Analyzing Self-Defense Investments in Internet Security under Cyber-Insurance Coverage

Abstract

Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, and botnets. To reduce the probability of risk, an Internet user generally invests in self-defense mechanisms like antivirus and antispam software. However, such software does not completely eliminate risk. Recent works have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important decision for Internet users is their amount of investment in self-defense mechanisms when insurance solutions are offered. In this paper, we investigate the problem of self-defense investments in the Internet, under full and partial cyber-insurance coverage models. By the term ‘self-defense investment’, we mean the monetary-cum-precautionary cost that each user needs to invest in employing risk mitigating self-defense mechanisms, given that it is fully or partially insured by the Internet insurance agencies. We propose a general mathematical framework by which co-operative and non-co-operative Internet users can decide whether or not to invest in self-defense for ensuring both, individual and social welfare. Our results show that (1) co-operation amongst users results in more efficient self-defense investments than those in a non-cooperative setting, under a full insurance coverage model and (2) partial insurance coverage motivates non-cooperative Internet users to invest more efficiently in self-defense mechanisms when compared to full insurance coverage.