Post-Incident Audits on Cyber Insurance Discounts
Autor: | Emmanouil Panaousis, Andrew Fielder, Aron Laszka, Sakshyam Panda, Daniel Woods |
---|---|
Rok vydání: | 2019 |
Předmět: |
QA75
FOS: Computer and information sciences Computer Science - Cryptography and Security General Computer Science 02 engineering and technology Audit Security policy Bayesian game Complete information 0202 electrical engineering electronic engineering information engineering Cyber-Insurance Post-incident audit Cyber insurance Game theory Actuarial science 020206 networking & telecommunications Incentive Economics of security Security 020201 artificial intelligence & image processing Business Premium discount Law Cryptography and Security (cs.CR) Underwriting |
Zdroj: | Computers & Security |
ISSN: | 0167-4048 |
DOI: | 10.48550/arxiv.1908.04867 |
Popis: | We introduce a game-theoretic model to investigate the strategic interaction between a cyber insurance policyholderwhose premium depends on her self-reported security level and an insurer with the power to audit the security levelupon receiving an indemnity claim. Audits can reveal fraudulent (or simply careless) policyholders not following reportedsecurity procedures, in which case the insurer can refuse to indemnify the policyholder. However, the insurer has to bear an audit cost even when the policyholders have followed the prescribed security procedures. As audits can be expensive, a key problem insurers face is to devise an auditing strategy to deter policyholders from misrepresenting their security levels to gain a premium discount. This decision-making problem was motivated by conducting interviews with underwriters andreviewing regulatory filings in the US; we discovered that premiums are determined by security posture, yet this is often self-reported and insurers are concerned by whether security procedures are practised as reported by the policyholders. To address this problem, we model this interaction as a Bayesian game of incomplete information and devise optimal auditing strategies for the insurers considering the possibility that the policyholder may misrepresent her security level.To the best of our knowledge, this work is the first theoretical consideration of post-incident claims management in cybersecurity. Our model captures the trade-off between the incentive to exaggerate security posture during the application process and the possibility of punishment for non-compliance with reported security policies. Simulations demonstrate that common sense techniques are not as efficient at providing effective cyber insurance audit decisions as the ones computed using game theory. |
Databáze: | OpenAIRE |
Externí odkaz: |