1. Introduction
Advancements in computer information systems have increased the complexity of today’s cybersecurity environment, heightening the vulnerability of critical infrastructures to cyber attacks, while threat actors are deploying an increasingly broad range of intelligence-gathering techniques (He et al., Reference He, Jin and Li2024). The risk exposure and financial consequences of cyber attacks on organizations are illustrated by a wide range of examples. For instance, the SolarWinds hack compromised multiple government systems along with many Fortune 500 companies globally (Oladimeji and Kerner, Reference Oladimeji and Kerner2023). The CryptoLocker ransomware attack caused an estimated loss of $3 million (Kelion, Reference Kelion2013), and the 2016 Dyn cyber attack resulted in the disruption of major internet platforms and services for large swathes of users in Europe and North America (Hilton, Reference Hilton2016). More recently, the Marriott breach exposed personal details of approximately 5.2 million hotel guests (Uberti, Reference Uberti2020), while the Twitter breach led to fraudulent tweets about Bitcoin, generating over
$\$100,000$
worth of Bitcoin deposits (Satter, Reference Satter2023).
Each instance of a data breach or system failure that leads to substantial financial or reputational damage heightens awareness among decision-makers of the inadequacies of current policies in addressing cyber risks. The significant economic and societal implications of cyber risk are well-recognized (e.g., see Biener et al., Reference Biener, Eling and Wirfs2015; Cartagena et al., Reference Cartagena, Gosrani, Grewal and Pikinska2020), emphasizing the need for robust risk management solutions (e.g., see Eling & Jung, Reference Eling and Jung2018; Da et al., Reference Da, Xu and Zhao2021; Liu et al., Reference Liu, Li and Daly2022; Braun et al., Reference Braun, Eling and Jaenicke2023). To address the risk exposure and financial implications of cyber attacks, organizations must invest in and maintain up-to-date security controls. These are essential for patching asset vulnerabilities, helping to minimize the expected present value (PV) of an attack’s impact by reducing an asset’s attack surface or increasing the effort required to breach the asset. However, delivering reliable and robust security for organizations is a capital-intensive process that typically requires a combination of various mitigation measures, and budget constraints often render this strategy economically infeasible. Therefore, to further mitigate cyber risk and improve network resiliency, organizations resort to cyber insurance (Kesan et al., Reference Kesan, Majuca and Yurcik2005; Böhme & Schwartz, Reference Böhme and Schwartz2010; Shetty et al., Reference Shetty, Schwartz, Felegyhazi, Walrand, Moore, Pym and Ioannidis2010; Pal et al., Reference Pal, Golubchik, Psounis and Hui2014; Biener et al., Reference Biener, Eling and Wirfs2015). They then face a dual challenge in improving their cybersecurity posture: gauging the financial impact of cyber breaches and determining the optimal allocation of capital across defence methods and insurance.
Overcoming these challenges requires novel techniques that combine risk assessment and optimization methods accounting for critical aspects of the attack itself, relevant underlying uncertainties, and strategic interaction between the insurer and the insureds. Key uncertainties associated with an attack include the time required to exploit a vulnerability and the extent of the associated financial impact on the targeted organization. Both the exploitation time and the impact of an attack are likely to vary randomly, as they depend not only on the skills of the attacker but also on the organization’s level of cyber preparedness and response (Fielder et al., Reference Fielder, Panaousis, Malacaria, Hankin and Smeraldi2016). For example, Advanced Persistent Threats (APTs) are origins of considerable cyber risk for organizations (Daly, Reference Daly2009) that typically breach their targets in phases by exploiting a series of system-, network-, or even user-oriented vulnerabilities (Nisioti et al., Reference Nisioti, Loukas, Rass and Panaousis2021; Ahmed et al., Reference Ahmed, Panda, Xenakis and Panaousis2022). The FireEye M-Trends 2020 Special report found that the mean dwell time for 2019 in the USA was 60 days, and in EMEA and APAC, 54 days.Footnote 1
An in-depth cyber risk assessment enables a more accurate evaluation of an organization’s security posture, helping to prevent potential denial of cyber insurance claims (Panda et al., Reference Panda, Woods, Laszka, Fielder and Panaousis2019) and cycles of under- or over-investment that elevate the regulatory risk of corrective policy actions, thus supporting efficient asset-liability management (Kamiya et al., Reference Kamiya, Kang, Kim, Milidonis and Stulz2021; Eling & Jung, Reference Eling and Jung2018). To this end, in this paper, we develop a decision-support framework for optimal cybersecurity investment. This incorporates the serial nature of a cybersecurity breach, the uncertainty in the time required to exploit a vulnerability, and the strategic interaction between the organization/defender and the insurer, who, due to possible information asymmetry, may exhibit different attitudes toward risk.
The remainder of the paper is organized as follows. Section 2 reviews the related literature on cybersecurity investment, cyber insurance, and information asymmetry, and positions our contribution within these strands. Section 3 introduces the model framework, outlining the assumptions and notation. We then examine the firm’s optimization problem in the absence of cyber insurance, extend the analysis to allow for the interaction between the defender and the insurer, and derive the optimal insurance policy design for the insurer. Section 4 presents our numerical analysis, which explores equilibrium budget allocation, insurance coverage, and expected losses under varying attack frequencies, system upgrade effectiveness, and likely information asymmetry. Section 5 concludes the paper by summarizing the main findings and discussing implications for cyber insurance design, along with directions for future research.
