Appendix

Proof. Baseline scenario: Objective based on the expected utility function of the firm is max ( z U ( W + [ π ( z ] I z + ( z U N ( W π ( z I z z, I The first order condition for IT security investment is π ( z ( z[ U U N ] + I ( z U + { ( z } U N = 0 z. (A First order condition for insurance is ( z[ π ( z ] U π ( z ( z U N = 0. (A Since ( z ( z U = U and I=. That is, the marginal utilities in both π =, from the latter condition we see that N states are equal. From the first condition, ( z = (A3

Proof. IT Security Spending with No Insurance Market Utility function of the firm is z U W z + z U W z max ( ( ( ( N ( z The first order condition for IT security investment is z U U z U + z U = 0 { } ( [ ] ( ( ( N N For W large enough, first order Taylor series approximation gives U U + U (A4 since ( z ( ( z N { } ( ( ( ( z U z U + z U = 0 N U N ( z + ( ( z U ( z = U N + <, IT security investment when insurance is available at fair market price is lower U than IT security investment when there is no insurance market available.

Proof 3. Interdependent case: Utility function of the firm is max ( z, z U ( W + [ π ( z : z ] I z + ( z, z UN ( W π ( z : z I z z, I where ( z, z = ( p ( z ( qp ( z The first order condition for IT security investment is ( z, z π ( z (, z U U N + I { ( z, z U + ( z, z U N } = 0 z z First order condition for insurance is ( z, z ( π ( z, z U ( ( z, z π ( z, z U =0 If =0, then I= and ( z z N, = p ( z( qp( z = z (A5
If >0, for W large enough, using first order Taylor series approximation U U U I U U + U I + ( ; ( N N Substituting in A5, dividing byu and using first order condition for insurance (, ( [ + λ] (, [ λ] ( (, U z z z z N = U + z z we get ( z, z = z + λ [ ] and assuming the CARA utility function we get from the FOC for insurance λ r[ I] = [ + λ] p ( z qp ( z U where r = is a constant and greater than 0. Using identical firms, U p ( z qp ( z = (A6 + λ [ ] λ I = (A7 r [ + λ] p ( z qp ( z

Proof 4: Condition for Unique Equilibrium From the first order condition of IT security investment (A6, Π ( R ( z, z = p ( z qp ( z + = 0 The slope of reaction function for Firm and is Π ( R ( z, z p z qp z R ( z = = Π R z, z p z qp ( z ( ( ( ( ( ; R ( z ( [ + λ] ( (, ( R ( z, z ( ( ( ( ( Π R z z p z qp z = = Π p z qp z In order for the reaction curves to intersect, the slope of R should be higher than the slope of R. So p ( z ( qp ( z p ( z qp ( z >. p ( z qp ( z p ( z ( qp( z cross-multiplying and rearranging { p ( z ( qp( z p ( z qp ( z }{ p ( z ( qp( z + p ( z qp ( z } > 0 Note that the second term in the HS multiplicand is positive. Hence for a unique equilibrium, p ( z ( qp( z p ( z qp ( z > 0 Assuming symmetric firms, the condition for unique equilibrium can be written as ( ( ( p z qp( z q p z > 0

Proof 5: Denote the level of IT security investment and insurance coverage taken in independent firm and dependent firms I D I D as z and z respectively and I and I. I I λ p ( z = ; r [ + λ] I = I [ + λ] p ( z (A8(a,b D D D λ p ( z qp ( z = ; r [ + λ] I = D D [ + λ] p ( z qp ( z (A9(a,b Dividing A8a and A9a, p z I = p z D qp z D p z I > p z D z I > z D If >0, dividing A8b and A9b, ( ( ( ; ( (
Proof 6: Proof 7: Proof 8: D D ( qp ( z I ( I I p z = D I p z I I D I D z > z p ( z > p ( z ; I D < or I I p ( z p ( z ( ( ( ( z = < 0 q p z qp z p z qp z (i λ p ( z + q qp ( z [ λ] ( ( I D > I (if =0, I I D = I. since denominator is less than zero. I = > 0 z + r p z qp z λ ( + ( [ + λ] r p ( z qp ( z ( ( ( ( ( ( I z p z q qp z p z p z = 0 z q { p z qp z p z qp z } z (ii = > 0 [ + λ] p ( z ( qp ( z p ( z qp ( z λ p ( z + q qp ( z [ + λ] r p ( z qp ( z [ + λ] ( ( ( ( ( I I z + = > 0 z p z qp z p z qp z z I λ (iii = 0, = r r r 0 + λ p z qp z π z ( ( ( ( ( = + < 0 and = ( + λ q z q, ( z = qp ( z p ( z, p ( z q qp ( z z z π < 0 from proposition (i: As a result, > 0 q q z = > 0 { } λ [ + λ] p ( z ( qp ( z p ( z qp ( z λ p ( z + q qp ( z [ + λ] r p ( z qp ( z [ + ] ( ( ( ( ( I I z I = + = λ z λ λ λ p z qp z p z qp z p ( z qp ( z r[ + λ] { } λ p ( z + q qp ( z ( + λ p ( z qp ( z p ( z qp ( z p ( z qp ( z = p ( z qp ( z r[ + λ] { } ( ( p z + q qp z Denote λ = > 0 p ( z qp ( z { p ( z qp ( z p ( z qp ( z } I λλ =. If λ > λ p ( z qp ( z r[ + λ] ( + λ λ, I > λ 0 I, else < 0. λ

