Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements

Transcription

1 Maagg Iterdepedet Iformato Securty Rsks: Cybersurace, Maaged Securty Servces, ad Rsk Poolg Arragemets Xa Zhao Assstat Professor Departmet of Iformato Systems ad Supply Cha Maagemet Brya School of Busess ad Ecoomcs Uversty of North Carola at Greesboro Greesboro, NC Phoe: (336) Emal: Lg Xue Assstat Professor Departmet of Maagemet Iformato Systems Fogelma College of Busess ad Ecoomcs Uversty of Memphs Memphs, TN Phoe: (901) Emal: Adrew B. Whsto Hugh Roy Culle Ceteal Char, Professor McCombs School of Busess The Uversty of Texas at Aust IROM, B Uversty Stato Aust, TX Phoe: (512) Emal: abw@uts.cc.utexas.edu 1

2 Maagg Iterdepedet Iformato Securty Rsks: Cybersurace, Maaged Securty Servces, ad Rsk Poolg Arragemets Abstract The terdepedecy of formato securty rsks ofte duces frms to vest effcetly IT securty maagemet. Cybersurace has bee proposed as a promsg soluto to help frms optmze securty spedg. However, cybersurace s effectve addressg the vestmet effcecy caused by rsk terdepedecy. I ths paper, we exame two alteratve rsk maagemet approaches: rsk poolg arragemets (RPAs) ad maaged securty servces (MSSs). We show that frms ca use a RPA as a complemet to cybersurace to address the overvestmet ssue caused by egatve exteraltes of securty vestmets; however, the adopto of a RPA s ot cetve-compatble for frms whe the securty vestmets geerate postve exteraltes. We the show that the MSS provder (MSSP) servg multple frms ca teralze the exteraltes of securty vestmets ad mtgate the securty vestmet effcecy. As a result of rsk terdepedecy, collectve outsourcg arses as a equlbrum oly whe the total umber of frms s small. Keywords: Iformato securty, terdepedet rsks, cybersurace, rsk poolg, rsk maagemet, maaged securty servces 2

3 Itroducto I the etwork ecoomy, product ovato ad value creato are acheved va etworks of frms, operatg o large scales. The scope of formato techology has bee expadg beyod the tradtoal orgazatoal boudares [17; 39]. As a result, formato securty rsks have become trcately terdepedet. For example, ter-orgazatoal formato systems essetally physcally coect frms' IT frastructure va the Iteret ad expose the partcpatg frms to etwork-wde securty rsks. A orgazato's etwork s at rsk f a hacker gas access to ts parter's etwork. Eve frms wthout close busess relatoshps may be logcally terdepedet: Strategc hackers ofte evaluate the securty level of frms ad select ther targets o the bass of whose systems they ca break to quckly wthout beg detected [34]. I these examples, a frm's securty rsks deped ot oly o ts ow securty practces, but also o the securty protectos of others. Frms' securty rsks ca be ether postvely terdepedet or egatvely terdepedet. The securty rsk s defed as the probablty for a frm to have a securty cdet. Postve terdepedecy occurs whe a compay has hgher securty rsks whle other compaes also have hgher securty rsks. For example, a securty threat that mpacts a frm may also fluece the frm's parters va the terorgazatoal formato systems. The hacker who breaks to the frm's etwork may steal sestve data about the parters or peetrate the parters' etworks va the trust coectos. The securty rsks of the frm ad ts parters are thus postvely terdepedet. Wth postve terdepedecy, a frm's securty vestmet ot oly stregthes ts protecto, but also reduces the lkelhood that other frms have securty breaches. The securty vestmets therefore geerate postve exteraltes [20; 31]. Negatve terdepedecy occurs whe a compay has hgher securty rsks whle other 3