2. Related work and advancements
Cyber insurance plays a critical role in an organization’s portfolio of mitigation measures, making the interactions between insurers and insureds a key component of a cybersecurity investment strategy. However, this aspect is often overlooked in the cybersecurity economics literature, which primarily focuses on selecting controls to mitigate system vulnerabilities. For example, models for the optimal selection of cybersecurity controls include Smeraldi and Malacaria (Reference Smeraldi and Malacaria2014), who explore how to spend a security budget optimally by employing methods that address overlapping controls that exhibit nonlinear relationships, such as optimization algorithms, combinatorial optimization, and the classical Knapsack problem. Fielder et al. (Reference Fielder, Panaousis, Malacaria, Hankin and Smeraldi2016) propose a methodology for investing in such controls, considering a single value for a vulnerability and several implementation levels for each control. The latter align with the information security levels introduced in the seminal work of Gordon and Loeb (Reference Gordon and Loeb2002).
Building on prior work by Almohri et al. (Reference Almohri, Watson, Yao and Ou2016), Khouzani et al. (Reference Khouzani, Liu and Malacaria2019) develop a game-theoretic framework for analyzing defender-attacker interactions. In this framework, the defender chooses a plan to minimize security risk, while the attacker aims to maximize it by exploiting the most effective attack path. This is modeled as a min–max optimization problem, where the attacker maximizes and the defender minimizes in response to the attacker’s action. Additionally, Zheng et al. (Reference Zheng, Albert, Luedtke and Towle2019) cast the problem of optimal control selection as a set covering problem. They first solve a deterministic version to examine incentives for mitigating supply chain vulnerabilities and later introduce constraints and uncertainties in control efficacy. Expanding on Fielder et al. (Reference Fielder, Panaousis, Malacaria, Hankin and Smeraldi2016), Panda et al. (Reference Panda, Panaousis, Loukas, Laoudias, Di Pierro, Malacaria and Nagarajan2020) propose an optimal control set for protecting healthcare employee groups from social engineering attacks. However, a limitation of these optimization models is their failure to account for the serial nature of an attack and critical uncertainties, such as the exploitation time of a vulnerability and the associated costs once it is compromised. As a result, these models often overlook the financial implications of such uncertainties on an organization’s assets.
Game-theoretic models that analyze interactions between insurers and insureds include Grossklags et al. (Reference Grossklags, Christin and Chuang2008), Laszka et al. (Reference Laszka, Panaousis, Grossklags, Bushnell, Poovendran and Başar2018), and Wang (Reference Wang2019). Specifically, Laszka et al. (Reference Laszka, Panaousis, Grossklags, Bushnell, Poovendran and Başar2018) employ a two-player signaling game to address information asymmetry between a potential client and an insurer, studying incentives for auditing clients before calculating cyber insurance premiums. In the same line of work, Wang (Reference Wang2019) examines the optimization of a firm’s cybersecurity investment decision, whereby a firm must determine how much to invest in both knowledge and expertise, as well as in mitigation measures. The findings indicate that the effectiveness of security spending on specific threats may be diminished if other interdependent security measures are not simultaneously implemented. Insights on how cyber insurance may contribute to risk-reduction training are also provided; however, cyber insurance is not directly integrated into the problem of optimal capital allocation. Similarly, Chong et al. (Reference Chong, Feng, Hu and Zhang2025) emphasize the importance of conducting comprehensive cost–benefit analyses for budget-constrained firms that must make informed capital allocation decisions to achieve a balanced cyber risk management strategy, effectively integrating cybersecurity investment, insurance coverage, and reserving.
Further complicating the strategic interaction between insurers and insureds is information asymmetry, whereby the two parties do not have access to the same information. Within the context of cyber security and cyber insurance, the insurer may lack information regarding the applications and software products installed by network users, as well as regarding the users’ network usage habits (Moore, Reference Moore2010; Böhme, Reference Böhme2010; Pal et al., Reference Pal, Golubchik, Psounis and Hui2014). There are many obstacles for an insurer in obtaining reliable information about the risk exposure of an insured, and even more obstacles in ensuring that this exposure is maintained at the specified level throughout the policy period. For instance, Pal (Reference Pal2012) addresses information asymmetry in cyber insurance by analyzing three distinct scenarios: mutual ignorance, where neither the insured nor the insurer has information about the insured’s cybersecurity investment level; post-contract information acquisition, in which the insurer lacks initial information but the insured gains it after signing the contract; and pre-contract information acquisition, where the insurer remains uninformed while the insured obtains relevant details before entering the contract. In our paper, we explore a critical understudied type of information asymmetry in cyber insurance: the insured has no way of knowing how risk-averse the insurer actually is. This can create a mismatch between what the defender believes about the insurer’s risk attitude and the insurer’s true level of risk aversion.
While the aforementioned literature considers risk mitigation through both cybersecurity measures and cyber insurance, the insurer’s decision-making, which in turn influences a company’s optimal cybersecurity investment, is often overlooked. This gap is addressed by Zhang and Zhu (Reference Zhang and Zhu2022), who develop a Markov model to capture the cyber risk dynamics and defender decisions regarding mitigation measures, including both controls and cyber insurance. In this framework, defenders receive financial compensation from insurers for losses caused by cyber attacks in exchange for premiums. The defenders’ objective is to deploy an optimal combination of controls and cyber insurance to minimize losses, favoring contracts with low premiums and high coverage. Conversely, insurers tend to offer contracts with high premiums and low coverage to maximize profits. Similar to traditional insurance, insurers lack knowledge of local protections implemented by defenders, which can result in inappropriate insurance contracts that significantly harm insurers’ profitability.
