Security adoption and influence of cyber-insurance markets in heterogeneous networks

Hosts (or nodes) in the Internet often face epidemic risks such as virus and worm attack. Despite the awareness of these risks and the importance of network/system security, investment in security protection is still scare, and hence epidemic risk is still prevalent. Deciding whether to invest in security protection is an interdependent process: security investment decision made by one node can affect the security risk of others, and therefore affect their decisions also. The first contribution of this paper is to provide a fundamental understanding on how ‘‘network externality’’ with ‘‘node heterogeneity’’ may affect security adoption. Nodes make decisions on security investment by evaluating the epidemic risk and the expected loss. We characterize it as a Bayesian network game in which nodes only have the local information, e.g., the number of neighbors, and minimum common information, e.g., degree distribution of the network. Our second goal is to study a new form of risk management, called cyber-insurance. We investigate how the presence of a competitive insurance market can affect the security adoption and show that if the insurance provider can observe the protection level of nodes, the insurance market is a positive incentive for security adoption if the protection quality is not very high. We also find that cyber-insurance ismore likely to be a good incentive for nodeswith higher degree. Conversely, if the insurance provider cannot observe theprotection level of nodes,we verify that partial insurance can be a non-negative incentive, improving node’s utility though not being an incentive. © 2013 Elsevier B.V. All rights reserved.