4 compaes have lower securty rsks. A typcal example of a egatvely terdepedet securty rsk s a targeted attack. A targeted attack refers to a malware attack amed at oe or a small set of frms. Strategc hackers ofte evaluate the securty level of frms usg varous hackg techques, such as port scas or eavesdroppg, ad select as ther targets frms whose systems ca be broke to quckly wthout detecto [34]. They usually put more effort to attackg systems wth lower securty levels [6]. Accordg to the CSI Computer Crme ad Securty Survey, 22% of respodets reported that ther compaes expereced targeted attacks betwee July 2009 ad Jue 2010 [5]. I ths case, a frm's self-protecto, whle reducg ts ow rsks, potetally dverts hackers to other frms ad thus creases other frms' rsks. Therefore, securty vestmets ths case geerate egatve exteraltes [6]. Because of the etwork exteraltes of securty vestmets, frms ofte vest effcetly from the perspectve of a cetral decso maker who maxmzes the total payoffs of all stakeholders. Researchers from prevous lterature have detfed both the udervestmet ad overvestmet ssues caused by the terdepedecy of securty rsks [6; 20; 31]. Whe the frms' securty vestmets geerate postve exteraltes, a frm's securty vestmets stregthe ot oly ts ow securty but also other frms' securty. Ofte, self-terested frms vest at a level lower tha the optmal level, whch maxmzes the total proft of all frms [20; 31]. Examples of securty vestmets that geerate postve exteraltes clude atvrus software ad frewalls. The stallato of at-vrus software helps prevet vruses from wdely propagatg ad therefore beefts others. However, udervestmet at-vrus protecto s prevalet. A study by McAfee Corp reported that 17% of computers aroud the world had o atvrus protecto stalled or that the at-vrus subscrptos had expred. Furthermore, the U.S. outpaced the average, wth 19 % of computers uprotected, accordg to the data [36]. 4

5 Whe the frms' securty vestmets geerate egatve exteraltes, self-terested frms vest at a level that s hgher tha the optmal level for all frms. Securty measures that are used to defed agast dstrbuted deal of servce (DDoS) attacks, such as cotet cachg ad redudat etwork devces, are more lkely to geerate egatve exteraltes. May e-commerce webstes, for example, prepare for 10 tmes the amout of peak traffc whe desgg ther etworks to defed the DDoS attacks. Such cost of rsk mtgato s farly hgh gve that the possblty of DDoS attack s usually very low [29; 41]. Ths paper exames rsk maagemet solutos to the vestmet effcecy caused by terdepedet formato securty rsks. Cybersurace has bee proposed as a promsg approach to maagg formato securty rsks ad optmzg securty expedtures [12; 31; 42]. Cybersurace s a rage of frst-party ad thrd-party coverage that eables frms to trasfer ther securty rsks to the commercal surace market. Wth cybersurace, frms ca balace ther expedtures betwee vestg securty protectos ad acqurg surace. However, cybersurace s effectve addressg the ssue of vestmet effcecy caused by terdepedet securty rsks [31]. It does ot teralze the exteraltes of securty vestmets ad caot mtgate frms' cetves to udervest or overvest. I addto, the cybersurace market s stll uderdeveloped: Oly a few surers offer cybersurace, ad actuaral data o formato securty, breaches, ad damages s scarce. The ever-chagg ature of securty threats also mpedes the developmet of the thrd-party cybersurace market. The defcecy of cybersurace calls for ew rsk maagemet solutos to address ssues related to formato securty rsks. We cosder two potetal rsk maagemet solutos: rsk poolg arragemets (RPAs) ad maaged securty servces (MSSs). We study whether ad how these solutos ca be used 5