Our work builds upon three key strands of literature: first, the valuation of serial projects to assess security breach risks progressing in phases (Tsiodra et al., Reference Tsiodra, Panda, Chronopoulos and Panaousis2023); second, the modeling of the optimal level of resources for securing information (Gordon & Loeb, Reference Gordon and Loeb2002); and third, the strategic interactions between a defender and an insurer, as explored by Zhang and Zhu (Reference Zhang and Zhu2022). Our contribution is thus threefold. First, we extend the traditional discounted cash flow approach by accounting for key uncertainties and the impact of security upgrades on the likelihood of successful attacks. In doing so, we enhance the framework’s applicability not only for investment decision-making but also for risk assessment and management in a cybersecurity context. Second, we develop a bi-level model that captures the strategic interactions between the defender and the insurer. This allows the insureds’ decision-making to depend on the insurers’ choices, and vice versa, reflecting the interdependent nature of their strategies. Third, by analyzing the trade-off involved in allocating a finite budget between controls and cyber insurance, we derive endogenous strategies for both parties.
Our findings indicate that the insurance company tends to offer higher coverage when it receives a larger premium. However, this tendency also depends on the effectiveness of system upgrades. For instance, if a small investment in system upgrades significantly reduces claim frequency, the insurer might be willing to provide high coverage even with a lower premium. Conversely, when the projected frequency of cyber attacks is high, the insurer is inclined to offer lower coverage. In such cases, the defender may find it more advantageous to allocate more capital to system upgrades rather than to insurance. Interestingly, the effectiveness of system upgrades can have a non-monotonic influence on the equilibrium budget allocation strategy and insurance contract design, i.e., greater system upgrade effectiveness does not necessarily imply that the firm should allocate more resources toward them.
3. Model framework
3.1 Preliminaries
Let the defender’s infrastructure consist of
$n\in \mathbb{N}$
systems and networks, referred to as assets, that can be compromised by potential hackers (attackers). Each asset
$i\in \mathbb{N}$
has
$m_i\in \mathbb{N}$
vulnerabilities, that is, software weaknesses (see https://cwe.mitre.org/index.html) that the attacker may exploit. This reflects real-world attacker behavior, where adversaries aim to penetrate as deeply into a network as possible to maximize their expected return from an attack.
These strategic interactions are modeled as a sequence of attack phases, where phase
$i$
of an attack refers to the stage in which the attacker aims to compromise asset
$i$
by exploiting any of its
$m_i$
vulnerabilities, as illustrated in Figure 1. In each phase, the attacker can compromise at most one asset, with successful exploitation potentially leading to privilege escalation or lateral movement within the defender’s infrastructure (Niakanlahiji et al., Reference Niakanlahiji, Wei, Alam, Wang and Chu2020).
The expected impact on the defender from the exploitation of asset
$i$
is denoted by
$L_{i}$
. Following standard risk assessment principles Whitman and Mattord (Reference Whitman and Mattord2011),
$L_{i}$
is expressed in terms of attack likelihood, compromise probability, and loss magnitude. Specifically,
\begin{equation} L_{i}=A_{i}\cdot \langle R_{i},S_{i}\rangle , \end{equation}
where
$A_{i}$
denotes the value of asset
$i$
,
$R_{i}$
is an
$m_i$
-dimensional vector of likelihoods that the attacker attempts to exploit the
$m_{i}$
vulnerabilities of asset
$i$
, and
$S_{i}$
is an
$m_i$
-dimensional vector of probabilities that each vulnerability is successfully breached. The inner product
$\langle R_{i},S_{i}\rangle$
thus represents the overall likelihood of a successful attack against asset
$i$
.
The defender has the option of distributing budget
$K$
between enhancing the system and purchasing cyber insurance at time
$0$
. More specifically, the defender invests
$wK$
, for
$w\in [0,1]$
, in a system upgrade and
$(1-w)K$
in cyber insurance. The former aims to decrease the likelihood of cyber attacks, while the latter offers coverage for a fraction
$c\in [0,1]$
of future losses stemming from such attacks, where
$c$
is determined endogenously by the insurer (see Section 3.2). The time at which the loss,
$L_i$
, of the
$i$
th attack is incurred is
\begin{equation} T^w_i=\sum _{j=1}^{i}\tau ^w_j, \end{equation}
where
$\tau ^w_j$
is the
$j$
th random inter-attack duration with probability distribution generally denoted by
$G(\!\cdot \!)$
(identical for all
$j$
).
Sequential security breach.
