Cyber Insurance and Security Interdependence: Friends or Foes?

Cyber insurance is a cyber risk treatment option which allows transferring losses to another party for a fee. Although researchers and practitioners see cyber insurance as a desirable practice, the new market faces several practical (e.g., lack of data) and theoretical (effect of security interdependency) challenges. One of the most important questions from the cyber security point of view is whether cyber insurance is an incentive to self-protection investments. Several studies have shown that with cyber insurance available, agents are more willing to buy insurance than to invest in self-protection. In this study, we investigate how security interdependence affects the incentive of agents to invest in self-protection with/without cyber insurance available to them. In particular, we are interested in comparing the investments with and without insurance available for agents when the degree of interdependence changes. In the study, we model a competitive cyber insurance market and assume no information asymmetry.


I. INTRODUCTION
Adoption of the best cyber security practices and implementation of various countermeasures still does not guarantee 100% protection against incidents. Moreover, the cost of security is high, which makes implementation of all possible security practices and countermeasures cost-inefficient. In other words, organisation(s) always face residual risk which they have to accept [2]. Recently, cyber insurance appeared on the market and allows transferring residual risks to insureds (demand side that purchases an insurance).
By smoothing the expected losses for insureds, insurance companies collect incident data and use them for a more precise cyber risk estimation [4]. With these risk estimations, insurance companies specify a premium (a fee for risk transfer) which may serve as an indicator of security strength [1]. Furthermore, cyber insurance is believed to lead to new and more advanced standards in cyber security [4]. Last but not least, cyber insurance may incentivise insureds to invest more in self-protection so as to get lower premiums [12], [15]. This statement is partially supported by some marketing surveys [3]. However, some theoretical studies show that competitive cyber insurance is not always an incentive for self-protection without regulatory constraints [6], [7]. In other words, according to the studied behaviour models, insureds are often willing to buy more insurance instead of mitigating their risks. This has a negative effect on the society as a whole, as cyber security is interdependent, i.e., the protection level of one agent depends on other agents that are protected [1].
This work was partially supported by projects H2020 MSCA NeCS 675320 and H2020 MSCA CyberSure 734815.
The studies which analyse the behaviour of agents without regulation mechanisms (e.g., [6]) also detect the drop in self-protection investments caused by security interdependence if we compare these investments with an independent case. On the other hand, there is a lack of rigorous analysis of how security interdependency affects the ratio of investments depending on whether cyber insurance is available or not. In other words, the question we would like to answer in this paper is: can higher security interdependence make investments in self-protection with cyber insurance higher than in the case when the insurance option is not available in an unregulated environment?
In this study, we analyse the impact of security interdependence on the incentive of agents to invest in self-protection with/without cyber insurance available to them. In particular, we are interested in comparing the investments as the degree of interdependence increases. We have the primary interest in the situation in which, without interdependency, investments in self-protection with cyber insurance are lower than if insurance is not available. In the work, we model a competitive insurance market and assume no information asymmetry between an agent and an insurer.
The main contribution of this paper is a formal analysis of the impact of security interdependence on investment in self-protection. This work investigates whether cyber insurance can become more incentivising to invest in self-protection with the growth of security interdependence.
The remainder of the paper is organised as follows. In the next section (Section II), we introduce the problem that we are solving in our work. Section III describes the basic formal model considering two cases: i) cyber insurance is not available to agents and ii) cyber insurance is available. Then, this section analyses the impact of interdependence on investments in both cases. We conclude the paper with related work (Section IV) and conclusion (Section V).

II. PROBLEM STATEMENT
In the realm of cyber security, interconnectedness of nodes, so-called security interdependence (i.e., one's security depends on others' security investment), is one of the critical challenges [2]. Therefore, it is crucial to analyse its impact on security, especially for the decision-making on security investments. In this paper, we consider a situation in which an organisation (or agent) has conducted a thorough risk assessment and considers two options to mitigate risks: self-protection investments and cyber insurance. In the paper we do not consider the risk avoidance option, and risk acceptance is applied automatically for the residual, i.e., uncovered, risk.
The goal of this paper is to theoretically analyse the interplay between security investment in self-protection, cyber insurance, and security interdependence. Such theoretical analysis is required to predict the market behaviour and changes in self-protection investments. Naturally, we would like to be in the situation in which the cyber insurance market looks attractive for insureds (as well as for insurers, although this part is not considered in this paper) and investments in security are increasing, ensuring a higher level of protection for the market participants and the society.
The effect of security interdependence on self-protection investments in the scope of the cyber insurance market has been studied by several authors so far [6], [10]. The authors have found that, despite the general belief that insurance should provoke organisation(s) to invest more in self-protection [19] (in order to reduce the insurance premium), the theoretical analysis has shown that investments fall [6], [10]. In short, the authors have shown that high interdependence of security forces agents to invest less in self-protection. The studies have found that insurance does not always result in an increase of investments [7]. On the other hand, there are no studies confronting the self-protection investments with and without cyber insurance for high interdependence cases.
Since the first, informal problem statement description could be a bit misleading, we explain it with Table I. Let x be the amount of self-protection investments of an agent; every cell in the table contains the optimal amount of investments for one of the four considered cases: with and without insurance available for purchase, and with and without interdependence. We know [7] that if no interdependence is in place, insurance may or may not serve as an incentive for self-protection, depending on the initial conditions (i.e., the probability and utility functions applied for modelling): $x^{IA}_{LI}$ cond $x^{NA}_{LI}$. We also know [6] that investments with insurance for independent cases are higher than for cases with higher interdependence: H I ; and, because of the decreased effect of investments, the same holds for the investments if insurance is not available ($x^{NA}_{LI} \geq x^{NA}_{HI}$). In this paper, we focus on the question of how the investment levels for the insurance and no-insurance cases depend on the degree of interdependence: $x^{NA}_{HI}$ ? $x^{IA}_{HI}$. Our primary focus is on the situations in which initially, i.e., without (i.e., very low) interdependency, investments in self-protection are higher for no-insurance cases ($x^{IA}_{LI} < x^{NA}_{LI}$). In other words, we start with the worst case situation and try to analyse if the relation improves with the increase of interdependence.

| | Insurance available (IA) | No-Insurance available (NA) |
| No (low) interdependence (LI) | $x^{IA}_{LI}$ | $x^{NA}_{LI}$ |
| High interdependence (HI) | $x^{IA}_{HI}$ | $x^{NA}_{HI}$ |

TABLE I: PROBLEM STATEMENT DESCRIPTION

In particular, we would like to answer the question: which degree of interdependence forces the investments to be the same ($x^{NA}_{HI} = x^{IA}_{HI}$)? Naturally, the magnitude of investments should be lower than in the case of no interdependence. On the other hand, it is very hard to control the degree of interdependence (e.g., to increase the investments), but our analysis can show if cyber insurance has a positive effect on investments under high interdependence. In this paper, we propose only the initial results of our analysis, focusing only on proving the existence of the solution (i.e., that there exists such Π that $x^{NA}_{HI} = x^{IA}_{HI}$), leaving the complete study for future work.

III. ANALYSIS
For our analysis, we apply a formalisation similar to the one used by H. Ogut et al. [6], I. Ehrlich and G. S. Becker [7], W. Shim [16]. Here we provide a brief introduction of the main concepts of cyber insurance and refer the interested readers to A. Marotta et al. [2].
Let W be the amount of wealth an agent possesses at some time, and $W_0$ be the amount at the beginning of the considered period. We would like to analyse how the agent is going to behave (i.e., plans its investments) in the following period. We assume that, knowing the investments in self-protection x and the degree of security interdependence Π, we can find the probability of an event to occur as pr(x, Π). This probability depends on both the direct probability of attack π(x) and the aggregated probability of contagion (1 − Π), and can be found as:
It is natural to assume that the probability of direct attack π(x) decreases with the increase of security investments ($\pi' < 0$) and the efficacy of investments decreases ($\pi'' > 0$). The aggregated probability of contagion $(1 - \Pi_i)$ per agent i may be computed with the usual approach (see [2], [6]) if the investments of all agents in the network $x_j$ and the bilateral probabilities of contagion $q_{i,j}$ are known:
Since these details are irrelevant for our work, we use only Π and skip the index i so as to avoid theoretical complexities. Moreover, we call Π the degree of interdependence, since it defines how much the security of the network affects the security level of a considered agent. A value from the [0;1) interval defines an interdependent case with some degree, whereas the situation is obviously independent if Π = 1.
An agent uses a utility function U(W) to compute its satisfaction from possessing a certain wealth; the function returns a positive real value. This function is a concave ($U' = \frac{dU}{dW} \geq 0$, $U'' = \frac{d^2U}{dW^2} \leq 0$) Von Neumann-Morgenstern utility function, usually applied in insurance. The use of a concave utility function helps to model the usual behaviour of people, who value an equal additional amount of money more when possessing less wealth (resulting in risk averseness). Now, if losses from an incident are equal to L, then if no insurance is available to an agent its expected utility is:
is the utility if an incident occurs.
In order to find the optimal amount of investments for an agent, we should consider the first order condition (FOC) and find that it is a solution to the following equation:
If the insurance option is available, the agent may pay a premium P and get indemnity I in case an incident happens. In the competitive cyber insurance market, no insurer may introduce a new contract more attractive for insureds than the already available ones. In the model, this means that premiums are fair: P = pr(x, Π) * I. In this case, the expected utility is:
Now, we should consider the FOC for I as well as for x, following H. Ogut et al. [6] and I. Ehrlich and G. S. Becker [7]. The optimal indemnity $I^*$ is equal to the loss L, as the following proof shows:
Now, we should consider that pr(x) = 1 or pr(x) = 0 is fictitious. In reality, if such situations exist, there is no need to purchase insurance. In this regard, we can ignore these cases so that we obtain $U^I_L = U^I_N$, which leads to the following solution for the optimal investment $x^I$:
It is easy to see that even without solving Equations 6 and 12 we can reason on the values of $x^I$ and $x^N$: for example, if $\pi'(x^I) > \pi'(x^N)$, investments in the case of insurance are higher than in the case of no insurance.
From Equations 6 and 12 we see that in both cases Π affects the amount of optimal investments. We would like to know if there is such a Π which makes $\pi'(x^I) = \pi'(x^N)$. In other words, we would like to know if the following equation holds:
We should remember that $x^N$ depends on Π, as Equation 6 states, and that $U^N_N$ and $U^N_L$ depend on $x^N$, according to Equations 4 and 5. In order to simplify our investigation, the first step is to identify the security interdependence (Π) based on Equation 6 as follows:
The above-mentioned transformation leads us to the following result:
Based on the mathematical transformation for defining Π, we are now able to investigate a function f n which is defined by the following system:
Consider two border cases: Π = 1 and Π = 0. We start with the Π = 1 case. The most interesting situation is when investments in self-protection in the case of insurance are lower than in the case of no insurance available (x
Now, consider the Π = 0 case. We see that:
since for a concave function
Since the function f(Π) is continuous, then according to the Intermediate Value Theorem, there is such 1 > Π > 0 which makes $f(\Pi) = -1/L$ and Equation 13 holds for this
Here it is worth noting that we should always be careful about the value boundaries. For example, very low values of the degree of interdependence may require negative investments, which is not possible. Thus, instead of the case with Π = 0 we should consider the case when $x^N = 0$, the minimal reasonable value of security investments, and the minimal value of $\pi'(x^N = 0)$; if $\pi'(x^N = 0) < -1/L$ we may conclude that the required value Π is between 1 and the Π value found from the first equation of the equation system 16 for $x^N = 0$.
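A numeric illustration of the existence argument above, added here and not part of the paper: it solves both first order conditions for one constructed parameter set and locates the degree of interdependence at which the two optimal investments coincide. Assumptions (not from the paper): the contagion form pr(x, Π) = 1 − Π(1 − π(x)), chosen so that Π = 1 is the independent case, π(x) = 0.4·e^(−2x), U = ln, W0 = 10 and L = 5.

```python
import math

# Constructed parameters (assumptions for illustration, not from the paper)
W0, L = 10.0, 5.0      # initial wealth and loss from an incident
P0, A = 0.4, 2.0       # direct attack probability: pi(x) = P0 * exp(-A * x)
X_MAX = 3.0            # upper search bound for investments (keeps W0 - x - L > 0)

def pi_direct(x):
    return P0 * math.exp(-A * x)

def pr(x, Pi):
    # Assumed form: Pi = 1 is the independent case, lower Pi adds contagion.
    return 1.0 - Pi * (1.0 - pi_direct(x))

def bisect(f, lo, hi, iters=80):
    """Root of f on [lo, hi]; f(lo) and f(hi) must differ in sign."""
    f_lo = f(lo)
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if (f(mid) > 0) == (f_lo > 0):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def x_insured(Pi):
    # Full cover at a fair premium: maximise U(W0 - x - pr*L), which gives
    # Pi * pi'(x) = -1/L. Requires Pi > 0; a negative solution means x = 0.
    return max(0.0, math.log(Pi * A * P0 * L) / A)

def d_eu_uninsured(x, Pi):
    # d/dx of pr*U(W0 - x - L) + (1 - pr)*U(W0 - x) with U = ln.
    w_ok, w_loss = W0 - x, W0 - x - L
    gain = Pi * A * pi_direct(x) * (math.log(w_ok) - math.log(w_loss))
    cost = pr(x, Pi) / w_loss + (1.0 - pr(x, Pi)) / w_ok
    return gain - cost

def x_uninsured(Pi):
    if d_eu_uninsured(0.0, Pi) <= 0:   # corner case: investing does not pay
        return 0.0
    return bisect(lambda x: d_eu_uninsured(x, Pi), 0.0, X_MAX)

def crossing_degree(lo=0.3, hi=1.0):
    """Degree of interdependence at which both optimal investments coincide."""
    return bisect(lambda Pi: x_uninsured(Pi) - x_insured(Pi), lo, hi)

if __name__ == "__main__":
    for Pi in (1.0, 0.8, 0.6, 0.3):
        print(f"Pi={Pi:.1f}  x_N={x_uninsured(Pi):.3f}  x_I={x_insured(Pi):.3f}")
    print("x_N = x_I at Pi =", round(crossing_degree(), 3))
```

For these values the uninsured agent invests more in the independent case and less under strong interdependence, with the corner solution x = 0 appearing for the uninsured agent at Π = 0.3, which is the boundary caveat noted in the text.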

IV. RELATED WORK
Recently, cyber insurance gained much attention of practitioners and researchers. The young market faces a number of issues that slow down its maturation [2], [13]. One of these issues relates to the interdependency of cyber security and its effect on both cyber insurance and investments in self-protection [5], [6], [9], [14]. In particular, some researchers have found that if cyber insurance is available, investments in self-protection drop [5], [6], [10]. In contrast, M. Lelarge and J. Bolot [9] have shown that cyber security is a mechanism to incentivise agents to invest in self-protection. Here we would like to underline that the investment model of M. Lelarge and J. Bolot [9] is binary: either a low or a high level of protection is possible; while H. Ogut et al. [6] and Shetty and Schwartz et al. [5], [10] use the continuous investment model, i.e., any additional investment improves the security level. In our paper we have used the continuous investment model and have shown that whether cyber insurance is an incentive or not may depend on the degree of security interdependence.
A number of authors considered the problem of reducing the self-protection level if cyber insurance is available [5], [9], [14], [17] and whether the social optimum level of investments can be reached [5], [10]. The best solution found so far is a "fines and rebates" mechanism that penalises the agents with low security and grants bonuses to the agents with high security in addition to premium discrimination [8], [9], [14]. In order to use this mechanism, an insurer must have complete information about insureds' investments, i.e., there should be no information asymmetry. Furthermore, the work of P. Naghizadeh and M. Liu [11] could be seen as a variation of this mechanism. Their approach requires insurers to collect the proposals for the desired investment level and premiums from all agents. Similarly, Wang also assumed mandatory participation and proposed an integrated framework for allocating total expenditures among security investment and cyber insurance [18]. These proposals are adopted to define the pricing strategy for the insurer, which leads to the socially optimal investment level if participation is mandatory. In contrast to all these works, we do not consider additional regulation mechanisms in the model, but only analyse the expected behaviour of agents (their investment strategy) in the network with different degrees of security interdependence.

V. CONCLUSION
In the paper we have mathematically analysed how the degree of interdependency affects cyber security self-investments with and without cyber insurance available to the considered agent. We have found that if initially, i.e., without interdependence, investments in self-protection are higher in the case of no insurance available, then with a certain degree of interdependence, cyber insurance will incentivise investing in self-protection equally to (and even more compared with) the case if no insurance is available. In other words, we may conclude that an interdependent cyber security world has a greater chance to benefit from applying cyber insurance, not only because of its attractiveness for agents but also because of the increase of investments in self-protection, even if no regulation mechanisms are in force.
The analysis we have presented is far from being complete. For example, in the paper we did not consider the case when cyber insurance initially (independent case) incentivises investing in self-protection more than if no insurance is available. We have not provided a complete answer on when the ratio of self-protection investments in the two cases rises or drops with the change of the degree of interdependence. We also acknowledge that in our model only the considered agent is allowed to purchase insurance and the rest of the network is not. We would like to investigate these questions in our future work. Nevertheless, we see that even the initial analysis already leads to an interesting result.