of this opportunity by designing appropriate contracts which incentivize agents to increase their effort levels, allowing the insurer to effectively "sell commitment" to interdependent agents, in addition to risk transfer. We identify conditions under which this type of contracts lead to an improved state of network security.