Speaker: Ranjan Pal, University of Southern California (USC)
In recent years, security researchers have well established that technical security solutions alone will not result in a robust cyberspace, due to several issues jointly related to the economics and technology of computer security. In this regard, some of them have proposed cyber-insurance as a suitable risk management technique that has the potential to jointly align the various incentives of security vendors (e.g., Symantec, Microsoft, etc.), cyber-insurers (e.g., security vendors, ISPs, cloud providers, etc.), regulatory agencies (e.g., government), and network users (individuals and organizations), in turn paving the way for robust cyber-security. In this talk, we ask the following important question: can cyber-insurance really improve the security of a network? To answer this question we adopt a market-based approach. We analyze regulated monopolistic and competitive cyber-insurance markets, where the market elements consist of risk-averse cyber-insurers, risk-averse network users, a regulatory agency, and security vendors (SVs). Our analysis proves that technical solutions alone will not result in optimal network security, and leads to two important results: (i) without contract discrimination amongst users, there always exists a unique market equilibrium for both market types, but the equilibrium is inefficient and does not improve network security, and (ii) in monopoly markets, contract discrimination amongst users results in a unique market equilibrium that is efficient and improves network security; however, the cyber-insurer can make zero expected profit. The latter fact is often sufficient to disincentivize the formation or practical realization of successful and stable cyber-insurance markets.
To alleviate the insurer's problem of potentially making zero profit, we suggest two mechanisms: (a) the SV could enter into a business relationship with the insurer and lock the latter's clients into using security products manufactured by the SV; in return for the increased sale of its products, the SV could split the average profit per consumer with the insurer, and (b) the SV could itself be the insurer and account for the logical/social network information of its clients when pricing them. In this regard, we study homogeneous, heterogeneous, and binary pricing mechanisms designed via a common Stackelberg pricing game framework. The binary pricing game turns out to be NP-hard, for which we develop an efficient randomized approximation algorithm that achieves insurer profits of at least 0.878 of the optimal solution. Our game analysis, combined with simulation results on practical networking topologies, illustrates increased maximum profits for the insurer (SV) at market equilibrium and always generates strictly positive profit for the latter, when compared to current SV pricing mechanisms in practice. In addition, the state of improved network security remains intact. We conclude the talk with a brief description of our ongoing work on the role of markets and game theory in the design of holistic solution approaches for problems in (i) mobile and IoT privacy, (ii) cloud and ad-driven streaming systems, and (iii) cyber-physical system security.
Ranjan Pal is a Research Scientist at the University of Southern California (USC), affiliated with the Electrical Engineering and Computer Science departments. He received his PhD in Computer Science from USC in the Fall of 2014, and was the recipient of the Provost Fellowship throughout his PhD studies. During his PhD, Ranjan held visiting scholar positions at Princeton University, USA, and Deutsche Telekom Research Laboratories (T-Labs), Berlin, Germany. His primary research interests lie in the performance modeling, analysis, and design of cyber-security, privacy, and communication networks using tools from economics, game theory, algorithms, and mathematical optimization. He also has a minor research interest in applied machine learning. As a PhD student, Ranjan co-authored more than 20 papers in premier conferences, journals, and workshops. He is a member of the IEEE and the ACM.