Models and Measures for Correlation in Cyber-Insurance

A high correlation in the failure of information systems caused by worms or viruses has been the main argument against the existence of a cyber-insurance market. The authors here introduce the notion that different types of system failures are correlated with different sorts of threats, and these different correlations affect the insurance market. Internal attacks can be separated from global risks, or correlation across independent firms in an insurer's portfolio. While internal attacks affect a firm's decision to purchase cyber-insurance, the global threat affects the cost of premiums. These two tiers can model conducive conditions for a cyber-insurance market. An equilibrium model is generated that incorporates features of information assets as well as both tiers of risk correlation. A simulation of the model uncovers which configurations of internal and global correlations are conducive to a cyber-insurance market.