A Novel Cyber-Insurance for Internet Security

TL;DR

This paper introduces Aegis, a new cyber-insurance model that addresses both security and non-security risks, showing it is preferred by users over traditional insurance, thus challenging existing market assumptions.

Contribution

The paper proposes Aegis, a novel cyber-insurance scheme where users share losses, and proves its superiority over traditional contracts in all premium scenarios.

Findings

Users prefer Aegis contracts over traditional ones.

Aegis makes traditional cyber-insurance markets non-existent.

Mathematical analysis supports user preference for shared-loss insurance.

Abstract

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, and botnets. To reduce the probability of risk, an Internet user generally invests in self-defense mechanisms like antivirus and antispam software. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In reality, an Internet user faces risks due to security attacks as well as risks due to non-security related failures (e.g., reliability faults in the form of hardware crash, buffer overflow, etc.) . These risk types are often indistinguishable by a naive user. However, a cyber-insurance agency would most likely insure risks only due to security attacks. In this case, it becomes a challenge for an Internet user to choose the right type of cyber-insurance contract as standard optimal contracts, i.e., contracts under security attacks only, might prove to be sub-optimal for himself. In this paper, we address the problem of analyzing cyber-insurance solutions when a user faces risks due to both, security as well as non-security related failures. We propose \emph{Aegis}, a novel cyber-insurance model in which the user accepts a fraction \emph{(strictly positive)} of loss recovery on himself and transfers rest of the loss recovery on the cyber-insurance agency. We mathematically show that given an option, Internet users would prefer Aegis contracts to traditional cyber-insurance contracts, under all premium types. This result firmly establishes the non-existence of traditional cyber-insurance markets when Aegis contracts are offered to users.