A Bi-Level Game Approach to Attack-Aware Cyber Insurance of Computer Networks

Rui Zhang, Quanyan Zhu, Yezekael Hayel

Research output: Contribution to journal › Article › peer-review


Cyber insurance is a valuable approach to further mitigate cyber risk and its loss, in addition to the deployment of technological cyber defense solutions such as intrusion detection systems and firewalls. An effective cyber insurance policy can reduce the number of successful cyber attacks by incentivizing users to adopt preventative measures and implement best practices. To study cyber insurance in a holistic manner, we first establish a bi-level game-theoretic model that nests a zero-sum game in a moral-hazard type of principal-agent game to capture complex interactions between a user, an attacker, and the insurer. The game framework provides an integrative view of cyber insurance and enables a systematic design of incentive-compatible and attack-aware insurance policy. The framework is further extended to study a network of users and their risk interdependencies. We completely characterize the equilibrium solutions of the bi-level game. Our analytical results provide a fundamental limit on insurability, predict the Peltzman effect, and reveal the principles of zero operating profit and the linear insurance policy of the insurer. We provide analytical results and numerical experiments to corroborate the analytical results and demonstrate the network effects as a result of the strategic interactions among the three types of players.

Original language: English (US)
Article number: 7859343
Pages (from-to): 779-794
Number of pages: 16
Journal: IEEE Journal on Selected Areas in Communications
Issue number: 3
State: Published - Mar 2017


  • Cyber insurance
  • information asymmetry
  • mechanism design
  • moral hazard
  • network effects
  • network security
  • security games

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering

