Does Cyber-Insurance Benefit the Insured or the Attacker? - A Game of Cyber-Insurance

Cyber-insurance is an insurance policy that protects the insured from a variety of cybersecurity incidents such as cyber-attacks, ransomware, and data breaches. The rapid expansion of cyber-insurance in recent years hints the strong demand for cyber-insurance and its benefits. However, the impacts of cyber-insurance practice on cybersecurity enhancement and cyber-attackers are largely unknown. In this paper we study the optimal cybersecurity investment and cyber-insurance decision-making systematically with special attention paid to the effects of the attacker's strategies. The economic modeling analysis and simulation study suggest that although cyber-insurance may be beneficial for the insured from a financial perspective, cyber-insurance practice may not be optimal from the societal cybersecurity perspective. Purchasing cyber-insurance decreases organizations' optimal cybersecurity investment and increases the attacker's expected payoffs. Therefore, the attacker has a motive to manipulate cyber-insurance by selective cyber-attacks on organizations up to a critical point, beyond which we discovered that imposing further threat will force organizations to invest more in cybersecurity. The attacker is capable of "playing god" by controlling the probabilities of initiating cyber-attacks and acts strategically to influence organizations' incentives to whether to purchase cyber-insurance to harvest benefits. This study of cyber-insurance' effects on attackers and their strategic manipulation of cyber-insurance provides insights for the future of the cyber-insurance market.