
Cyberinsurance: good for your company, bad for your country?


If you have a question about this talk, please contact Laurent Simon.

Abstract: ‘Cyberinsurance’ is a broad industry term for corporate liability insurance covering damages due to security breaches of a company's IT infrastructure. It is a booming market that raises significant expectations: both policy makers (e.g. the UK Paymaster General and the US Senate Committee on Security) and cyber experts (e.g. Bruce Schneier) have heralded it as a mechanism for efficiently valuing the cost of cyber attacks and as an effective substitute for government action. Whilst the effect of purchasing insurance on the behaviour of individuals or firms has been studied for more than four decades, the unique, adaptive characteristics of cyber attacks mean that past findings are not necessarily applicable.

In this talk I will illustrate a general economic model of heterogeneous firms making risk-averse decisions while facing losses from cyber attacks conducted by strategic adversaries in a Cournot competition. We demonstrate that whilst the presence of actuarially fair insurance increases the aggregate utility of target firms, the presence of insurance does not necessarily increase security expenditures with respect to those mandated by a benevolent social planner. Furthermore, we show that when insurance is provided by a monopolist insurer mandating firms' security expenditure (as has been proposed), the aggregate security expenditure is predicted to fall dramatically (and the number of attackers to increase). In other words, delegating to cyberinsurers the policy maker's role of regulating security expenditures might yield a digital tragedy of the commons.

Joint work with Julian Williams (Durham) and Joe Swierzbinski (Aberdeen).

Bio: Fabio Massacci is a professor at the University of Trento (IT). He received his Ph.D. in Computing from the University of Rome La Sapienza in 1998. In his career he has visited Cambridge (UK), Toulouse (FR) and Siena (IT). He has published [105,111,197,203,308] articles in peer-reviewed journals and conferences and his h-index is [14,22,36], depending on your favourite bibliographic database. In 2015 he received the IEEE Requirements Engineering ‘10 years most influential paper award’ for his research on security requirements engineering. He was the European Coordinator of the project SECONOMICS on socio-economic aspects of security (see our paper with UK National Grid in the May '16 issue of IEEE Security & Privacy). Part of the ideas behind this research have also been incorporated into the Common Vulnerability Scoring System (CVSS) v3, released in June 2015. He is now working on empirical methods for security and vulnerability risk assessment (e.g. are all these cyber security standards actually useful?).


This talk is part of the Computer Laboratory Security Seminar series.