The insurer determines the coverage level,
$c^*(w)$
, based on the capital
$(1-w)K$
, the defender invests in insurance. Given the specifics of the insurance contract, the defender sets optimally the equilibrium budget allocation strategy,
$\widetilde {w}$
, with corresponding equilibrium coverage level
\begin{equation*} \widetilde {c}=c^{\ast }\left ( \widetilde {w}\right ) . \end{equation*}
Our framework can accommodate general duration probability distributions. Consistent with Bentley et al. (Reference Bentley, Stephenson, Toscas and Zhu2020), we adopt the intuitive compound Poisson process with arrival intensity
$\lambda$
to model the impact of mitigations on attack frequency. Following a system upgrade, the likelihood of successful cyber attacks diminishes, and the arrival intensity becomes
$f(w)\lambda$
, where
$0 \lt f(\!\cdot \!) \lt 1$
depends on the invested funds. Aligning the mitigation models discussed in Gordon and Loeb (Reference Gordon and Loeb2002) with our context yields
\begin{equation} f(w) = \frac {1}{(aw + 1)^b}, \end{equation}
where
$a \gt 0$
and
$b \geq 1$
are parameters associated with the capital invested in system upgrades. A higher value of
$a$
or
$b$
represents greater effectiveness of the system upgrade.
3.2 Equilibrium analysis
This section presents the analytical framework within which the objectives of the defender and the insurer are combined to yield equilibrium decisions regarding investment in system upgrades and insurance coverage. A diagrammatic overview of the bi-level framework and the resulting equilibrium is provided in Figure 2. First (Level 1), we formulate the defender’s value function, which we use to derive the capital
$w^*(c)$
to be invested in system upgrades. Second (Level 2), the insurer determines the coverage amount
$c^*(w)$
. This is then passed as input to
$w^*(c)$
to produce the equilibrium investment
$\widetilde {w} \equiv w^*(c^*)$
in system upgrades and the equilibrium coverage level
$\widetilde {c} \equiv c^*(\widetilde {w})$
.
Diagrammatic representation of the bi-level framework capturing the strategic interaction between the defender and the insurer.
As set out in the previous section, the defender may choose to allocate
$wK$
to a system upgrade and
$(1-w)K$
to purchasing cyber insurance. This allocation provides coverage for a portion of future losses resulting from cyber attacks. In the event that the defender incurs loss
$L_{i}$
, the insurer reimburses
$cL_{i}$
, where
$c\in \lbrack 0,1]$
;
$c=0$
corresponds to no coverage, while
$c=1$
to full coverage. The defender’s PV of loss in phase
$i = 1, 2, 3, \dots , n$
is
\begin{equation*} V_i(w) = (1-c)L_{i}e^{-rT_{i}^{w}}. \end{equation*}
Since the arrival of attacks follows a Poisson process, the time intervals between successive attacks are exponentially distributed, i.e.,
$\tau _{j}^{w}\sim \mathrm{Exponential}(f(w)\lambda )$
, hence
$T_{i}^{w}\sim \mathrm{Gamma}(i,f(w)\lambda )$
(see equation 2). The distributional properties of the resulting discounted loss
$V_i(w)$
are derived in the Appendix. Therefore,
\begin{eqnarray} \mathbb{E} [V_i(w)]&=& (1-c)L_i \prod _{j=1}^{i} \mathbb{E}\left [e^{-r\tau _j^w}\right ]= (1-c)L_i \left (\frac {f(w)\lambda }{f(w)\lambda + r}\right )^i. \end{eqnarray}
The PV over all losses is
\begin{equation} V(w)= (1-c)\sum _{i=1}^{n}L_{i}e^{-rT_{i}^{w}}, \end{equation}
with expectation
\begin{eqnarray} \mathbb{E}\left [ V(w)\right ] &=& (1-c)\sum _{i=1}^{n}L_{i}\left ( \frac {f(w)\lambda }{f(w)\lambda +r}\right ) ^{i}. \end{eqnarray}
The defender’s optimization problem is to derive the value of
$w$
that minimizes the expected loss for a given
$c$
:
\begin{eqnarray} w^{*}(c)=\mathop {\mathrm{argmin}}\limits _{w\in [0,1]} \mathbb{E}\left [V(w)\right ]. \end{eqnarray}
On the other hand, the insurer focuses on designing cyber insurance contracts. The insurer’s profit is the premium revenue minus the losses ceded by the firm due to cyber attacks. Specifically, the insurer receives
$(1-w)K$
at time
$0$
, but incurs a cost
$cL_i$
when the firm experiences a loss
$L_i$
due to a cyber attack. The PV of the insurer’s profit is given by
\begin{eqnarray} S(w) = (1-w)K - c \sum _{i=1}^{n} L_i e^{-rT_i^{w}} . \end{eqnarray}
From (8), the PV of the insurer’s profit depends on the firm’s budget allocation plan
$w$
. In response, the insurer determines the level of coverage
$c$
based on the premium received. Here, we assume that the insurer is risk-averse and seeks to achieve a positive profit from the insurance contract with probability
$\alpha _{ins}$
, i.e.,
\begin{align*} \mathbb{P}(S \gt 0) = \alpha _{ins}. \end{align*}
The confidence level
$0 \leq \alpha _{ins} \leq 1$
reflects the insurer’s degree of risk aversion, with a larger (smaller)
$\alpha _{ins}$
indicating a more (less) conservative insurer. This condition implies that the premium exceeds the cost of insurance coverage with probability
$\alpha _{ins}$
. Therefore, the insurer’s required level of coverage satisfies
