# Optimal Investment in Cyber-Security under Cyber Insurance for a Multi-Branch Firm


## Abstract


## 1. Introduction

- Risk avoidance
- Risk spreading
- Risk transfer
- Risk reduction
- Risk acceptance

- Risk mitigation
- Risk transfer

- purchase and deploy antivirus software;
- install firewalls inside the network;
- tighten access control policies;
- renew and update the ICT infrastructure; and
- organize training courses for employees to increase their awareness of cyber-security risks and encourage more cautious behavior.

- We provide a closed formula for the optimal investment in security under vulnerability correlation, extending the results presented in Mazzoccoli and Naldi (2019), where cyber-risk interdependence is not taken into account.
- We demonstrate that the optimal strategy may be not to invest in security at all but to rely on the protection provided by insurance alone, and we provide closed formulas to identify when such a no-investment strategy is the best one. This modifies the results obtained by Gordon and Loeb (2002) by showing that the no-investment strategy applies not only for low vulnerability values but also in the opposite case of high vulnerability values.
- We analyze the robustness of investment decisions when vulnerability and risk correlation are not accurately estimated.

## 2. Literature Review

## 3. Security Investments and Insurance: The Stand-Alone Firm

- the investment z in security;
- the vulnerability v, i.e., the probability of success of an attack when no investments are made; and
- the probability S that an attack is successful when the investment z is made.

- the investment z; and
- the insurance premium P.

- full liability;
- limited liability (with upper limit); and
- limited liability with deductibles (both lower and upper limit).

## 4. Security Investments and Insurance: The Multi-Branch Firm

- direct breach, due to a direct attack on the headquarters; and
- indirect breach, due to breaches taking place on branches.

## 5. Optimal Investment for the Headquarters

#### 5.1. Full Liability

- ${\widehat{z}}^{\left(\mathrm{full}\right)}$ is positive.
- ${\widehat{z}}^{\left(\mathrm{full}\right)}$ is a point of minimum for ${E}_{H}$.

- Low insurance premium
- Low potential loss
- Low probability of attack
- Low discount rate offered on the premium
- Low effectiveness of security investments
- Too high or too low vulnerability of the branches

#### 5.2. Limited Liability

#### 5.3. Limited Liability with Deductibles

## 6. Robustness of Security Investment Decisions

#### 6.1. Quasi-Elasticity under Full Liability

#### 6.2. Quasi-Elasticity under Limited Liability

#### 6.3. Quasi-Elasticity under Limited Liability with Deductibles

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## Appendix A. Optimal Investment of Headquarters under Full Liability

## Appendix B. Validity Conditions for the Investments of the Headquarters under Full Liability

- (a) ${\widehat{z}}^{\left(\mathrm{full}\right)}$ is positive.
- (b) ${\widehat{z}}^{\left(\mathrm{full}\right)}$ is a point of minimum for ${E}_{H}$.

- Low insurance premium
- Low potential loss
- Low probability of attack
- Low discount rate offered on the premium
- Low effectiveness of security investments
- Too high or too low vulnerability of the branches