6 to address the vestmet effcecy ad whether the self-terested frms have cetves to adopt these solutos. A RPA s a mutual form of surace orgazato whch the polcyholders are also the owers. Mutual surace was wdely adopted the surace market for medcal malpractce ad mucpal lablty durg the late 1980s [23] ad has sce also bee used other les of surace, such as employee peso ad employee health surace. The tradtoal advatages of a RPA over commercal surace clude tax beefts, reduced overhead expeses, ad flexble polcy developmet [40]. RPAs are dfferet from thrd-party cybersurace terms of rsk trasfer. RPAs ca ever completely elmate the rsks for a dvdual polcyholder. Eve though the rsk pool ca ssue full coverage for the frms' securty losses, each dvdual frm stll bears part of the rsk pool's loss through ts equty posto. Table 1 compares cybersurace ad RPAs. [Please Isert Table 1 Here.] We fd that eve though a RPA edogezes the etwork exteraltes of securty vestmets for frms, the adopto of the RPA s cetve-compatble for frms oly whe securty vestmets geerate egatve exteraltes. The key reaso s that by poolg the rsks of dvdual frms, the RPA duces moral hazard teams, whch refers to frms' reluctace to vest loss preveto whe they ca trasfer securty losses to others [15]. Ths type of moral hazard s show to be desrable whe securty vestmets geerate egatve exteraltes. However, the case of postve exteraltes, moral hazard further reduces the frms' vestmet cetves ad exacerbates the udervestmet problem. The secod soluto s MSSs, or IT securty outsourcg. MSS provders (MSSPs) provde a rage of securty servces, such as securty motorg ad vulerablty assessmets; etwork protecto ad peetrato testg; maaged spam servces; at-vrus ad cotet flterg 6

7 servces; cdet maagemet ad foresc aalyss; data archvg ad restorato; ad o-ste audts ad cosultg [1; 3]. The CSI Computer Crme ad Securty Survey reported that as may as 36% of respodets outsourced part or all of ther computer securty fuctos to MSSPs. I addto, 14.1% of respodets dcated that ther compaes outsourced more tha 20% of ther securty fuctos [5]. The global MSS market s forecasted to more tha double betwee 2011 ad 2015, whe t wll reach $16.8 bllo [18]. We show that MSSs ca address vestmet effcecy caused by both postve ad egatve exteraltes of securty vestmets whe the total umber of frms s small. Usg MSSs wth a servce level agreemet (SLA), frms ot oly delegate the securty operatos but also trasfer ther securty rsks to MSSPs. Because the MSSP collectvely maages the terdepedet securty rsks for multple clet frms, t ca teralze the exteraltes of securty vestmets. However, collectve outsourcg may ot always arse as a equlbrum because of the terdepedet ature of securty rsks. Whe the total umber of frms s large, a dvdual frm ca leverage the MSSP's collectve operatos for others ad receve a hgher payoff by maagg securty -house. Eve f the MSSP s better able to maage securty (.e., s more cost-effcet maagg securty) tha the frms, ths result stll holds. Ths paper characterzes the codto uder whch all frms wll adopt the MSS soluto. Ths paper cotrbutes to the research o alteratve rsk trasfer (ART) solutos. RPAs, as a ART approach, have bee recogzed by practtoers as havg the advatages of reduced overhead expese ad flexble polcy developmet [40]. We fd that, addto to these advatages, RPAs ca serve as a potetal soluto to vestmet effcecy caused by terdepedet securty rsks ad ca optmze frms' securty spedg. Ths fdg helps polcy makers recogze the potetal beeft of RPAs securty maagemet ad gude the 7

