Cyber-insurance as a signaling game: Self-reporting and external security audits

Aron Laszka, Emmanouil Panaousis, Jens Grossklags

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Scopus citations


An insurer has to know the risks faced by a potential client to accurately determine an insurance premium offer. However, while the potential client might have a good understanding of its own security practices, it may also have an incentive not to disclose them honestly since the resulting information asymmetry could work in its favor. This information asymmetry engenders adverse selection, which can result in unfair premiums and reduced adoption of cyber-insurance. To overcome information asymmetry, insurers often require potential clients to self-report their risks. Still, clients do not have any incentive to perform thorough self-audits or to provide comprehensive reports. As a result, insurers have to complement self-reporting with external security audits to verify the clients’ reports. Since these audits can be very expensive, a key problem faced by insurers is to devise an auditing strategy that deters clients from dishonest reporting using a minimal number of audits. To solve this problem, we model the interactions between a potential client and an insurer as a two-player signaling game. One player represents the client, who knows its actual security-investment level, but may report any level to the insurer. The other player represents the insurer, who knows only the random distribution from which the security level was drawn, but may discover the actual level using an expensive audit. We study the players’ equilibrium strategies and provide numerical illustrations.

Original languageEnglish (US)
Title of host publicationDecision and Game Theory for Security - 9th International Conference, GameSec 2018, Proceedings
EditorsLinda Bushnell, Radha Poovendran, Tamer Basar
PublisherSpringer Verlag
Number of pages13
ISBN (Print)9783030015534
StatePublished - 2018
Event9th International Conference on Decision and Game Theory for Security, GameSec 2018 - Seattle, United States
Duration: Oct 29 2018Oct 31 2018

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume11199 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference9th International Conference on Decision and Game Theory for Security, GameSec 2018
Country/TerritoryUnited States

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Cyber-insurance as a signaling game: Self-reporting and external security audits'. Together they form a unique fingerprint.

Cite this