## Appendix C. Optimal Investment of Headquarters under Limited Liability

## Appendix D. Validity Conditions for the Investments of the Headquarters under Limited Liability

## Appendix E. Optimal Investment of Headquarters under Deductibles

## Appendix F. Validity Conditions for the Investments of the Headquarters under Deductibles

## References

- Arnold, Roger. 2008. Economics, 8th ed. Mason: Thomson South-Western.
- Bandyopadhyay, Tridib, Vijay S. Mookerjee, and Ram C. Rao. 2009. Why IT managers don’t go for cyber-insurance products. Communications of the ACM 52: 68–73.
- Bolot, Jean, and Marc Lelarge. 2009. Cyber insurance as an incentive for internet security. In Managing Information Risk and the Economics of Security. Berlin: Springer, pp. 269–90.
- Bryce, Robert. 2001. Hack Insurer Adds Microsoft Surcharge. Available online: https://www.zdnet.com/article/hack-insurer-adds-microsoft-surcharge/ (accessed on 16 December 2020).
- Eling, Martin, and Jan Wirfs. 2019. What are the actual costs of cyber risk events? European Journal of Operational Research 272: 1109–19.
- Goovaerts, Marc, Rob Kaas, Jan Dhaene, and Michel Denuit. 2001. Modern Actuarial Risk Theory. Berlin: Springer.
- Gordon, Lawrence A., and Martin P. Loeb. 2002. The economics of information security investment. ACM Transactions on Information and System Security 5: 438–57.
- Gordon, Lawrence A., Martin P. Loeb, and Tashfeen Sohail. 2003. A framework for using insurance for cyber-risk management. Communications of the ACM 46: 81–85.
- Gordon, Lawrence A., Martin P. Loeb, and Lei Zhou. 2016. Investing in Cybersecurity: Insights from the Gordon-Loeb Model. Journal of Information Security 7: 49.
- Guijarro, Luis, Jose R. Vidal, Vicent Pla, and Maurizio Naldi. 2019. Economic analysis of a multi-sided platform for sensor-based services in the internet of things. Sensors 19: 373.
- Guo, Hong, Hsing Kenneth Cheng, and Ken Kelley. 2016. Impact of network structure on malware propagation: A growth curve perspective. Journal of Management Information Systems 33: 296–325.
- Kesan, Jay P., Rupterto P. Majuca, and William J. Yurcik. 2004. The Economic Case for Cyberinsurance. Technical Report 2. Champaign: University of Illinois College of Law.
- Khalili, Mohammad Mahdi, Parinaz Naghizadeh, and Mingyan Liu. 2017. Embracing risk dependency in designing cyber-insurance contracts. Paper presented at 2017 55th Annual Allerton Conference on Communication, Control, and Computing (Allerton), Monticello, IL, USA, October 3–6; pp. 926–33.
- Khalili, Mohammad Mahdi, Parinaz Naghizadeh, and Mingyan Liu. 2018. Designing cyber insurance policies: The role of pre-screening and security interdependence. IEEE Transactions on Information Forensics and Security 13: 2226–39.
- Kröger, Wolfgang. 2008. Critical infrastructures at risk: A need for a new conceptual approach and extended analytical tools. Reliability Engineering & System Safety 93: 1781–87.
- Krugman, Paul, and Robin Wells. 2009. The Rational Consumer. New York: Worth Publishers.
- Kshetri, Nir. 2020. The evolution of cyber-insurance industry and market: An institutional analysis. Telecommunications Policy 44: 102007.
- Levitin, Gregory, Liudong Xing, and Yuanshun Dai. 2018. Co-residence based data vulnerability vs. security in cloud computing system with random server assignment. European Journal of Operational Research 267: 676–86.
- Maglaras, Leandros A., Ki Hyung Kim, Helge Janicke, Mohamed Amine Ferrag, Stylianos Rallis, Pavlina Fragkou, Athanasios Maglaras, and Tiago J. Cruz. 2018. Cyber security of critical infrastructures. ICT Express 4: 42–45.
- Malekos Smith, Zhanna, and Eugenia Lostri. 2020. The Hidden Costs of Cybercrime. Technical Report. Santa Clara: McAfee.
- Marotta, Angelica, Fabio Martinelli, Stefano Nanni, Albina Orlando, and Artsiom Yautsiukhin. 2017. Cyber-insurance survey. Computer Science Review 24: 35–61.
- Mastroeni, Loretta, Alessandro Mazzoccoli, and Maurizio Naldi. 2019. Service level agreement violations in cloud storage: Insurance and compensation sustainability. Future Internet 11: 142.
- Mazzoccoli, Alessandro, and Maurizio Naldi. 2019. Robustness of optimal investment decisions in mixed insurance/investment cyber risk management. Risk Analysis 40: 550–64.
- Mazzoccoli, Alessandro, and Maurizio Naldi. 2020. The expected utility insurance premium principle with fourth-order statistics: Does it make a difference? Algorithms 13: 116.
- Meland, Per Hakon, Inger Anne Tondel, and Bjornar Solhaug. 2015. Mitigating risk with cyberinsurance. IEEE Security & Privacy 13: 38–43.
- Nagurney, Anna, and Shivani Shukla. 2017. Multifirm models of cybersecurity investment competition vs. cooperation and network vulnerability. European Journal of Operational Research 260: 588–600.
- Naldi, Maurizio, and Marta Flamini. 2017. Calibration of the Gordon-Loeb Models for the Probability of Security Breaches. Paper presented at 2017 UKSim-AMSS 19th International Conference on Computer Modelling & Simulation (UKSim), Cambridge, UK, April 5–7; pp. 135–40.
- Naldi, Maurizio, Marta Flamini, and Giuseppe D’Acquisto. 2018. Negligence and sanctions in information security investments in a cloud environment. Electronic Markets 28: 39–52.
- Naldi, Maurizio, and Alessandro Mazzoccoli. 2018. Computation of the insurance premium for cloud services based on fourth-order statistics. International Journal of Simulation: Systems, Science and Technology 19: 1–6.
- Naldi, Maurizio, Gaia Nicosia, Andrea Pacifici, and Ulrich Pferschy. 2019. Profit-fairness trade-off in project selection. Socio-Economic Planning Sciences 67: 133–46.
- Nievergelt, Yves. 1983. The concept of elasticity in economics. SIAM Review 25: 261–65.
- Ouyang, Min. 2017. A mathematical framework to optimize resilience of interdependent critical infrastructure systems under spatially localized attacks. European Journal of Operational Research 262: 1072–84.
- Pal, Ranjan, Leana Golubchik, Konstantinos Psounis, and Pan Hui. 2014. Will cyber-insurance improve network security? A market analysis. Paper presented at IEEE INFOCOM 2014—IEEE Conference on Computer Communications, Toronto, ON, Canada, April 27–May 2; pp. 235–43.
- Peterson, Kevin E. 2020. What is risk management? In The Professional Protection Officer. Amsterdam: Elsevier, pp. 367–72.
- Romanosky, Sasha, Lilian Ablon, Andreas Kuehn, and Therese Jones. 2017. Content analysis of cyber insurance policies: How do carriers write policies and price cyber risk? Journal of Cybersecurity 5: 1.
- Shetty, Nikhil, Galina Schwartz, Mark Felegyhazi, and Jean Walrand. 2010. Competitive cyber-insurance and internet security. In Economics of Information Security and Privacy. Berlin: Springer, pp. 229–47.
- Strupczewski, Grzegorz. 2018. Current state of the cyber insurance market. In Proceedings of Economics and Finance Conferences. Number 6910062. London: International Institute of Social and Economic Sciences.
- Toregas, Costis, and Nicolas Zahn. 2014. Insurance for Cyber Attacks: The Issue of Setting Premiums in Context. Technical Report GW-CSPRI-2014-1. Washington, DC: George Washington University.
- Vakilinia, Iman, and Shamik Sengupta. 2018. A coalitional cyber-insurance framework for a common platform. IEEE Transactions on Information Forensics and Security 14: 1526–38.
- Xu, Lu, Yanhui Li, and Jing Fu. 2019. Cybersecurity investment allocation for a multi-branch firm: Modeling and optimization. Mathematics 7: 587.
- Xu, Maochao, Kristin M. Schweitzer, Raymond M. Bateman, and Shouhuai Xu. 2018. Modeling and predicting cyber hacking breaches. IEEE Transactions on Information Forensics and Security 13: 2856–71.
- Yang, Zichao, and John C. S. Lui. 2014. Security adoption and influence of cyber-insurance markets in heterogeneous networks. Performance Evaluation 74: 1–17.
- Young, Derek, Juan Lopez, Mason Rice, Benjamin Ramsey, and Robert McTasney. 2016. A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection 14: 43–57.
- Zhao, Xia, Ling Xue, and Andrew B. Whinston. 2013. Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems 30: 123–52.

