The Economics of Cybersecurity: Drawing Inspiration from Insurance to Fight Against Market Biases [by Maxime ALAY-EDDINE, Cyberwatch SAS

« Sony Employees Reduced To Pen And Paper After Network Hack Linked To North Korea ». This dreadful headline in the International Business Times of 4 december 2014[1] woke us up to the importance of digital technology in our professional lives. Information systems have become essential assets for every organisation and therefore need to be protected. This need has given rise to a distinct industry: IT security, or cybersecurity. Cybersecurity is concerned with ensuring that an organisation’s hardware and software resources are only used within the intended framework[2].

Although 2014 was marked by media coverage of major cyber attacks, it is clear that most companies are still not protected: according to Symantec, nearly 76% of websites have at least one IT vulnerability allowing a hacker to attack it[3]. While information systems play a major role in our lives, they still have extremely little protection.

This begs the question of what economic biases in this industry are leaving too many agents unprotected despite the many services on the market.

This paper offers an answer to this question and presents the options available to economic players to encourage purchasers to adopt their services and thus restore equilibrium to the market.

First, the paper examines the similarities between the cybersecurity and insurance industries and presents a set of specific actions inspired by the latter.

I. The cybersecurity market is subject to an information asymmetry that drives agents to remain unprotected and results in a principal–agent problem resembling that of insurance companies

A. The immaterial nature of cybersecurity and the level of technical skills required create an asymmetry in the market that drives agents to take risks

Agents weigh all security-related economic decisions on the basis of concrete matters for which they calculate, for example, the likelihood of a hazard occurring, but also on the basis of far less rational psychological considerations. Indeed, an agent may feel protected without really being protected, and vice versa. This bias is studied in behavioural economics, which models the impact of emotions, social relationships and brain function on economic decisions. In security, these studies also take into account matters of psychology involved in decision-making and risk perception. The studies reveal certain irrational human behaviour[4].

When an agent has a choice between losing €500 for certain by investing in a security solution or having a one-in-two chance of losing €1,000 in the course of a cyber attack, the agent will tend to take the greater risk. This « loss aversion » phenomenon is explained in prospect theory[5], which reveals that when there is a risky choice leading to losses, agents prefer to take risks. The second bias is the availability bias in estimating the likelihood of an event: a phenomenon that is easy for the human brain to represent and memorise (and is thus more mentally available) is favoured over events that are harder to conceptualise[6]. The extremely technical and conceptual vocabulary in a completely immaterial industry like cybersecurity leads economic agents to take additional risks, as they will prefer to save their budget (very concrete) rather than protect their information system (very abstract).

It can be deduced, then, that the agents who are most inclined to protect themselves are cybersecurity experts, but also those who have already suffered an attack and therefore are capable of better apprehending the consequences of such an event.

B. The asymmetry of the cybersecurity market creates a principal–agent situation identical to that in the insurance industry

Modelling of the cybersecurity market reveals that it is subject to the same biases as the insurance market. Indeed, while agents are interested in cybersecurity prevention solutions, their prices are set based on the maximum amount a client is prepared to pay to benefit from protection even before being attacked. Therefore, while it is necessary to have already been attacked to measure the importance of being protected, this creates the so-called « adverse selection » phenomenon, in which agents who are more inclined to purchase this type of solution are those whose information systems are in worse shape. In this context, a preventive protection system will surely be less effective, and also risks covering only a portion of the threats to the system. The client will then most likely be the victim of a new attack, and will maintain a costly and adversarial relationship with its provider. Therefore, the profits of a provider with consistent prices will decrease in proportion to its number of « bad » clients.

On the other hand, there is also a signal problem concerning cybersecurity providers, particularly in advising and auditing: the level of technical skill required of cybersecurity experts is high enough that the average client is unable to verify their work. Worse yet, the market is besieged by providers with poor technical expertise who are offering services at knockdown prices particularly sought by clients[7]: a bad consultant is a provider who will not identify security flaws. The audited company may then declare that the auditing tasks it delegates do not reveal any problems with its information system, and thus more easily obtain certifications such as ISO 27001. This mechanism is wholly accepted by the market, and even encouraged by less scrupulous clients.

It should be noted that the main cybersecurity clients are also the ones facing the most problems, and there is a particular interest for them in maintaining an information asymmetry to obtain, in spite of everything, all the accreditations and certifications necessary to their activities. This phenomenon is very similar to the one in automobile insurance, in which bad drivers seek to conceal their accidents to keep their discounts.

II. Given the similarities between the industries, cybersecurity should work in synergy with insurance and draw inspiration from its business approaches to achieve market saturation

A. Cybersecurity may be easily integrated into insurance services as an economic instrument to reduce technical risk

The insurance trade consists of providing, in exchange for a premium, a pre-defined service that is generally financial in nature to an individual or organisation when a risk occurs[8]. When a risk occurs, it is called hazard; when a risk causes damage, it is called loss. Insurance products are designed to pool risk among all insured parties and ensure that the sum of the premiums received by the insurance company exceeds the sum of the damages paid as compensation to insured parties following losses. This approach allows insurance companies to offer sliding-scale premiums in amounts that are low enough that insured parties agree to pay them and increase their collective wellbeing. However, the amount of the insurance premiums is directly linked to the financial cost of the risk of the insured parties. If too many losses occur at a given time, the insurer will increase all premiums to cover its costs and divide them among its clients.

