University of Surrey

Test tubes in the lab Research in the ATI Dance Research

Post-incident audits on cyber insurance discounts

Panda, Sakshyam, Woods, Daniel W, Laszka, Aron, Fielder, Andrew and Panaousis, Emmanouil (2019) Post-incident audits on cyber insurance discounts Computers & Security, 87, 101593. pp. 1-10.

Full text not available from this repository.

Abstract

We introduce a game-theoretic model to investigate the strategic interaction between a cyber insurance policyholder whose premium depends on her self-reported security level and an insurer with the power to audit the security level upon receiving an indemnity claim. Audits can reveal fraudulent (or simply careless) policyholders not following reported security procedures, in which case the insurer can refuse to indemnify the policyholder. However, the insurer has to bear an audit cost even when the policyholders have followed the prescribed security procedures. As audits can be expensive, a key problem insurers face is to devise an auditing strategy to deter policyholders from misrepresenting their security levels to gain a premium discount. This decision-making problem was motivated by conducting interviews with underwriters and reviewing regulatory filings in the US; we discovered that premiums are determined by security posture, yet this is often self-reported and insurers are concerned by whether security procedures are practised as reported by the policyholders.

To address this problem, we model this interaction as a Bayesian game of incomplete information and devise optimal auditing strategies for the insurers considering the possibility that the policyholder may misrepresent her security level. To the best of our knowledge, this work is the first theoretical consideration of post-incident claims management in cyber security. Our model captures the trade-off between the incentive to exaggerate security posture during the application process and the possibility of punishment for non-compliance with reported security policies. Simulations demonstrate that common sense techniques are not as efficient at providing effective cyber insurance audit decisions as the ones computed using game theory.

Item Type: Article
Divisions : Faculty of Engineering and Physical Sciences > Computer Science
Authors :
NameEmailORCID
Panda, Sakshyams.panda@surrey.ac.uk
Woods, Daniel W
Laszka, Aron
Fielder, Andrew
Panaousis, Emmanouile.panaousis@surrey.ac.uk
Date : November 2019
Funders : European Union's Horizon 2020
DOI : 10.1016/j.cose.2019.101593
Grant Title : Marie Skłodowska-Curie SECONDO grant agreement
Copyright Disclaimer : © 2019. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/
Uncontrolled Keywords : Game theory; Cyber insurance; Economics of security; Premium discount; Post-incident audit; Security
Depositing User : Clive Harris
Date Deposited : 29 Aug 2019 12:31
Last Modified : 29 Aug 2019 12:31
URI: http://epubs.surrey.ac.uk/id/eprint/852503

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year


Information about this web site

© The University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom.
+44 (0)1483 300800