**Figure 7.** Impact of the intrinsic vulnerability on the optimal investment in security in the full liability case.

**Figure 11.** Impact of the intrinsic vulnerability on the optimal investment in the limited liability case.

**Figure 13.** Overall security expense of the headquarters in the limited liability with deductibles case.

**Figure 16.** Impact of the intrinsic vulnerability on the optimal investment in the limited liability with deductibles case.

**Figure 17.** Impact of the intrinsic vulnerability on the premium in the limited liability with deductibles case.

**Figure 18.** Impact of the intrinsic vulnerability on the residual loss in the limited liability with deductibles case.

**Investment effectiveness by firm size**

| Firm Size | $\alpha$ |
|---|---|
| Large | $2.7\times {10}^{-5}$ |
| Medium | $9.8\times {10}^{-5}$ |
| Small | $34.6\times {10}^{-5}$ |

**Headquarters Parameters**

| Parameter | Value |
|---|---|
| Expected loss $\lambda$ | ${10}^{7}$ |
| Attack probability $t$ | 0.9 |
| Investment effectiveness $\alpha$ | $2.7\times {10}^{-5}$ |
| Discount rate $r$ | 0.5 |
| Premium rate coefficient $k$ | $5\%$ |
| Limit coverage $T$ | $8\times {10}^{6}$ |
| Deductible $F$ | ${10}^{5}$ |

**Branch Parameters**

| Parameter | Value |
|---|---|
| Expected loss ${\lambda}_{i}$ | ${10}^{6}$ |
| Attack probability ${t}_{i}$ | 0.9 |
| Investment effectiveness ${\alpha}_{i}$ | $34.6\times {10}^{-5}$ |
| Discount rate $r$ | 0.5 |
| Premium rate coefficient $k$ | $5\%$ |
| Vulnerability ${v}_{i}$ | 0.65 |
| Limit coverage ${T}_{i}$ | $8\times {10}^{5}$ |
| Deductible ${F}_{i}$ | ${10}^{4}$ |
| Dependence coefficient ${\rho}_{i}$ | $0.25$ |


© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Mazzoccoli, A.; Naldi, M.
Optimal Investment in Cyber-Security under Cyber Insurance for a Multi-Branch Firm. *Risks* **2021**, *9*, 24.
https://doi.org/10.3390/risks9010024
