Distinguished Lecture with Mingyan Liu: From Risk Transfer to Risk Mitigation in Contract Design: Cyber Insurance as an Incentive Mechanism for Cybersecurity


October 7, 2019    
1:10 pm - 2:00 pm


3043 ECpE Building Addition
Coover Hall, Ames, Iowa, 50011

Speaker: Mingyan Liu, Professor and Peter and Evelyn Fuss Chair of Electrical and Computer Engineering at the University of Michigan, Ann Arbor

Title: From Risk Transfer to Risk Mitigation in Contract Design: Cyber Insurance as an Incentive Mechanism for Cybersecurity

Abstract: With increasingly frequent and ever more costly data breaches and other cyber incidents, firms are turning to cyber insurance as a risk management instrument. However, much like other types of insurance, cyber insurance is fundamentally a method of risk transfer. With typical issues of moral hazard and information asymmetry, the insured is generally inclined to lower its effort within a contract, leading to a worse state of security. To use cyber insurance as an incentive mechanism to encourage better security practices and higher security investment, a commonly used concept is premium discrimination, i.e., an insured pays less premium for exerting higher effort. However, using premium discrimination effectively faces two challenges: (1) one needs to be able to accurately assess the effort exerted by the insured, and (2) cyber risks are notoriously interdependent at a firm level: an insured’s risk is a function of not only its own effort, but also the efforts of its vendors and suppliers. This externality makes the underlying contract design problem quite different from what’s typically studied in the literature. With these two challenges in mind, I will first present our research in quantitative assessment of an organization’s cyber risk from externally observable properties, by applying modern machine learning techniques to large quantities of Internet measurement data. This firm-level security posture assessment, or “pre-screening”, makes premium discrimination feasible. I then consider a contract design problem with a single profit-maximizing, risk-neutral insurer (principal) and voluntarily participating, risk-averse insureds (agents). We show that risk dependency among agents leads to a “profit opportunity” for the insurer, created by the inefficient effort levels exerted by agents who do not account for risk externalities when outside a contract. Pre-screening then allows the insurer to take advantage of this opportunity by designing appropriate contract terms which incentivize agents to internalize the externalities. We identify conditions under which this type of contract leads to not only increased profit for the principal, but also an improved state of network security. This result further allows us to investigate and compare typical policy portfolios and show how cyber risk dependencies can be taken into account when underwriting policies. This is demonstrated using a commonly practiced rate-schedule based policy framework.

Bio: Mingyan Liu received her Ph.D. in electrical engineering from the University of Maryland, College Park, in 2000. She has since been with the Department of Electrical Engineering and Computer Science at the University of Michigan, Ann Arbor, where she is currently a Professor and the Peter and Evelyn Fuss Chair of Electrical and Computer Engineering. Her research interests are in optimal resource allocation, performance modeling, sequential decision and learning theory, game theory and incentive mechanisms, with applications to large-scale networked systems, cybersecurity and cyber risk quantification. She is the recipient of the 2002 NSF CAREER Award, the University of Michigan Elizabeth C. Crosby Research Award in 2003 and 2014, the 2010 EECS Department Outstanding Achievement Award, the 2015 College of Engineering Excellence in Education Award, the 2017 College of Engineering Excellence in Service Award, and the 2018 Distinguished University Innovator Award. She has received a number of Best Paper Awards, including at the IEEE/ACM International Conference on Information Processing in Sensor Networks (IPSN) in 2012 and at the IEEE/ACM International Conference on Data Science and Advanced Analytics (DSAA) in 2014. She has served on the editorial boards of IEEE/ACM Trans. Networking, IEEE Trans. Mobile Computing, and ACM Trans. Sensor Networks. She is a Fellow of the IEEE and a member of the ACM.

ECpE Seminar Host: Namrata Vaswani