Proof 9: I = λ ( ( ( λ ( [ ( ] λ r + λ p z qp z = r λ z = + r ( + λ π ( z
( π z ( z ( λ = + + z λ z λ λ π z ( ( z π ( z I λ π + λ + = = λ λ λ λ π z ( ( π I We know that the insured amount will be greater than the premium paid (i.e. ( π ( z > 0 As a result, if > 0, < 0. λ λ If the loading factor increases, insurance coverage will decrease if the price of insurance ((z increases as well. z π ( z ( z ( λ = + + z > 0 (if λ z λ π ( z > = λ, > 0. λ z λ z λ

Proof 0: In region ; p ( z ( z p 3 = ( I r = 4 =, I ( qp ( z3, I3 =. In region ; p ( z = ( + λ p ( z qp ( z ( + λ ( =, r ( I =. In region 4, p ( z4 = + λ qp z λ 4 4 ( ( ( 4, ( λ ( + λ p ( z ( z. In region 3; z z > z3, z > z4, z > z and since > 0, z4 > z3. λ As a result, z > z4, z > z3. For the insurance amount, since z > z4, I = I3 > I > I4.

Traditional Insurance Market (q=0, =0 versus Current cyber insurance market. We will compare IT security investment level in region 4 and in region. For cyber insurance coverage taken = I > I4. For the IT security investment, If [ λ] qp ( z + = 4, then 4 z = z. If [ λ ] ( ( ( p p ( z ( z + qp z < p z > p z z > z 4 4 4 If [ λ ] ( ( ( 4 [ λ] qp ( z = + 4. + qp z4 > p z < p z4 z < z4

Proof : Joint decision-making solution Suppose that there are two firms; firm and firm. Social planner will maximize the following U ( W + ( π I z + ( U N ( W πi z + U ( W + ( π I z + ( U N ( W π I z where = ( p ( z ( qp ( z, ( ( ( ( = p z qp z and π ( = + λ FOC for self protection with respect to z ; π π ( U U N U + ( U N + I+ ( U U N U + ( U N I= 0 z z z z FOC for insurance is; π U π U = 0 ( ( N Taylor st order approximation yields as before U N π U U U N π ( I + ( + I+ ( I + ( I= 0 z U z z U U U z For identical agent, U = U = U and U N = U N = U N and since ( ( + λ UN = ( [ + λ] U
( ( ( p z + q qp z = The above equation can be written as ( ( ( p z qp z + M = ( + λ ( + λ Comparing with individual firm's first order condition z p ( z ( qp ( z + M = where M=0 and since < 0. + λ M (

Proof : Utility of firm will be qp ( z p ( z U W + I π z, z I z + ; M = p ( z ( q qp ( z 0 ( A ( ( ( ( ( ( ( + π (, + ( ( C ( π (, p z qp z p z U W I z z I z p z U W z z I z First order condition with respect to z qp ( z ( p ( z U A + p ( z qp ( z ( p ( z U p ( z UC π ( z, z ( + I qp ( z ( p ( z U A + p ( z qp ( z ( p ( z U + ( p( z U C = 0 z First order condition with respect to I ( π ( z, z qp ( z ( p ( z U A + ( π ( z, z p ( z qp ( z ( p ( z U ( p( z π ( z, z U C = 0 Following first order Taylor series approximation, U U ( A + U A I, UC U A + U A( I and U U A + U A( I. From first order condition with respect to I and replacing ( p( z U C in first order condition, ( ( ( ( A ( p z qp z p z U ( I p z U A( I π ( z ( ( ( ( ( ( (, z qp z p z p z qp z p z ( + I U A + U = 0 z π ( z, z π ( z, z Substituting the Taylor approximation, dividing by U, and since, and for symmetric firms, p ( z + qp ( z qp ( z p ( z = ( + λ The equation above can be written as ( ( ( A ( ( ( ( ( π z, z p z qp z p z ( + I [ r ( I ] z π ( z, z + K, where K = > 0 p z qp z p z K = [ + λ] ', where K K qp ( z = > 0 ' z For the individual choice of z earlier K =0.From the previous equation = > 0 K p ( z qp ( z qp ( z p ( z As a result IT security investment with liability is greater than without liability. The equation above can be written as p ( z + q qp ( z K = where K = K qp ( z p ( z > 0. + λ [ ] For the joint choice of z earlier, K =0. Thus, from the last equation z = > 0 K p ( z + q qp ( z qp ( z p ( z IT security investment level with liability is higher than social optimum level of IT security investment without liability.

Proof 3: Generalization to Several Interdependent Firms Proof is omitted due to space limitation. However, proof is available from authors upon request.