8 developmet of polces for the mutual surace dustry. Ths paper also cotrbutes to the lterature o IT securty outsourcg. It has bee well recogzed that frms outsourcg securty servces ca beeft from cost savgs, reduced staffg eeds, broader sklls acqusto, securty awareess, dedcated facltes, lablty protecto, ad roud-the-clock servce [1]. We llustrate that the use of MSSs ca also be justfed from the perspectve of mtgatg the vestmet effcecy caused by rsk terdepedecy. The rest of the paper orgazed as follows: I the ext secto, we revew related lterature o the ecoomcs of formato securty, cybersurace, RPAs, ad MSSs. We the outle the model setup, followed by the aalyss of the cybersurace, RPAs, ad MSSs solutos. We also exted the model to accout for heterogeeous frms. Fally, we draw maageral ad polcy mplcatos ad coclude ths paper wth future extesos. Related Lterature Researchers pror studes o the ecoomcs of formato securty have examed may ssues related to formato securty vestmets [e.g., 14, 16]. Aderso ad Moore [2] dscussed how moral hazard ad adverse selecto dstort frms' cetves to vest formato securty. Gordo ad Loeb [10] developed a ecoomc model to determe the optmal level of vestmet formato securty. Gal-Or ad Ghose [9] examed frms' cetves to share securty formato ad showed that formato sharg ad securty vestmet complemet each other. Kureuther ad Heal [20] characterzed a class of terdepedet securty rsks ad demostrated that frms geerally udervest securty protectos whe ther securty rsks are terdepedet. Our paper complemets ths stream of research by explorg rsk maagemet solutos to the vestmet effcecy assocated wth terdepedet formato securty rsks. 8

9 There s a emergg body of lterature that has examed the use of surace formato securty maagemet. Gordo et al. [12] dscussed the advatages of usg cybersurace to maage formato securty rsks. Ogut et al. [31] used a ecoomc model to exame frms' vestmets securty protectos ad the use of cybersurace the cotext of terdepedet securty rsks. They showed that terdepedece of securty rsks reduces frms' cetves to vest securty techologes ad to buy surace coverage. All of these studes focused o thrd-party commercal cybersurace, whereas ths paper, we propose ad exame two alteratve rsk maagemet approaches to formato securty rsks: RPAs ad MSSs. Pror lterature o rsk maagemet has justfed the exstece of RPAs from varous perspectves. For example, the mutual form of surace orgazato s more effcet whe the dstrbuto of rsks prevets depedet surers from usg the law of large umbers to elmate rsks [8; 25]. The mutual form of surace ca also address the coflcts of terest betwee surers ad polcyholders because polcyholders themselves are the owers of a mutual surer [7; 26; 27]. Moreover, mutual surers ca coexst wth depedet surers as a result of the adverse selecto of rsk-averse polcyholders [23]. Ths paper complemets these studes by llustratg the use of mutual surace to edogeze etwork exteraltes of securty vestmets. Our work s also related to pror work o cotractg IT outsourcg, especally IT securty outsourcg. Rchmod et al. [33] aalytcally characterzed the codtos uder whch a orgazato outsources ts software ehacemets, cosderg formato asymmetry ad dfferet proft-sharg rules. Whag [45] proposed a cotract for outsourcg software developmet that acheves the outcome of -house developmet. Wag et al. [44] characterzed 9

10 the effcecy loss resultg from vestmet exteraltes for both -house software developmet ad outsourced custom software developmet. Se et al. [37] proposed a dyamc, prorty-based, prce-pealty scheme for outsourcg IT servces ad foud that t s more effectve tha a fxed-prce approach. IT securty outsourcg has ot receved adequate research atteto utl recetly. Alle et al. [1], Axelrod [3] ad McQulla [25] provded orgazatos wth geeral gudace to help them kowledgeably egage MSSPs. Gupta ad Zhdaov [13] aalytcally explaed the growth ad sustaablty of MSSP etworks ad foud that the tal vestmet s crtcal determg the sze of MSS etworks wth postve exteraltes. I ther settg, the ssue of free-rdg ever occurred. Our paper exames the use of MSSs to address terdepedet formato securty rsks that ofte lead to free-rdg. Hu et al. [16] examed both a MSSP ad ts clets' equlbrum effort decsos whe rsk terdepedecy arose amog the MSSP's clets. I our paper, frms' securty rsks are terdepedet eve though frms do ot use a MSSP. Lee et al.[17] proposed a mult-lateral cotract to solve the double moral hazard ssues betwee the clet frm ad the MSSP. Our paper complemets ths stream of research by examg the use of IT securty outsourcg to address the vestmet effcecy caused by terdepedet formato securty rsks amog frms. Model We cosder rsk-averse frms. Each frm has a tal wealth A. All frms have a detcal payoff fucto U., where U. satsfes the codtos that U. 0 ad U. 0 (.e.,. U s cocave). The assumpto of a creasg ad cocave utlty fucto s cosstet wth the lterature o rsk maagemet (e.g., [22; 24; 35; 38]). Frms vest securty protecto to safeguard ther formato assets. As we dscussed the Itroducto, 10