While there is cyber risk insurance that allows clients to better manage this risk from a financial point of view, cybersecurity services focus on better managing this risk from a technical point of view. Consequently, a client having invested in cybersecurity solutions will benefit from a better level of protection, and will particularly reduce its risk of loss following a cyber attack on its information system. Economic agents have grasped these challenges well, and more and more alliances are forming between insurance and cybersecurity companies[9]. This approach counteracts the economic biases examined above, inasmuch as insurance products are already very widespread among the general public. This makes it much easier to sell cybersecurity services by including them in an « Insurance + Cybersecurity Solution » package. This should ultimately lead to a virtuous cycle in which the market will be better equipped with cybersecurity solutions, thereby reducing the overall level of risk and gradually bringing down the costs of insurance premiums and technical solutions.

B. At the same time, cybersecurity providers should assert their autonomy and draw inspiration from the strategies used by insurance companies to saturate the market

Despite the parallels between cybersecurity solutions and insurance products, some non-negligible differences from an economic point of view should not be put aside. Indeed, the ultra-connectedness of different digital economic agents creates a major technical risk each time a new threat appears on the Internet. To illustrate this, let us consider a set of 100 car drivers who have taken out insurance. In the event of hazard in the form of a road accident between two users, only a tiny fraction of the insured parties will be victims of a loss, since only two drivers are to be compensated. In the digital world, the appearance of a threat may be considered to be a hazard, in that it is an external event beyond our control and occurring at an unexpected time. But when this threat affects a network, a large portion of it is likely to be infected. The loss could easily affect 50% of 100 insured companies, or even all of them! The insurance model therefore cannot be applied to the digital world, as each new threat entails a risk of bankruptcy. Insurance and cybersecurity must therefore be regarded as two different products.

Nevertheless, this interconnectedness gives rise to the idea that cybersecurity is a common good: each party should take part in the effort to protect its digital assets as a matter of general interest. If the entire Internet were protected, it would be more difficult for hackers to achieve a certain level of financial profitability through their attacks, and if the number of compromised machines were to decrease, it would also be more complicated for hackers to perform operations with exponential effects, such as distributed denial of service (DDoS) attacks[10]. In this context, cybersecurity may achieve the same importance on the political level as road safety. Progressive generalisation of legislative measures intended to oblige all economic agents to be equipped with protection solutions may then be imagined. This approach is already being implemented among Operators of Vital Importance (OIVs) with the French Military Planning Law of 18 December 2013. Article 22 of this law specifies that OIVs must adopt concrete measures to strengthen the security of their information systems. The French National Information Systems Security Agency (ANSSI) is providing more and more guidelines intended for digital technology users, and has issued a call for projects to prepare a turnkey device to protect the systems of small and medium enterprises[11]. Therefore, the measures that are currently compulsory for OIVs are likely to be generalised to all French companies, and possibly to the general public. Thus, the approach to road safety will be directly transcribed to cyberspace

In conclusion, the cybersecurity and insurance industries are closely related, and it would be appropriate to bring them together, but not fuse them. While cybersecurity services are struggling to integrate into in the market, it must be remembered that it was just as difficult to launch the first insurance services, and that these services did not really achieve their steady level of profitability until the first legislative measures intended to make them compulsory were introduced[12]. It therefore seems necessary to apply the same economic strategy to the cybersecurity market and render it a highly regulated common good.

REFERENCES

[1] « Sony Employees Reduced To Pen And Paper After Network Hack Linked To North Korea », article of 04 December 2014, http://www.ibtimes.com/sony-employees-reduced-pen-paper-after-network-hack-linked-north-korea-1734746

[2] JF Pillou, Tout sur les systèmes d’information (All About Information Systems), Dunod 2006

[3] Symantec, Website Security Threat Report 2015, https://www.symantec-wss.com/uk/WSTR-2015-1/social/thanks#.VUaomK3tlHx

[4] Bruce Schneier, Schneier on Security, The Psychology of Security https://www.schneier.com/essays/archives/2008/01/the_psychology_of_se.html

[5] Daniel Kahneman, Amos Tversky, 1979, « Prospect Theory: An Analysis of Decision under Risk »

[6] Barry Glassner, The Culture of Fear: Why Americans are Afraid of the Wrong Things, Basic Books, 1999

[7] Testsdintrusion.com, a very well known site in the market, offers audits for a flat fee of €150, whereas the market usually demands €850 per day of intervention, with interventions lasting an average of 5 to 10 days.

[8] Assurland https://www.assurland.com/assurance-blog/glossaire-de-l-assurance/definitions-lettre-a.html

[9] News report on the alliance formed between CGI and the broker Verspieren http://www.argusdelassurance.com/produits-services/verspieren-renforce-son-offre-cyber-avec-le-specialiste-informatique-cgi.89755

[10] « Protection contre les attaques par déni de service distribué DDoS » (DDoS Protection) http://www.verisigninc.com/fr_FR/network-availability-security/ddos-protection/what-is-a-ddos-attack/index.xhtml

[11] Investments for the Future Programme (PIA), Cœur de Filière numérique (Heart of the Digital Industry), Sécurité numérique n°2 (Digital Security No. 2)

[12] With, for example, the Law of 13 July 1930 on insurance for land vehicles, from which the French Insurance Code gradually arose