skip to main content

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Embracing risk dependency in designing cyber-insurance contracts
We study the problem of designing cyber insurance policies in an interdependent network, where the loss of one agent (a primary party) depends not only on his own effort, but also on the investments and efforts of others (third parties) in the same eco-system (i.e., externalities). In designing cyber insurance policies, the conventional wisdom is to avoid insuring dependent parties for two reasons. First, simultaneous loss incidents threaten the insurer's business and capital. Second, when a loss incident can be attributed to a third party, the insurer of the primary party can get compensation from the insurer of the third party in order to reduce its own risk exposure. In this work, we analyze an interdependent network model in order to understand whether an insurer should avoid or embrace risks interdependencies. We focus on two interdependent agents, where the risk of one agent (primary party) depends on the other agent (third party), but not the other way around. We consider two potential scenarios: one in which an insurer only insures a primary party, and another one in which the insurer of the primary party further insures the third party agent. We show that it is in fact profitable for the primary party's insurer to insure both agents. Further, we show that insuring both agents not only provides higher profit for the insurer, but also reduces the collective risk.  more » « less
Award ID(s):
1739295
PAR ID:
10076418
Author(s) / Creator(s):
; ;
Date Published:
Journal Name:
2017 55th Annual Allerton Conference on Communication, Control, and Computing (Allerton)
Page Range / eLocation ID:
926 to 933
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ( , The Annual Workshop on the Economics of Information Security (WEIS))
    This paper highlights how cyber risk dependencies can be taken into consideration when underwrit- ing cyber-insurance policies. This is done within the context of a base rate insurance policy framework, which is widely used in practice. Specifically, we show that there is an opportunity for an underwriter to better control the risk dependency and the risk spill-over, ultimately resulting in lower overall cyber risks across its portfolio. To do so, we consider a Service Provider (SP) and its customers as the interdependent insurer’s customers: a data breach suffered by the SP can cause business interruption to its customers. In underwriting both the SP and its customers, we show that the insurer can increase its profit by incentivizing the SP (through a discount on its premium) to invest more in security, thereby decreasing the chance of business interruption to the customers and increasing social welfare. For comparison, we also consider a scenario where the insurer underwrites only the SP’s customers (but not the SP), and receives compensation from the SP’s insurance carrier when losses are attributed to the SP. We show that the insurer cannot outperform the case where it underwrites both the SP and its customers. We use an actual cyber-insurance policy and claims data to calibrate and substantiate our analytical findings. 
    more » « less
  2. ; ; ( , IEEE Transactions on Services Computing)
    With the rapid enhancements in technology and the adoption of web services, there has been a significant increase in cyber threats faced by organizations in cyberspace. Organizations want to purchase adequate cyber insurance to safeguard against the third-party services they use. However, cyber insurance policies describe their coverages and exclusions using legal jargon that can be difficult to comprehend. Parsing these policy documents and extracting the rules embedded in them is currently a very manual time-consuming process. We have developed a novel framework that automatically extracts the coverage and exclusion key terms and rules embedded in a cyber policy. We have built our framework using Information Retrieval and Artificial Intelligence techniques, specifically Semantic Web and Modal Logic. We have also developed a web interface where users can find the best matching cyber insurance policy based on particular coverage criteria. To validate our approach, we used industry standards proposed by the Federal Trade Commission document (FTC) and have applied it against publicly available policies of seven insurance providers. Our system will allow cyber insurance seekers to explore various policy documents and compare the paradigms mentioned in those documents while selecting the best relevant policy documents. 
    more » « less
  3. ; ; ; ; ; ( , Risk Analysis)
    This article deals with household-level flood risk mitigation. We present an agent-based modeling framework to simulate the mechanism of natural hazard and human interactions, to allow evaluation of community flood risk, and to predict various adaptation outcomes. The framework considers each household as an autonomous, yet socially connected, agent. A Beta-Bernoulli Bayesian learning model is first applied to measure changes of agents' risk perceptions in response to stochastic storm surges. Then the risk appraisal behaviors of agents, as a function of willingness-to-pay for flood insurance, are measured. Using Miami-Dade County, Florida as a case study, we simulated four scenarios to evaluate the outcomes of alternative adaptation strategies. Results show that community damage decreases significantly after a few years when agents become cognizant of flood risks. Compared to insurance policies with pre-Flood Insurance Rate Maps subsidies, risk-based insurance policies are more effective in promoting community resilience, but it will decrease motivations to purchase flood insurance, especially for households outside of high-risk areas. We evaluated vital model parameters using a local sensitivity analysis. Simulation results demonstrate the importance of an integrated adaptation strategy in community flood risk management. 
    more » « less
  4. ; ; ( , Conference on Decision and Game Theory for Security (GameSec))
    null (Ed.)
    Cyber insurance like other types of insurance is a method of risk transfer, where the insured pays a premium in exchange for coverage in the event of a loss. As a result of the reduced risk for the insured and the lack of information on the insurer’s side, the insured is generally inclined to lower its effort, leading to a worse state of security, a common phenomenon known as moral hazard. To mitigate moral hazard, a widely employed concept is premium discrimination, i.e., an agent/insured who exerts higher effort pays less premium. This, however, relies on the insurer’s ability to assess the effort exerted by the insured. In this paper, we study two methods of premium discrimination that rely on two different types of assessment: pre-screening and post-screening. Pre-screening occurs before the insured enters into a contract and can be done at the beginning of each contract period; the result of this process gives the insurer an estimated risk on the insured, which then determines the contract terms. The post-screening mechanism involves at least two contract periods whereby the second-period premium is increased if a loss event occurs during the first period. Prior work shows that both pre-screening and post-screening are generally effective in mitigating moral hazard and increasing the insured’s effort. The analysis in this study shows, however, that the conclusion becomes more nuanced when loss events are rare. Specifically, we show that post-screening is not effective at all with rare losses, while pre-screening can be an effective method when the agent perceives them as rarer than the insurer does; in this case pre-screening improves both the agent’s effort level and the insurer’s profit. 
    more » « less
  5. ; ( , The RAND Journal of Economics)
    Abstract

    Two risk‐averse litigants with different subjective beliefs negotiate in the shadow of a pending trial. Through contingent contracts, the litigants can mitigate risk and/or speculate on the trial outcome. Contingent contracting decreases the settlement rate and increases the volume and costs of litigation. These contingent contracts mimic the services provided by third‐party investors, including litigation funders and insurance companies. The litigants (weakly) prefer to contract with risk‐neutral third parties when the capital market is transaction‐cost free. However, contracting with third parties further decreases the settlement rate, increases the costs of litigation, and may increase the aggregate cost of risk bearing.

     
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email