{"title":"To insure or not to insure: How attackers exploit cyber-insurance via game theory","authors":"Zhen Li , Qi Liao","doi":"10.1016/j.cose.2025.104585","DOIUrl":null,"url":null,"abstract":"Cyber-insurance provides organizations with financial protection against losses from cyber incidents. As its adoption grows, organizations face the challenge of balancing investments in cybersecurity defense measures with the acquisition of cyber-insurance. This convergence presents opportunities but also introduces risks. The effects of cyber-insurance on the interplay between cybersecurity investment and attacker strategies remain poorly understood. In this paper, we systematically analyze an organization’s decision-making process regarding optimal cybersecurity investment and cyber-insurance, with a particular focus on the strategic behavior of attackers. Using economic and game-theoretic models, supported by simulation studies, our findings reveal that while cyber-insurance can mitigate financial losses, it may inadvertently weaken overall cybersecurity defenses. Furthermore, we demonstrate that cyber-attacks are not random events but calculated actions influenced by the attacker’s understanding of the organization’s insurance and defense posture. Attackers can exploit cyber-insurance by strategically launching targeted attacks to manipulate an organization’s reliance on insurance and disrupt its investment equilibrium. This manipulation can persist up to a critical threshold, beyond which escalating threats prompt organizations to strengthen their defenses. In this way, attackers effectively “play God,” strategically shaping an organization’s insurance and cybersecurity portfolio. To counter these risks, we propose actionable recommendations to prevent attackers from exploiting the cyber-insurance market, ensuring a more resilient and secure cybersecurity ecosystem.","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104585"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002743","RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
Cyber-insurance provides organizations with financial protection against losses from cyber incidents. As its adoption grows, organizations face the challenge of balancing investments in cybersecurity defense measures with the acquisition of cyber-insurance. This convergence presents opportunities but also introduces risks. The effects of cyber-insurance on the interplay between cybersecurity investment and attacker strategies remain poorly understood. In this paper, we systematically analyze an organization’s decision-making process regarding optimal cybersecurity investment and cyber-insurance, with a particular focus on the strategic behavior of attackers. Using economic and game-theoretic models, supported by simulation studies, our findings reveal that while cyber-insurance can mitigate financial losses, it may inadvertently weaken overall cybersecurity defenses. Furthermore, we demonstrate that cyber-attacks are not random events but calculated actions influenced by the attacker’s understanding of the organization’s insurance and defense posture. Attackers can exploit cyber-insurance by strategically launching targeted attacks to manipulate an organization’s reliance on insurance and disrupt its investment equilibrium. This manipulation can persist up to a critical threshold, beyond which escalating threats prompt organizations to strengthen their defenses. In this way, attackers effectively “play God,” strategically shaping an organization’s insurance and cybersecurity portfolio. To counter these risks, we propose actionable recommendations to prevent attackers from exploiting the cyber-insurance market, ensuring a more resilient and secure cybersecurity ecosystem.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.