
Cybersecurity investments and cyber insurance purchases in a non-cooperative game

Published online by Cambridge University Press: 13 January 2025

Tim J. Boonen
Affiliation:
Department of Statistics and Actuarial Science, School of Computing and Data Science, The University of Hong Kong, Hong Kong, Hong Kong SAR, China
Yang Feng*
Affiliation:
School of Economics and Management, University of Science and Technology Beijing, Beijing 100083, China
Zhiwei Tong
Affiliation:
Department of Statistics and Actuarial Science, The University of Iowa, Iowa City, IA 52241, USA
* Corresponding author: Yang Feng; Email: yangfeng_92@outlook.com

Abstract

The growing concern over cyber risk has become a pivotal issue in the business world. Firms can mitigate this risk through two primary strategies: investing in cybersecurity practices and purchasing cyber insurance. Cybersecurity investments reduce the compromise probability, while cyber insurance transfers potential losses to insurers. This study employs a network model for the spread of infection among interconnected firms and investigates how firms’ decisions affect one another. We analyze a non-cooperative game in which each firm aims to optimize its objective function through choices of cybersecurity level and insurance coverage ratio. We find that each firm’s cybersecurity investment and insurance purchase are strategic complements. Within this game, we derive sufficient conditions for the existence and uniqueness of Nash equilibrium and demonstrate its inefficiency. These theoretical results form the foundation for our numerical studies, allowing us to compute firms’ equilibrium decisions on cybersecurity investments and insurance purchases across various network structures. The numerical results shed light on the impact of network structure on equilibrium decisions and explore how varying insurance premiums influence firms’ cybersecurity investments.

Type
Research Article
Copyright
© The Author(s), 2025. Published by Cambridge University Press on behalf of The International Actuarial Association