\begin{equation*} {(1-w)K = \inf \left \{ z \in \mathbb{R} \,:\, \mathbb{P}(Z(w) \leq z) \geq \alpha _{ins} \right \} = \textrm {VaR}_{\alpha _{ins}}(Z(w)), } \end{equation*}
where
${Z(w)} = c \sum _{i=1}^{n} L_i e^{-rT_i^{w}}$
and the Value-at-Risk (VaR) measures the risk by examining the left tail of the PV distribution and is positively homogeneous. Without loss of generality, we adopt VaR as our risk measure, though this choice is not restrictive, and alternative risk measures or utility functions may be employed. By positive homogeneity of VaR, i.e.,
$\mathrm{VaR}_\alpha (cX)=c\,\mathrm{VaR}_\alpha (X)$
for
$c\gt 0$
, and rearranging (3.2), we obtain the insurer’s required level of coverage as a function of
$w$
:
\begin{eqnarray} c^*(w) &=& \frac {(1-w)K}{\mathrm{VaR}_{\alpha _{ins}}\!\left (\sum _{i=1}^{n} L_i e^{-rT_i^{w}}\right )} . \end{eqnarray}
Next, given the required coverage level
$c^*(w)$
, we determine the PV of the firm’s losses, now taking into account the firm’s perception of the insurer’s level of risk aversion, reflected in
$\alpha _{def}$
, which may differ from the insurer’s actual level of risk aversion
$\alpha _{ins}$
due to information asymmetry. By substituting (9) into (5), the PV of the firm’s loss becomes
\begin{eqnarray} V^*(w)=\left (1-\frac {(1-w)K}{\mathrm{VaR}_{\alpha _{def}}\left (\sum _{i=1}^{n}L_ie^{-rT_i^{w}}\right )}\right ) \sum _{i=1}^{n}L_ie^{-rT_i^{w}}. \end{eqnarray}
The equilibrium budget allocation strategy then follows as
\begin{eqnarray} \widetilde {w}=\mathop {\mathrm{argmin}}\limits _{w\in [0,1]} \mathbb{E} \left [V^*(w)\right ]. \end{eqnarray}
Finally, the equilibrium insurance coverage is obtained as
\begin{align*} \widetilde {c} = c^{*}\!\left (\widetilde {w}\right ). \end{align*}
4. Numerical analysis of equilibrium strategies
This section explores the effects of budget allocation ratios, attack frequency, and the frequency reduction parameter on the equilibrium strategies of a defender and an insurer. We examine how these factors influence the insurance coverage level and the expected PV of losses. We highlight the interplay between system upgrades and insurance, revealing non-monotonic relationships and strategic trade-offs that arise from variations in attack frequency and system upgrade effectiveness.
We begin by exploring how the allocation of resources between system upgrades and cyber insurance influences key outcomes, such as insurance coverage levels and expected losses. Table 1 presents the impact of the exogenous budget allocation ratio
$w$
on the optimal investment in insurance coverage, the expected PV of losses retained by the defender, and the VaR of losses transferred to the insurer. For illustrative purposes, results are based on the parameter values
$n=150$
,
$r=0.1$
,
$K=5$
,
$L_i=1$
,
$a=0.5$
,
$b=1$
, and
$\alpha _{ins} = \alpha _{def} = \alpha =0.95$
, using 10 million simulation runs.Footnote
2
For example, when
$a=0.5$
, the insurer provides higher coverage as the premium
$(1-w)K$
increases. However, this increased insurance coverage does not necessarily lead to smaller losses from cyber attacks for the firm. In fact, we observe a non-monotonic relationship with
$w$
, particularly for high attack frequencies (see cases
$\lambda =1$
or
$2$
).
Impact of the budget allocation ratio
$w$
on the optimal insurance coverage level, the expected PV of losses retained by the defender, and the vaR of losses ceded to the insurer, where
$Z(w) = c^*(w)\sum _{i=1}^n L_i e^{-rT_i^w}$
Table 2 reports the equilibrium budget allocation ratio
$\widetilde {w}$
, insurance coverage level
$\widetilde {c}$
, and expected PV of losses
$\widetilde {V}(\!\cdot \!)$
, under information asymmetry. Specifically, this asymmetry is reflected in differing percentile levels used in the calculation of the VaR. In the upper panel, we hold constant the defender’s perception of the insurer’s risk aversion, i.e.,
$\alpha _{def} = 0.95$
, while increasing the insurer’s actual level of risk aversion. The results show that the defender’s expected losses increase as
$\alpha _{ins}$
rises. Intuitively, under information asymmetry, the defender forms decisions based on a fixed belief about the insurer’s risk aversion and therefore does not observe the insurer’s true level. As a result, the defender maintains a constant budget allocation ratio
$\widetilde {w}$
. In contrast, the insurer’s behavior reflects its true level of risk aversion: the more risk-averse the insurer is relative to the defender’s perception, the lower the equilibrium coverage level. For example, when
$\lambda =1$
, the defender consistently allocates
$\widetilde {w}=0.35$
of the budget to system upgrades regardless of
$\alpha _{ins}$
, yet the coverage level falls from
$\widetilde {c}=0.2897$
to
$0.2849$
to
$0.2532$
as
$\alpha _{ins}$
rises from
$0.90$
to
$0.95$
to
$0.975$
, with expected losses increasing correspondingly from
$6.0449$
to
$6.2226$
to
$6.3731$
.
