Designing cyber insurance policies: Mitigating moral hazard through security pre-screening

Abstract

Cyber-insurance has been studied as both a method for risk-transfer, as well as a potential incentive mechanism for improving the state of cyber-security. However, in the absence of regulated insurance markets or compulsory insurance, the introduction of insurance deteriorates network security. This is because by transferring part of their risk to the insurer, the insured agents can decrease their levels of effort. In this paper, we consider the design of insurance contracts by an (unregulated) profit-maximizing insurer, and allow for voluntary participation. We propose the use of pre-screening to offer premium discounts to higher effort agents. We show that such premium discrimination not only helps the insurer attain higher profits, but also leads the agents to improve their efforts. We show that with interdependent agents, the incentivized improvement in efforts can compensate for the effort reduction resulting from risk transfer, thus improving the state of network security over the no-insurance scenario. In other words, the availability of pre-screening signals benefits both the insurer, as well as the state of network security, without the need to regulate the market or compulsory participation.