Should Cyber-Insurance Providers Invest in Software Security?
Aron Laszka, Jens Grossklags

Citation
Aron Laszka, Jens Grossklags. "Should Cyber-Insurance Providers Invest in Software Security?". 20th European Symposium on Research in Computer Security (ESORICS), September, 2015.

Abstract
Insurance is based on the diversifiability of individual risks: if an insurance provider maintains a large portfolio of customers, the probability of an event involving a large portion of the customers is negligible. However, in the case of cyber-insurance, not all risks are diversifiable due to software monocultures. If a vulnerability is discovered in a widely used software product, it can be used to compromise a multitude of targets until it is eventually patched, leading to a catastrophic event for the insurance provider. To lower their exposure to non-diversifiable risks, insurance providers may try to influence the security of widely used software products in their customer population, for example, through vulnerability reward programs. We explore the proposal that insurance providers should take a proactive role in improving software security, and provide evidence that this approach is viable for a monopolistic provider. We develop a model which captures the supply and demand sides of insurance, provide computational complexity results on the provider's investment decisions, and propose different heuristic investment strategies. We demonstrate that investments can reduce non-diversifiable risks and can lead to a more profitable cyber-insurance market. Finally, we detail the relative merits of the different heuristic strategies with numerical results.
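The diversifiability argument in the abstract can be made concrete with a small calculation. The following Python is an added illustration written for this page, not code from the paper or its authors, and its model is an assumption: each of n customers is compromised independently with probability p, except that a share of them runs the same software product, which with probability q suffers a widely exploited vulnerability in the period that compromises all of them at once. It computes exactly (no sampling) the probability that at least a threshold fraction of the portfolio is hit in one period, for both the independent and the monoculture case.

```python
import math


def log_binom_pmf(n, k, p):
    """log P(Bin(n, p) = k), in log space so that large n does not overflow."""
    assert 0 < p < 1, "p must be strictly between 0 and 1"
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def binom_tail(n, p, k):
    """P(Bin(n, p) >= k). k <= 0 is certain, k > n is impossible."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(math.exp(log_binom_pmf(n, j, p)) for j in range(k, n + 1))


def tail_independent(n, p, threshold):
    """Probability that at least threshold*n customers are compromised when
    every customer fails independently with probability p (diversifiable risk).
    By the law of large numbers this shrinks towards zero as n grows."""
    k = math.ceil(threshold * n)
    return binom_tail(n, p, k)


def tail_monoculture(n, p, share, q, threshold):
    """Same portfolio, but a fraction `share` runs one product. With the assumed
    probability q that product is hit by a widely exploited vulnerability in the
    period, compromising all of those customers; the rest still fail
    independently. The q-weighted term does not shrink with n."""
    m = round(share * n)                 # customers in the monoculture
    k = math.ceil(threshold * n)         # loss count that counts as catastrophic
    hit = binom_tail(n - m, p, k - m)    # monoculture event happened: m already lost
    not_hit = binom_tail(n, p, k)        # only independent failures this period
    return q * hit + (1 - q) * not_hit


def catastrophe_probabilities(p=0.01, share=0.3, q=0.05, threshold=0.05):
    """Tail probability of losing at least 5% of the portfolio, for growing
    portfolio sizes, as (independent, monoculture) pairs. Parameter values are
    constructed for illustration only."""
    return {n: (tail_independent(n, p, threshold),
                tail_monoculture(n, p, share, q, threshold))
            for n in (100, 1000, 10000)}


if __name__ == "__main__":
    for n, (indep, mono) in catastrophe_probabilities().items():
        print(f"n={n:6d}  independent={indep:.3e}  monoculture={mono:.3e}")
```

Under these assumed parameters the independent column falls from a few tenths of a percent at n=100 to effectively zero at n=10000, while the monoculture column stays at roughly q regardless of portfolio size: adding customers does not diversify that term away. Only lowering q itself, which is what the investment in software security proposed in the abstract targets, reduces it.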

Electronic downloads


Internal. This publication has been marked by the author for FORCES-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML
    Aron Laszka, Jens Grossklags. <a
    href="http://www.cps-forces.org/pubs/121.html"
    >Should Cyber-Insurance Providers Invest in Software
    Security?</a>, 20th European Symposium on Research in
    Computer Security (ESORICS), September, 2015.
  • Plain text
    Aron Laszka, Jens Grossklags. "Should Cyber-Insurance
    Providers Invest in Software Security?". 20th European
    Symposium on Research in Computer Security (ESORICS),
    September, 2015.
  • BibTeX
    @inproceedings{LaszkaGrossklags15_ShouldCyberInsuranceProvidersInvestInSoftwareSecurity,
        author = {Aron Laszka and Jens Grossklags},
        title = {Should Cyber-Insurance Providers Invest in
                  Software Security?},
        booktitle = {20th European Symposium on Research in Computer
                  Security (ESORICS)},
        month = {September},
        year = {2015},
        abstract = {Insurance is based on the diversifiability of
                  individual risks: if an insurance provider
                  maintains a large portfolio of customers, the
                  probability of an event involving a large portion
                  of the customers is negligible. However, in the
                  case of cyber-insurance, not all risks are
                  diversifiable due to software monocultures. If a
                  vulnerability is discovered in a widely used
                  software product, it can be used to compromise a
                  multitude of targets until it is eventually
                  patched, leading to a catastrophic event for the
                  insurance provider. To lower their exposure to
                  non-diversifiable risks, insurance providers may
                  try to influence the security of widely used
                  software products in their customer population,
                  for example, through vulnerability reward
                  programs. We explore the proposal that insurance
                  providers should take a proactive role in
                  improving software security, and provide evidence
                  that this approach is viable for a monopolistic
                  provider. We develop a model which captures the
                  supply and demand sides of insurance, provide
                  computational complexity results on the provider's
                  investment decisions, and propose different
                  heuristic investment strategies. We demonstrate
                  that investments can reduce non-diversifiable
                  risks and can lead to a more profitable
                  cyber-insurance market. Finally, we detail the
                  relative merits of the different heuristic
                  strategies with numerical results.},
        URL = {http://cps-forces.org/pubs/121.html}
    }
    

Posted by Aron Laszka on 15 Mar 2016.
For additional information, see the Publications FAQ or contact webmaster at cps-forces org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.