We study the problem of designing cyber insurance policies in an interdependent network, where the loss of one agent (a primary party) depends not only on his own effort, but also on the investments and efforts of others (third parties) in the same ecosystem (i.e., externalities). In designing cyber insurance policies, the conventional wisdom is to avoid insuring dependent parties for two reasons. First, simultaneous loss incidents threaten the insurer's business and capital. Second, when a loss incident can be attributed to a third party, the insurer of the primary party can get compensation from the insurer of the third party in order to reduce its own risk exposure. In this work, we analyze an interdependent network model in order to understand whether an insurer should avoid or embrace risk interdependencies. We focus on two interdependent agents, where the risk of one agent (primary party) depends on the other agent (third party), but not the other way around. We consider two potential scenarios: one in which an insurer only insures a primary party, and another one in which the insurer of the primary party further insures the third party agent. We show that it is in fact profitable for the primary party's insurer to insure both agents. Further, we show that insuring both agents not only provides higher profit for the insurer, but also reduces the collective risk.
Effective Premium Discrimination for Designing Cyber Insurance Policies with Rare Losses
Cyber insurance, like other types of insurance, is a method of risk transfer, where the insured pays a premium in exchange for coverage in the event of a loss. As a result of the reduced risk for the insured and the lack of information on the insurer’s side, the insured is generally inclined to lower its effort, leading to a worse state of security, a common phenomenon known as moral hazard. To mitigate moral hazard, a widely employed concept is premium discrimination, i.e., an agent/insured who exerts higher effort pays less premium. This, however, relies on the insurer’s ability to assess the effort exerted by the insured. In this paper, we study two methods of premium discrimination that rely on two different types of assessment: pre-screening and post-screening. Pre-screening occurs before the insured enters into a contract and can be done at the beginning of each contract period; the result of this process gives the insurer an estimated risk on the insured, which then determines the contract terms. The post-screening mechanism involves at least two contract periods whereby the second-period premium is increased if a loss event occurs during the first period. Prior work shows that both pre-screening and post-screening are generally effective in mitigating moral hazard and increasing the insured’s effort. The analysis in this study shows, however, that the conclusion becomes more nuanced when loss events are rare. Specifically, we show that post-screening is not effective at all with rare losses, while pre-screening can be an effective method when the agent perceives them as rarer than the insurer does; in this case pre-screening improves both the agent’s effort level and the insurer’s profit.
- Award ID(s): 1739517
- PAR ID: 10202977
- Date Published:
- Journal Name: Conference on Decision and Game Theory for Security (GameSec)
- Page Range / eLocation ID: 259-275
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
-
Abstract We develop a computational framework for the stochastic and dynamic modeling of regional natural catastrophe losses with an insurance industry to support government decision‐making for hurricane risk management. The analysis captures the temporal changes in the building inventory due to the acquisition (buyouts) of high‐risk properties and the vulnerability of the building stock due to retrofit mitigation decisions. The system is comprised of a set of interacting models to (1) simulate hazard events; (2) estimate regional hurricane‐induced losses from each hazard event based on an evolving building inventory; (3) capture acquisition offer acceptance, retrofit implementation, and insurance purchase behaviors of homeowners; and (4) represent an insurance market sensitive to demand with strategically interrelated primary insurers. This framework is linked to a simulation‐optimization model to optimize decision‐making by a government entity whose objective is to minimize region‐wide hurricane losses. We examine the effect of different policies on homeowner mitigation, insurance take‐up rate, insurer profit, and solvency in a case study using data for eastern North Carolina. Our findings indicate that an approach that coordinates insurance, retrofits, and acquisition of high‐risk properties effectively reduces total (uninsured and insured) losses.
-
This paper highlights how cyber risk dependencies can be taken into consideration when underwriting cyber-insurance policies. This is done within the context of a base rate insurance policy framework, which is widely used in practice. Specifically, we show that there is an opportunity for an underwriter to better control the risk dependency and the risk spill-over, ultimately resulting in lower overall cyber risks across its portfolio. To do so, we consider a Service Provider (SP) and its customers as the interdependent insurer’s customers: a data breach suffered by the SP can cause business interruption to its customers. In underwriting both the SP and its customers, we show that the insurer can increase its profit by incentivizing the SP (through a discount on its premium) to invest more in security, thereby decreasing the chance of business interruption to the customers and increasing social welfare. For comparison, we also consider a scenario where the insurer underwrites only the SP’s customers (but not the SP), and receives compensation from the SP’s insurance carrier when losses are attributed to the SP. We show that the insurer cannot outperform the case where it underwrites both the SP and its customers. We use an actual cyber-insurance policy and claims data to calibrate and substantiate our analytical findings.
-
Abstract Hurricanes significantly harm homeowners through physical damage and long-term financial strain due to rising insurance costs, property value loss, and repair expenses. This paper focuses on the interrelated decisions of the government mitigation funding of residential acquisitions and retrofit subsidies and of price restrictions on the insurance market in eastern North Carolina to determine the financial effects on stakeholders. The introduction of these policy interventions has impacts that propagate through the system due to risk adjustments, homeowner take-up behaviour, and insurer profit-maximising behaviour. This study uses an integrated game theoretic model to demonstrate that there are cost-effective government spending levels that reduce residential loss from hurricane damage. When insurance prices are capped at preintervention levels, the number of households and their distribution of losses, which has been altered through mitigation, leads to increased insurer insolvency. When insurance prices are allowed to adjust after mitigation, some homeowners find insurance is no longer affordable. This highlights the tradeoff between ensuring insurer stability and expanding homeowner insurance accessibility.
-
The actuarially fair insurance premium reflects the expected loss for each insured. Given the dearth of cyber security loss data, market premiums could shed light on the true magnitude of cyber losses despite noise from factors unrelated to losses. To that end, we extract cyber insurance pricing information from the regulatory filings of 26 insurers. We provide empirical observations on how premiums vary by coverage type, amount, policyholder type, and over time. A method using Particle Swarm Optimization is introduced to iterate through candidate parameterized distributions with the goal of reducing error in predicting observed prices. We then aggregate the inferred loss models across 6,828 observed prices from all 26 insurers to derive the County Fair Cyber Loss Distribution. We demonstrate its value in decision support by applying it to a theoretical retail firm with annual revenue of $50M. The results suggest that the expected cyber liability loss is $428K, and that the firm faces a 2.3% chance of experiencing a cyber liability loss between $100K and $10M each year. The method could help organizations better manage cyber risk, regardless of whether they purchase insurance.

