Dissertation Defense

Incentive Mechanisms for Managing and Controlling Cyber Risks: The Role of Cyber Insurance and Resource Pooling

Mohammad Mahdi Khalili
3316 EECS Building
Cyber insurance has emerged as an accepted risk mitigation mechanism that allows firms (insureds) to transfer their residual risks to the insurer. A major issue, however, is that insurance is fundamentally a method of risk transfer, which in general does not reduce the overall risk; in particular, an insured may lower its effort after purchasing coverage, leading to a poor state of security. It is thus critical to look for ways in which cyber insurance can also be used as an incentive mechanism for firms to increase their security investments.

In this dissertation, we focus on two features of cybersecurity: the interdependent nature of cyber risks and our ability to perform an accurate quantitative assessment of firms’ security posture. We show that these features allow a profit-maximizing cyber insurer to design a cyber insurance contract to incentivize higher security investment.

We further consider resource pooling as a mechanism to incentivize effort in a network of interdependent agents, in which agents can invest in themselves as well as in other agents. We show that the interaction of strategic and selfish agents under resource pooling improves the agents’ efforts as well as their utilities.

Chair: Professor Mingyan Liu