WILL CYBER- IMPROVE NETWORK SECURITY? A MARKET ANALYSIS

Sri Vasavi College, Erode Self-Finance Wing, 3rd February 2017. National Conference on Computer and Communication, NCCC’17. International Journal of Computer Science (IJCS) Published by SK Research Group of Companies (SKRGC)

Abstract

Ranjan Pal University of Southern California Leana Golubchik and Konstantis Psounis University of Southern California {leana, Pan Hui HKUST, and T-Labs - Germany Abstract Recent work in security has illustrated that solutions aimed at detection and elimination of security threats alone are unlikely to result in a robust cyberspace. As an orthogonal approach to mitigating security problems, some have pursued the use of cyber-insurance as a suitable risk management technique. Such an approach has the potential to jointly align with the incentives of security vendors (e.g., Symantec, Microsoft, etc., cyber-insurers (e.g., ISPs, cloud providers, security vendors, etc., regulatory agencies (e.g., government, and network users (individuals and organizations, in turn paving the way for comprehensive and robust cyber-security mechanisms. To this end, in this work, we are motivated by the following important question: can cyber-insurance really improve the security in a network? To address this question, we adopt a market-based approach. Specifically, we analyze regulated mopolistic and competitive cyber-insurance markets, the market elements consist of risk-averse cyber-insurers, risk-averse network users, a regulatory agency, and security vendors. Our results show that (i without contract discrimination amongst users, there always exists a unique market equilibrium for both market types, but the equilibrium is inefficient and does t improve network security, and (ii in mopoly markets, contract discrimination amongst users results in a unique market equilibrium that is efficient, which in turn results in network security improvement - however, the cyber-insurer can make zero expected profits. The latter fact is often sufficient to de-incentivize the insurer to be a part of a market, and will eventually lead to its collapse. This fact also emphasizes the need for designing mechanisms that incentivize the insurer to permanently be part of the market.

References

1. Information Asymmetry. Internet Wikipedia Source.

2. G. A. Akerlof. The market for lemons - quality uncertainty and the market mechanism. Quarterly Journal of Economics,

3. R. Anderson and T. Moore. Information security economics and beyond. In Information Security Summit, 28. R. Bohme. Personal communication.

4. R. Bohme and G. Schwartz. Modeling cyber-insurance: Towards a unifying framework. In WEIS, 21.

5. J. Grossklags, N. Christin, and J. Chuang. Security and insurance management in networks with heterogeus agents. In ACM EC, 28.

6. L. Jiang, V. Ananthram, and J. Walrand. How bad are selfish inverstments in network security? To Appear in IEEE/ACM Transactions on Networking, 21. Khouzani, S. Sen., and N. Shroff. An ecomic analysis of regulating security investments in the internet. In IEEE INFOCOM, 213.

7. M.Feleghyazi and J.Walrand. Competitive cyber insurance and internet security. In WEIS, 29. [16] J. Omic, A. Orda, and P. V. Mieghem. Protecting against network infections:

8. A game theoretic perspective. In IEEE INFOCOM, 29. [17] R. Pal and L. Golubchik. Analyzing self-defense investments in the internet under cyber-insurance coverage. In IEEE ICDCS, 21.

9. R. Pal, L. Golubchik, and K. Psounis. Aegis: A vel cyber-insurance model. In IEEE/ACM GameSec.

Keywords

security, cyber-insurance, market, equilibrium.