11 securty vestmets ofte geerate etwork exteraltes. The breach probablty for a dvdual frm, frm, s affected ot oly by ts ow securty vestmet, but also by the securty vestmets of others. We let x, X be frm 's breach probablty, where represets frm 's securty vestmet, ad where X x,..., x, x,..., x represets the other 1 frms' securty vestmets. A frm loses L a securty breach. Frm 's expected payoff ca be represeted by x, X U A L x 1 x, X U A x. It s assumed that the vestmet cost s lear the vestmet level. I partcular, the vestmet cost s equal to the vestmet level. The qualtatve sghts stll hold f the vestmet cost s a creasg ad covex fucto of the vestmet level. A frm's securty vestmet decreases ts breach probablty ad the vestmet exhbts a dmshg margal retur reducg the breach probablty. That s, x X 2 x, X x X 2 x, 0 ad x, X x, 0. The assumpto about the declg margal retur of the securty vestmet s cosstet wth the CERT cdet data [30] ad s wdely used the lterature o securty maagemet (e.g., [4; 10; 11]). We cosder two types of etwork exteraltes: postve exteraltes ad egatve exteraltes. I the case of postve exteraltes, a frm's securty vestmet, whle decreasg ts breach probablty, also decreases the breach probablty of other frms (.e., xj, X j x, X 0, j). I the case of egatve exteraltes, a frm's securty j j x vestmet creases the breach probablty of other frms (.e., x X xj, X j, 0, j j x x j). Table 2 summarzes ad compares the features of dfferet etwork exteraltes. [Please Isert Table 2 Here.] 11

12 Although frms' securty rsks are terdepedet, a frm's securty vestmet geerally has a greater effect o ts ow securty tha o other frms' securty. We therefore assume that: I addto, we assume that x, X x, X, j. (1) j j j1... j xj, X j 0. (2) Codto (2) requres that the secod-order effect of a frm's securty vestmet o ts breach probablty domates the aggregate secod-order effect of other frms' vestmets o ts breach probablty. These codtos reflect the realty that, eve though securty rsks are terdepedet cyberspace, a frm's securty vestmet s stll a effectve strategy for self-protecto. Thrd-Party Cybersurace We establsh the bechmark case whch frms use cybersurace to cover ther securty rsks. We assume that frms ca buy a surace polcy from the cybersurace market to cover ther securty losses. I practce, before ssug surace polces, surace compaes ofte formally audt the clet frms to esure that frms take proper actos to protect themselves. Therefore, we assume that the securty vestmet s observable to the surers. The same assumpto has bee used the lterature [31]. The tmg of evets s as follows: (1) Each frm chooses ts securty vestmet x, 1 ; (2) each frm purchases cybersurace wth coverage I, 1 from thrd-party surers; ad (3) the securty losses are realzed ad the surace compesatos are made. I ths paper, we cosder a mature surace market whch frms are charged a 12

