Security Pricing as Enabler of Cyber-Insurance A First Look at Differentiated Pricing Markets

Despite the promising potential of network risk management services (e.g., cyber-insurance) to improve information security, their deployment is relatively scarce, primarily due to such service companies being unable to guarantee profitability. As a novel approach to making cyber-insurance services more viable, we explore a symbiotic relationship between security vendors (e.g., Symantec) capable of price differentiating their clients, and cyber-insurance agencies having possession of information related to the security investments of their clients. The goal of this relationship is to (i) allow security vendors to price differentiate their clients based on security investment information from insurance agencies, (ii) allow the vendors to make more profit than in homogeneous pricing settings, and (iii) subsequently transfer some of the extra profit to cyber-insurance agencies to make insurance services more viable. In this paper, we perform a theoretical study of a market for differentiated security product pricing, primarily with a view to ensuring that security vendors (SVs) make more profit in the differentiated pricing case as compared to the case of non-differentiated pricing. In order to practically realize such pricing markets, we propose novel and computationally efficient consumer differentiated pricing mechanisms for SVs based on (i) the market structure, (ii) the communication network structure of SV consumers captured via a consumer’s Bonacich centrality in the network, and (iii) security investment amounts made by SV consumers. We validate our analytical model via extensive simulations conducted on practical SV client network topologies; main results show (through those simulations) that (a) a monopoly SV could improve its profit margin by upto ≈ 25% (based on the simulation setting) by accounting for clients’ investment information and network locations, whereas in an oligopoly setting, SVs could improve their profit margins by upto ≈ 18%, and (b) differentiated security pricing mechanisms are fair among SV consumers with respect to the total investment made by a consumer. To the best of knowledge, the proposed differentiated pricing framework is the first of its kind in the security products domain, and is generally applicable to usecases beyond the one investigated in this work.