Realizing Efficient Cyber-Insurance Markets Via Price Discriminating Security Products

Current cyber-insurance research community has mainly focussed about studying the market success of an insurance-driven security ecosystem. Such an ecosystem comprises of several market elements like cyber-insurers, ISPs, network users (individuals and organizations), security vendors (SVs), regulatory agencies, etc.,which coexist with the goal of mutually satisfying one’s interests in order to improve network security. However, recent market studies, and existing research have explained the moderate rate of improvement of cyber-insurance markets. One of the primary reasons is that insurers fail to make strictly positive expected profit at all times. In this paper, we model a security vendor (e.g., Symantec) as a cyber-insurer, and propose a novel consumer differentiated pricing mechanism for a monopoly SV based on its consumers’ logical network locations and their security investment amounts, with the goal of improving profits. We validate our model with extensive simulations conducted on practical SV client topologies, and show that a monopoly SV could (in theory) improve their current profit margins by approximately 25% by accounting for client location in the consumer network and his investment information. A fraction of the extra profits could then be used by the SV to recover costs related to providing insurance coverage to its clients, and also to always make strictly positive profits as an insurer. Our proposed pricing mechanism also ensures consumer fairness at market equilibrium by (i) charging each consumer a per unit product usage price based on (a) his location in the logical network and (b) the amount of positive externality he generates through his security investments, and (ii) equally costing each client nearly a constant total amount in security investments, irrespective of the client’s overlay network location. Our work demonstrates that price discriminating security products is one way to drive cyber-insurance markets towards being efficient, and highlights the impact of consumer network structure on the pricing and the appropriate allocation of cyber-insurance elements (e.g., fines, rebates, safety capital, etc.) amongst the consumers.