The Impact of Secure OSs on Internet Security: What Cyber-Insurers Need to Know

TL;DR

This paper models how secure OS adoption spreads in networks using social gossip dynamics, providing insights for cyber-insurers to target networks, design contracts, and promote security.

Contribution

It introduces a social gossip-based model for OS platform switching, analyzing network targeting, performance bounds, and contract design for cyber-insurers.

Findings

Identifies optimal network types for cyber-insurance targeting.

Establishes bounds on long-term secure OS adoption levels.

Suggests how topological info can incentivize users to adopt secure OSs.

Abstract

In recent years, researchers have proposed \emph{cyber-insurance} as a suitable risk-management technique for enhancing security in Internet-like distributed systems. However, amongst other factors, information asymmetry between the insurer and the insured, and the inter-dependent and correlated nature of cyber risks have contributed in a big way to the failure of cyber-insurance markets. Security experts have argued in favor of operating system (OS) platform switching (ex., from Windows to Unix-based OSs) or secure OS adoption as being one of the techniques that can potentially mitigate the problems posing a challenge to successful cyber-insurance markets. In this regard we model OS platform switching dynamics using a \emph{social gossip} mechanism and study three important questions related to the nature of the dynamics, for Internet-like distributed systems: (i) which type of networks should cyber-insurers target for insuring?, (ii) what are the bounds on the asymptotic performance level of a network, where the performance parameter is an average function of the long-run individual user willingness to adopt secure OSs?, and (iii) how can cyber-insurers use the topological information of their clients to incentivize/reward them during offering contracts? Our analysis is important to a profit-minded cyber-insurer, who wants to target the right network, design optimal contracts to resolve information asymmetry problems, and at the same time promote the increase of overall network security through increasing secure OS adoption amongst users.