13 actuarally far premum. Whe frm purchases a surace polcy wth coverage I, the surace premum s, P x X I. Frm 's optmzato problem ca be represeted by: max x, X U A L I x, X I x 1 x, X U A x, X I x (3) I, x Accordg to the frst-order codto (FOC) w.r.t. e I, we get I L, where the superscrpt e deotes the cybersurace-oly case. Eq. (3) ca be smplfed as: max U A x, X L x. (4) x I the symmetrc case, we have e e x, X 1, where L e x represets frm 's equlbrum e e e e e securty vestmet ad X x1,..., x 1, x 1,..., x. To evaluate the vestmet effcecy, we compare the frms' vestmet levels the cybersurace-oly case wth the optmal vestmet level. The optmal vestmet level s defed as the securty vestmet level whe all frms jotly maxmze ther total payoffs. It s equvalet to the case that a cetral decso maker maxmzes the jot payoff ad determes the vestmet levels for all frms. We ext exame the cetral decso maker's problem: x X U A L I x X I x x X U A x X I x (5) max,, 1,,. s I, x 1 Aga, accordg to the frst-order codto (FOC) w.r.t. I, we get I o L, 1..., where the superscrpt o deotes the cetralzed case. Eq. (5) ca be smplfed as U A x X L x (6) max,. s I, x 1 The FOC of Eq. (6) w.r.t. x s: 13

14 U A x, X L x x, X L 1 U A x, X L x x, X L 0. j j j j j j1, j 1, 1,, where L o o o o I the symmetrc case, we have x X x j X j the optmal level of securty vestmet for frm the cetralzed case, ad o x represets X x,..., x, x,..., x. x o o o o o e I the case of egatve exteraltes, because x X o x. I the case of postve exteraltes, because x, X 0, 0 ad xj, X j 0, we get ad xj X j, 0, we e o get x x. Therefore, the frms overvest whe the securty vestmets geerate egatve exteraltes ad udervest whe the securty vestmets geerate postve exteraltes. I the cybersurace-oly case, we fd that whe securty vestmets geerate egatve (postve) exteraltes, frms purchase full surace (.e., e I L) ad vest more (less) tha the optmal level. These results are le wth the fdgs the exstg lterature [20; 31]. Eve though commercal cybersurace ca hedge frms' rsks, t caot teralze the exteraltes of securty vestmets ad therefore s capable of resolvg ether the overvestmet or udervestmet ssues. A fe for lablty has bee proposed to address the vestmet effcecy ssues caused by the terdepedet securty rsks. Ths mechasm requres the lable frm to compesate the loss that t causes to other frms. As a result, a self-terested frm wll cosder the mpact of ts vestmet o other frms' securty [20; 31]. However, a fe for lablty betwee frms s dffcult to eforce. Because the Iteret has o clear deleato of jursdcto, the mposto of lablty across coutres by eforcemet powers (e.g., govermets, regulatory ageces, or trade assocatos) s extremely costly, f ot mpossble. We ext exame other rsk maagemet approaches RPA or MSSs that ca be 14

15 used to address the vestmet effcecy caused by rsk terdepedecy. Rsk Poolg Arragemets I ths secto, we exame the use of RPAs addressg terdepedet rsks. We use q 0,1 to deote the rato of loss covered by the rsk pool. Whe a frm suffers a securty loss of L, the mutual surer compesates the frm ql. Because the frms are the equty holders of the mutual surer, the total securty losses collected by the mutual surer are the shared equally amog all the frms. If q 1, the frms trasfer oly partal losses to the mutual surer. If q 1, the RPA provdes full coverage to the frms, but each frm stll retas part of the rsk because of ts equty posto. The tmg of evets s as follows. (1) frms cooperatvely choose q ; (2) gve q, each frm chooses ts securty vestmet x, 1... ; (3) each frm purchases cybersurace wth coverage I, 1..., from thrd-party surers; ad (4) the securty losses are realzed, ad the compesato stemmg from both cybersurace ad the RPA s receved. The compesato from a RPA s modeled as follows [22]. Assume that k frms out of 1 frms (excludg frm ) suffer a securty loss L. If frm also suffers a loss L, each of the other 1 k frms shares ql for frm. Cosequetly, frm bears oly a loss of 1 k ql L total. If frm does ot suffer ay loss, t shares ql for each of the k frms that suffer a loss. As a result, frm has to compesate kql total to the k frms. Whe the RPA does ot cover all the rsks, frms ca purchase thrd-party cybersurace addto to usg a RPA. The prcple of demty 1 requres that the cybersurace coverage 1 The prcple of demty s a surace prcple statg that a sured may ot be compesated by the surace compaes 15