Equilibrium investment, coverage, and expected PV under asymmetric information
The lower panel of Table 2 isolates the impact of information asymmetry when the insurer’s risk aversion level is held fixed, but the defender does not observe its exact value. We find that when the cyberattack frequency is either very low or very high (e.g.,
$\lambda \leq 0.5$
or
$\lambda \geq 2$
), the expected losses are identical across all values of
$\alpha _{def}$
. This occurs because
$\widetilde {w}$
remains constant, indicating that it is optimal for the defender to allocate the entire budget either to system upgrades or to purchasing insurance. When
$\lambda$
takes intermediate values, however, the defender’s expected PV of losses is minimized under symmetric information, i.e., when
$\alpha _{def} = \alpha _{ins}$
, and increases as
$\alpha _{def}$
deviates from
$\alpha _{ins}$
. This arises because information asymmetry leads the defender to choose a suboptimal budget allocation, resulting in higher realized losses relative to the symmetric-information benchmark. For example, when
$\lambda =1$
and
$\alpha _{ins}=0.95$
, the defender optimally sets
$\widetilde {w}=0.35$
under symmetric information, yielding
$\widetilde {V}=6.2226$
. If instead the defender underestimates the insurer’s risk aversion (
$\alpha _{def} = 0.90$
), the budget allocation falls to
$\widetilde {w}=0.25$
, raising expected losses to
$\widetilde {V}=6.2289$
. Conversely, overestimating the insurer’s risk aversion (
$\alpha _{def}=0.975$
) leaves
$\widetilde {w}$
unchanged at
$0.35$
but results in miscalculated coverage, pushing
$\widetilde {V}$
to
$6.2343$
.
Turning to the directional patterns in Table 2, in the upper panel,
$\widetilde {w}$
is invariant to
$\alpha _{ins}$
across all
$\lambda$
, since the defender does not observe the insurer’s true risk aversion and therefore cannot condition on it. The equilibrium coverage
$\widetilde {c}$
, however, is decreasing in
$\alpha _{ins}$
: a more risk-averse insurer demands a higher VaR threshold before committing to coverage, so for any given premium, the coverage offered is lower. Consequently,
$\widetilde {V}$
is increasing in
$\alpha _{ins}$
for intermediate
$\lambda$
, and remains constant for
$\lambda =2$
, where
$\widetilde {w}=1$
and no insurance is purchased regardless. In the lower panel,
$\widetilde {w}$
is non-decreasing in
$\alpha _{def}$
for intermediate
$\lambda$
: a defender who overestimates the insurer’s risk aversion anticipates less coverage being offered and therefore shifts more of the budget toward system upgrades. The coverage
$\widetilde {c}$
is correspondingly decreasing in
$\alpha _{def}$
, since a higher
$\widetilde {w}$
reduces the premium
$(1-\widetilde {w})K$
available to the insurer, mechanically lowering the coverage level. For
$\lambda =0.5$
and
$\lambda =2$
, the corner solutions (
$\widetilde {w}=0$
and
$\widetilde {w}=1$
, respectively,) are robust to misspecification of
$\alpha _{def}$
, so both
$\widetilde {c}$
and
$\widetilde {V}$
remain constant across columns. The behavior of
$\widetilde {V}$
for intermediate
$\lambda$
is non-monotone in
$\alpha _{def}$
, with the symmetric-information case (
$\alpha _{def}=\alpha _{ins}=0.95$
) yielding the lowest expected losses: any deviation of
$\alpha _{def}$
from
$\alpha _{ins}$
in either direction leads to a suboptimal allocation and therefore higher realized losses. Intuitively, underestimating the insurer’s risk aversion leads to insufficient investment in system upgrades, while overestimating it diverts excessive funds away from insurance; in both cases, the allocation is suboptimal relative to the symmetric-information benchmark.
Impact of the exogenous budget allocation ratio
$w$
on the insurance coverage level (left) and the expected PV of losses (right) for
$a=0.5$
(top) and
$a=2.5$
(bottom).
With these observations in mind, in Figure 3, we more closely examine how the insurance coverage level (left panel) and the expected PV of losses (right panel) vary with
$w$
for different values of
$a$
. The upper panel reveals a notable trend: when
$a$
is small (i.e., the effectiveness of a system upgrade is low), a decrease in
$w$
(that is, an increase in the budget proportion allocated to purchasing insurance) leads to an increase in the level of insurance coverage. This occurs because a low
$a$
value implies that investing in a system upgrade yields only marginal reductions in the frequency of cyber attacks and subsequent losses, making insurance a more cost-efficient option. Additionally, the insurer is inclined to offer more extensive coverage when a higher premium is charged. However, as shown in the top-left panel, the coverage level also depends on the frequency of cyber attacks. Intuitively, proportional coverage becomes costly for the insurer when the attack frequency is high; consequently, a lower coverage level is set in such a case.
Interestingly, the top-right panel demonstrates that when
$a$
is small and the frequency of cyber attacks
$\lambda$
is low, opting for insurance becomes more appealing to the defender, whereas when
$\lambda$
is high, investing in a system upgrade is preferred. This preference for system upgrades when
$\lambda$
is high arises because a high
$\lambda$
prompts the insurer to offer minimal coverage in the absence of a system upgrade. In such a case, investing in system upgrades results in a more substantial reduction in expected losses from cyber attacks compared to purchasing insurance. Consequently, the equilibrium budget allocation ratio
$\widetilde {w}$
is close to
$1$
. Conversely, when
$\lambda$
is low, the expected number of cyber attacks and associated losses remains minimal even if the company does not invest in self-protection. Under these circumstances, the insurer is willing to provide higher coverage, making insurance a more appealing investment for the company. Thus,
$\widetilde {w}$
approaches
$0$
.
