Security Adoption in Heterogeneous Networks: the Influence of Cyber-Insurance Market

Hosts (or nodes) in the Internet often face epidemic risks such as virus and worms attack. Despite the awareness of these risks and the availability of anti-virus software, investment in security protection is still scare, hence, epidemic risk is still prevalent. Deciding whether to invest in security protection is an inter-dependent process: security investment decision made by one node can affect the security risk of others, and therefore affect their decisions also. The first contribution of this paper is to provide a fundamental understanding on how “network externality” and “nodes heterogeneity” may affect security adoption. Nodes make decisions on security investment by evaluating the epidemic risk and the expected loss. We characterize it as a Bayesian network game in which nodes only have the local information, e.g., number of neighbors, as well as minimum common information, e.g., degree distribution of the network. Our second contribution is in analyzing a new form of risk management called cyber-insurance. We investigate how the presence of competitive insurance market can affect the security adoption and show that if the insurance provider can observe the protection level of nodes, the insurance market is a positive incentive for security adoption provided that the protection quality is not high. We also find that cyberinsurance is more likely to be a good incentive for nodes with higher degree. This work provides the fundamental understanding on the economics aspect of security adoption, and sheds light on a new Internet security service which can be economically viable and sustainable.