16 satsfes the costrat that I ql L ; that s, the total surace compesato from both the RPA ad the cybersurace caot exceed the total loss. I the symmetrc case, frm 's expected payoff ca be represeted by: 1 1k ql max x, X b k, 1, U A L I x, X I x q, x, I k 0 1 kql 1 x, X bk, 1, U A x, X I x, k 0 s. t. I 1 q L, where x, X represets the breach probablty for frm k k k k k subscrpt k the symmetrc case. The fucto 1! k 1! 1 k!. We drop the k b k, 1, 1 deotes the bomal probablty that k out of 1 frms have securty breaches. Proposto 1 characterzes the complemetary relatoshp betwee the RPA ad the cybersurace. Proposto 1 Whe frms use both a RPA ad thrd-party cybersurace, we have k I (1 q) L. That s, f the rsk pool does ot provde full coverage, frms wll buy thrd-party surace to cover the resdual rsks. 2 Proposto 1 shows that rsk-averse frms always choose to hedge agast all rsks. If the rsk pool covers oly part of a frm's rsks (.e., q 1), the frm wll use the cybersurace to cover the resdual rsks. Thus, frm 's expected payoff ca be represeted by: a amout exceedg the sured's ecoomc loss. Therefore, a frm s ot allowed to purchase surace coverage from multple surers resultg a amout of compesato or payout that s hgher tha the total ecoomc loss [35]. 2 The proofs of lemmas ad propostos are avalable upo request. 16

17 1 1 k ql max x, X b k, 1, U A x, X 1qL x qx, k 0 1 kql 1 x, X b k, 1, U A x, X 1 ql x. k 0 (7) Whe a frm uses oly cybersurace, t purchases full coverage ( I L) ad completely trasfers ts rsks to the cybersurace market. However, f frms adopt a RPA, they stll reta part of the rsks because they are equty holders of the rsk pool (.e., the mutual surace etty). Presumably, a rsk-averse frm always wats to mmze ts rsk exposure ad prefers the thrd-party cybersurace to the RPA. However, the cotext of terdepedet securty rsks, cybersurace may ot be superor because t caot address etwork exteraltes of securty vestmets. The questo s whether, gve terdepedet securty rsks, frms have a cetve to use RPAs as a complemet to cybersurace. We show ext that the RPA soluto s cetve-compatble for frms the case of egatve exteraltes but ot the case of postve exteraltes. Negatve Exteraltes We frst exame how the use of a RPA addto to cybersurace flueces frms' securty vestmets ad payoffs whe egatve exteraltes exst. Proposto 2: Whe securty vestmets geerate egatve exteraltes, frms vest less securty the case wth both a RPA ad cybersurace tha the case wth cybersurace oly. The uderlyg sghts of Proposto 2 are as follows. Whe q 0, a frm uses cybersurace oly ad purchases full surace. Cosderg the margal effect of q o a x frm's vestmet at q 0, we have q q0 0. That s, a dvdual frm vests less 17