When
$a$
is large, the impact of
$w$
on the insurer’s decision and the expected PV of losses becomes more ambiguous, as exhibited in the bottom panel of Figure 3. As shown in (3), larger
$a$
implies that investing in a system upgrade can lead to a more significant reduction in the frequency of future cyber attacks. Interestingly, the bottom-left panel indicates that as
$w$
increases, the insurer may be willing to offer better insurance coverage (for
$w\lt 0.25$
) even if it receives a smaller premium. This counterintuitive result can be attributed to the fact that the insurer benefits from either a higher premium or a lower total claim amount, as indicated in (8). When
$a$
is large, the decrease in the expected PV of future claims resulting from the defender’s investment in system upgrades surpasses the comparatively smaller premium received. The bottom-right panel also shows that the firm is more likely to benefit from a larger investment in system upgrades when
$a$
is large.
Figure 4 examines the influence of cyber attack frequency on the equilibrium strategies of both the defender and the insurer. The left panel shows a decline in the equilibrium insurance coverage level as the frequency of cyber attacks increases. Notably, this coverage level approaches zero when
$\lambda$
becomes exceedingly high. This is because an increase in
$\lambda$
raises both the expected number of cyber attacks experienced by the firm and the claims processed by the insurer. To counterbalance this escalating claim frequency and amount, the insurer may choose to either increase the premium or decrease the coverage ratio. However, when
$\lambda$
is high, the premium (see the first term in equation 8) becomes relatively small compared to the claim amount (see the second term in equation 8), making higher premiums less effective. More importantly, this reduces the budget available for system upgrades, leading to weaker frequency reduction. Consequently, the insurer benefits more from offering lower coverage, enabling the firm to allocate more funds for system upgrades. This, in turn, helps curb the frequency of cyber attacks, ultimately benefiting the insurer as well.
Impact of the frequency parameter
$\lambda$
on the insurance coverage level (left) and the equilibrium budget allocation ratio (right).
As shown in the right panel of Figure 4, the equilibrium budget allocation ratio
$\widetilde {w}$
increases with
$\lambda$
in all cases, indicating that the firm invests more in system upgrades as the frequency of attacks rises. For example, when
$a=0.5$
, the firm tends to allocate its entire budget to insurance when
$\lambda \lt 0.45$
, or entirely to system upgrades when
$\lambda \gt 1.7$
. As discussed earlier, when
$\lambda$
is low, the insurer is willing to offer substantial coverage for losses, such as
$\widetilde {c}=65\%$
for
$a=0.5$
and
$\widetilde {c}=90\%$
for
$a=5$
. This makes investing in insurance a more attractive option for the firm. However, as the frequency of attacks increases, the insurer has less incentive to provide high coverage levels, even with high premiums. Consequently, the effectiveness of loss reduction through insurance diminishes, making it more advantageous for the firm to allocate a larger portion of its budget to system upgrades. When
$\lambda$
becomes extremely high, the insurance company provides minimal coverage, and
$\widetilde {w}$
approaches
$1$
.
Finally, we investigate the impact of the frequency reduction parameter
$a$
. As illustrated in Figure 5, there is a non-monotonic relationship between
$a$
and the equilibrium strategies of both the firm and the insurer. Specifically, the equilibrium budget allocation ratio initially rises and then decreases with increasing
$a$
, while the coverage level does the opposite. Intuitively, when
$a$
is small, investing in system upgrades does not significantly reduce the frequency of future cyber attacks. Thus, the firm must allocate more resources to purchasing insurance, resulting in a lower
$\widetilde {w}$
. However, as
$a$
increases, the system upgrade effectiveness in reducing losses becomes more pronounced; even a small increase in
$w$
can substantially decrease the frequency of future attacks, as implied by (3). Consequently, the firm may decide to allocate a larger budget to these upgrades. In response to the marked decrease in premiums, the insurer may reduce the coverage level. When
$a$
reaches a high value, the projected frequency of attacks diminishes significantly, potentially approaching zero. This limits the scope for further loss reduction despite additional investments in system upgrades. Conversely, the insurer faces reduced claim amounts and is inclined to offer higher coverage. Therefore, higher coverage obtained through larger premiums (see right panel for
$a\gt 1.25$
) could outweigh the marginal reduction in attack frequency, causing
$\widetilde {w}$
to decrease as
$a$
increases.
Impact of the attack frequency reduction parameter
$a$
on the equilibrium budget allocation ratio (left) and the insurance coverage level (right).
5. Conclusions
In today’s digital landscape, cyber insurance has become increasingly essential due to the growing threat of cyber attacks and data breaches. It provides businesses with financial protection in the event of a cyber incident, helping to mitigate costs, such as forensic investigations, legal fees, customer notifications, and credit monitoring for affected individuals. Without insurance, these expenses can be substantial and potentially devastating for a business. Additionally, cyber insurance incentivises businesses to adopt robust cybersecurity measures and protocols. Insurers often require policyholders to meet specific security standards, such as conducting regular assessments and providing employee training, to qualify for coverage. By encouraging proactive risk management practices, cyber insurance reduces the likelihood and severity of cyber incidents.
