Printed from https://ideas.repec.org/a/inm/orserv/v16y2024i2p124-141.html

Cyber Insurance and Post-Breach Services: A Normative Analysis

Author

Listed:
  • Wendy Hui

    (Singapore Institute of Technology, Singapore 138683)

  • Kai-Lung Hui

    (Department of Information Systems, Business Statistics, and Operations Management, School of Business and Management, Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong)

  • Wei T. Yue

    (Department of Information Systems, College of Business, City University of Hong Kong, Kowloon Tong, Hong Kong)

Abstract

Cyber insurance is becoming an essential tool for managing cybersecurity risks. In this study, we analyze how having the option to subscribe to cyber insurance services affects firms’ risk prevention and mitigation decisions. We model the scenario where the firm purchases cyber insurance in a competitive insurance market and compare it against the case when it does not purchase cyber insurance. When there is a breach, cyber insurance can help cover mitigation expenses and breach losses. Consistent with the prior literature, we find that in most cases cyber insurance exacerbates ex ante moral hazard by decreasing expected risk prevention. However, it enhances ex post efforts by increasing expected risk mitigation, which can lead to more positive outcomes for the insured firm. The mechanism involves designing the contract with a delicate calibration of the coverage of breach losses and the coinsurance rate. Moreover, the findings highlight the importance of a healthy risk mitigation service market in managing cybersecurity risks.

Suggested Citation

  • Wendy Hui & Kai-Lung Hui & Wei T. Yue, 2024. "Cyber Insurance and Post-Breach Services: A Normative Analysis," Service Science, INFORMS, vol. 16(2), pages 124-141, June.
  • Handle: RePEc:inm:orserv:v:16:y:2024:i:2:p:124-141
    DOI: 10.1287/serv.2021.0120

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/serv.2021.0120
    Download Restriction: no



    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Georges Dionne & Scott Harrington, 2017. "Insurance and Insurance Markets," Working Papers 17-2, HEC Montreal, Canada Research Chair in Risk Management.
    2. Xing Gao, 2023. "A competitive analysis of software quality investment with technology diversification and security concern," Electronic Commerce Research, Springer, vol. 23(4), pages 2691-2712, December.
    3. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    4. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    5. Henri Loubergé, 1998. "Risk and Insurance Economics 25 Years After," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 23(4), pages 540-567, October.
    6. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    7. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    8. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    9. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    10. Chi, Yichun & Zhuang, Sheng Chao, 2022. "Regret-based optimal insurance design," Insurance: Mathematics and Economics, Elsevier, vol. 102(C), pages 22-41.
    11. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    12. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 0. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 0, pages 1-18.
    13. Yong Wu & Mengyao Xu & Dong Cheng & Tao Dai, 2022. "Information Security Strategies for Information-Sharing Firms Considering a Strategic Hacker," Decision Analysis, INFORMS, vol. 19(2), pages 99-122, June.
    14. Leting Zhang & Emre M. Demirezen & Subodha Kumar, 2025. "How to Make My Bug Bounty Cost-Effective? A Game-Theoretical Model," Information Systems Research, INFORMS, vol. 36(2), pages 1031-1053, June.
    15. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    16. Margareta Heidt & Jin P. Gerlach & Peter Buxmann, 2019. "Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments," Information Systems Frontiers, Springer, vol. 21(6), pages 1285-1305, December.
    17. Sidorenko, Alexandra, 2001. "Stochastic Model of Demand for Medical Care with Endogenous Labour Supply and Health Insurance," Departmental Working Papers 2001-08, The Australian National University, Arndt-Corden Department of Economics.
    18. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    19. Terrence August & Daehoon Noh & Noam Shamir & Hyoduk Shin, 2025. "Cyberattacks, Operational Disruption, and Investment in Resilience Measures," Management Science, INFORMS, vol. 71(9), pages 7390-7413, September.
    20. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
