Cyber insurance was expected to incentivise stronger self-protection by rewarding improved cybersecurity with lower premiums. However, theoretical results show that rational insureds often reduce their cyber investment, relying instead on coverage. In critical infrastructure (CI), this dynamic is particularly problematic, as it heightens cyber risk across supply chains. Effective cyber risk mitigation requires oversight of cybersecurity among all partners. Existing mechanisms to incentivise investment largely depend on insureds’ honesty or access to sensitive data. This paper proposes a simple-to-implement bonus–penalty mechanism that requires only cyber incident occurrence status, no incident history, and is intended for deployment by the state or large CI organisations. We analyse the separate effects of penalties and bonuses on cyber investment, comparing scenarios with and without cyber insurance under a constant absolute risk aversion utility framework and a generic probability function. We assess the mechanism’s ability to prevent the self-protection drop associated with cyber insurance coverage. Numerical examples illustrate and support the theoretical findings.
Yautsiukhin et al. (Thu,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: