Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Security Risks

Fabio Massacci, Joseph Swierzbinski, Julian Williams

Research output: Contribution to conference › Unpublished paper › peer-review


Corporate insurance contracts providing liability coverage in the event of an information security breach are increasingly popular. In addition to the obvious use of ‘Cyberinsurance’ as a risk mitigation tool, a public policy narrative has emerged whereby insurance companies act as a clearing house for information and then provide guidance on appropriate security investment to firms seeking liability coverage. Utilizing few assumptions, our modeling framework demonstrates that this view of cyberinsurance as a delegated policy tool is unlikely to yield the anticipated coordination benefits, and may in fact erode the aggregate level of security investment undertaken by targets.

Original language: English
Number of pages: 38
Publication status: Published - 29 May 2017
Event: 16th Annual Workshop on the Economics of Information Security: WEIS 2017 - Rady School of Management, UC San Diego, La Jolla, United States
Duration: 25 Jun 2017 → 27 Jun 2017


Conference: 16th Annual Workshop on the Economics of Information Security
Country/Territory: United States
City: La Jolla

Bibliographical note

The authors would like to thank Luca Allodi from the University of Trento, Vadim Kotov from Bromium, and the members of the Computer Laboratory in Cambridge (in particular Ross Anderson, Richard Clayton, Daniel Thomas, and Sultan Kus) for very useful discussions and insights on hackers’ technology and markets. We would like also to thank the participants to the Lorentz’ Adversarial Risk Analysis seminar (in particular Milind Tambe, Wolter Pieters, Vivian Jacobs, David Banks, Dieter Gollmann, Andr Hoogstrate, and Christian Probst) for useful discussions on the use of game theory techniques for security, Angela Sasse and her group at UCL, Alex Ashby from Oxford, Christos Ioannidis from the University of Bath, and the seminar participants at the University of Durham (in particular Parantap Basu, Abderrahim Taamouti, Hugo Kruiniger, Leslie Reinhorn, Xiaogang Che, and Damian Damianov) for useful comments. Any remaining mistakes are the sole responsibilities of the authors.


  • Insurance
  • Cyber-Security
  • Public Economics
  • Optimal Investment Allocations