In this paper, we examine a firm tasked with allocating its limited resources between upgrading its security infrastructure and purchasing cyber insurance. By assessing the risks associated with security breaches and considering the uncertainty in the time required to exploit vulnerabilities in the firm’s security infrastructure, as well as the strategic interactions between the firm and an insurer, we derive the optimal strategies for both parties endogenously. Our findings indicate that insurance coverage tends to increase with a higher premium; however, this relationship depends on the system upgrade effectiveness. If a minor investment in system upgrades results in a significant reduction in claim frequency, the insurer may still offer high coverage even if the premium decreases. Conversely, when the frequency of cyber attacks is high, the insurer provides lower coverage, prompting the firm to allocate more capital to system upgrades rather than insurance. Furthermore, the system upgrade effectiveness can exert a non-monotonic influence on the equilibrium budget allocation strategy and insurance contract design.
Future research directions could involve extending our framework to incorporate alternative optimization objectives that would enable further analysis of how risk preferences influence the optimal budget allocation problem. A utility-based approach could also be adopted to quantify these preferences and describe the objective functions of different market participants. Lastly, the pricing of cyber insurance is inherently complex, as the dynamic and evolving nature of cyber threats undermines the reliability of historical data for forecasting future losses. Additional enhancements worthy of consideration in contract design include more advanced underwriting practices, dynamic pricing, and exclusions, as well as explicit treatment of adverse selection and negotiation (Wang, Reference Wang2019; Awiszus et al., Reference Awiszus, Knispel, Penner, Svindland, Voß and Weber2023; Arce et al., Reference Arce, Woods and Böhme2024).
Data availability statement
The authors provide replication materials openly via https://www.bayes.citystgeorges.ac.uk/faculties-and-research/experts/ioannis-kyriakou.
Funding statement
This work was supported by the Society of Actuaries (SOA) Research Institute and the Casualty Actuarial Society (CAS) under the research grant proposal “Bi-level Optimization of Cyber Risk and Insurance Pricing.” The funder had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests
The author(s) declare none.
A. Appendix
Define, for any
$i\geq 1$
,
$T_{i}=\tau _{1}+\tau _{2}+\cdots +\tau _{i}$
with general distribution function
$F_{T_{i}}\left ( \cdot \right )$
. Consider
$i=1$
. We have for
$V_{1}=(1-c)L_{1}e^{-rT_{1}}$
that
\begin{align*} \Theta _{V_{1}}(v)=\mathbb{P}\left ((1-c)L_{1}e^{-rT_{1}}\leq v\right ) =\mathbb{P}\left ( T_{1}\geq \frac {1}{r}\ln \frac {(1-c)L_{1}}{v}\right ) =1-F_{T_{1}}\left ( \frac {1}{r}\ln \frac {(1-c)L_{1}}{v}\right ) . \end{align*}
Assuming
$\tau _{j}\sim \mathrm{Exponential}(\lambda )$
for all
$j$
, where
$\lambda$
serves as a generic arrival parameter (to connect to the main model, substitute
$\lambda \leftarrow f(w)\lambda$
; the unmitigated baseline
$f(w)=1$
recovers the expressions as written), we get that
\begin{equation} \Theta _{V_{1}}(v) =\left ( \frac {v}{(1-c)L_{1}}\right ) ^{\frac {\lambda }{r}} \end{equation}
with associated density function
\begin{equation} \theta _{V_{1}}(v)=\frac {\lambda }{r}\left ((1-c)L_{1}\right )^{-\frac {\lambda }{r}}v^{\frac {\lambda }{r}-1} \end{equation}
and mean
\begin{equation} \mathbb{E}\left [ V_{1}\right ] =\int _{0}^{L_{1}}v\theta _{V_{1}}(v)\,dv=\frac {\lambda }{\lambda +r}(1-c)L_{1}. \end{equation}
For the general
$n$
-phase attack,
$V_{n}=(1-c)L_{n}e^{-rT_{n}}$
with
\begin{align*} \Theta _{V_{n}}(v)=1-F_{T_{n}}\left ( \frac {1}{r}\ln \frac {(1-c)L_{n}}{v}\right ) . \end{align*}
Since
$T_{n}\sim \mathrm{Gamma}(n,\lambda )$
, we get that
\begin{eqnarray} \Theta _{V_{n}}(v) &=&1-\frac {1}{\Gamma (n)}\gamma \left ( n,\frac {\lambda }{r}\ln \frac {(1-c)L_{n}}{v}\right ) , \end{eqnarray}
\begin{eqnarray} \theta _{V_{n}}(v) &=&\frac {\lambda ^{n}}{rv\Gamma (n)}\left ( \frac {1}{r}\ln \frac {(1-c)L_{n}}{v}\right ) ^{n-1}\left ( \frac {v}{(1-c)L_{n}}\right ) ^{\frac {\lambda }{r}}, \end{eqnarray}
where
$\gamma (\!\cdot \!)$
and
$\Gamma (\!\cdot \!)$
denote the lower incomplete gamma and gamma functions, from which
\begin{eqnarray} \mathbb{E}\left [ V_{n}\right ] &=& (1 - c) L_{n}\prod _{j=1}^{n}\mathbb{E}\left [ e^{-r\tau _{j}^{w}}\right ] = (1 - c) L_{n}\left ( \frac {\lambda }{\lambda +r}\right ) ^{n}. \end{eqnarray}
Open access