18 securty protectos f all frms collectvely set up a rsk pool ad allocate a very small proporto of rsk to the pool. The use of a RPA flueces a frm's vestmet cetves through two effects. The frst s the teralzato effect. Frms essetally share ther securty losses wth oe aother va the RPA. Because a dvdual frm bears other frms' losses, t takes to cosderato the egatve effect of ts securty vestmets o others ad thus vests less. The secod s the moral hazard effect. The RPA allows a frm to trasfer ts securty loss to others, whch also dampes the frm's vestmet cetves (.e., a frm would lke to free rde o other frms because of moral hazard teams [15]). I the case of egatve exteraltes, frms have excess cetves to vest securty. The moral hazard effect helps mtgate the overvestmet cetve ad hece stregthes the teralzato effect. Therefore, frms vest less securty protectos whe they partcpate a RPA. Proposto 3: Whe securty vestmets geerate egatve exteraltes, partcpatg a RPA (.e., q 0 ) s cetve-compatble for dvdual frms. Proposto 3 geerates a mportat mplcato: Whe frms overvest because of the egatve exteraltes of ther securty vestmets, they have the cetves to adopt a RPA as a complemet to the thrd-party cybersurace. I other words, dvdual frms are wllg to pool ther securty rsks usg a RPA addto to purchasg cybersurace. To better expla ths cetve compatblty, we derve the margal effect of q o frm 's expected payoff whe q 0 : 1 1 q0 U A x, X L x x, X L U A x, X L x x, X L L q (8) x, X x j U A x, X L x L j1, j xj q 18

19 The frst term of Eq. (8) represets the margal beeft that a frm receves from the reduced cybersurace premum. Whe the coverage of the rsk pool, q, creases, a frm ca purchase less cybersurace coverage I ad thus pay a lower premum I to the commercal surer. The secod term of Eq. (8) represets the margal loss that a frm curs 1 from beg exposed to the rsks wth the rsk pool. I partcular,, represets the x X L 1 margal loss that a frm curs from retag ts ow securty damage, ad L represets the margal loss that a frm curs from compesatg others the rsk pool. The thrd term of Eq. (8) represets the margal effect of other frms' securty vestmets o the frm's payoff. The frst two terms cacel out a symmetrc equlbrum. Because U A x, X L x 0, x, X x j x j x, X 0, ad q 0, the thrd term (cludg the egatve sg) s postve, whch meas that the frm beefts from the reduced vestmets of others. The overall margal effect of q o the frm's expected payoff s postve (.e., 0 q q0 ); thus, frms always have a cetve to set up a rsk pool whe the securty vestmets geerate egatve exteraltes. Note that the fdgs Propostos 1 through 3 do ot deped o the fuctoal forms of the utlty fucto U. ad breach probablty fucto (.), as log as U. ad (.) satsfy the codtos specfed the secto of model setup. Because the aalytcal solutos of the -frm game wth a RPA are tractable, we use umercal examples to llustrate the equlbrum pool coverage, the equlbrum vestmet, ad the frms' payoffs gve. I the umercal examples, we assume that the securty vestmets are addtve [18]. I partcular, x, X exp 2x b k1.., kxk fucto esures that x, X 0 ad x X. Ths breach probablty, 0. The degree of etwork exteraltes 19

20 s captured by b, wth b 0 for the case of egatve exteraltes, b 0 for the case of postve exteraltes, ad b 0 for o exteraltes. Ths fucto form of breach probablty cely captures the terdepedet ature of securty vestmets. For the case of egatve exteraltes, b. Ths value esures that xj, X j 0, j xj X j we let 1 15 x, X x, X, ( j ) j j, ad j j xj X j s less tha 15. I the umercal example, we let A 8, 6 llustrato. 3, 0, 1..., 0 whe the total umber of frms [Please Isert Fgure 1 Here.] L, ad U w ww 20 for Fgure 1(a) compares a dvdual frm's securty vestmets the cybersurace-oly case, the RPA case, ad the optmal case whe securty vestmets geerate egatve exteraltes. Whe the umber of frms creases, the securty vestmet of a dvdual frm becomes less effectve because of the hgher egatve aggregate effect of other frms' securty vestmets. A hgher level of securty vestmet s desrable to cacel out ths aggregate effect. Therefore, the securty vestmets the optmal case ad the cybersurace case are creasg. The hgher egatve effect wth larger also leads to a wder gap betwee the optmal vestmet ad the vestmet the cybersurace-oly case. Specfcally, as the umber of frms creases, each dvdual frm's securty vestmet the cybersurace-oly case further devates from the optmal level. RPAs ca effectvely mtgate frms' overvestmet cetves. A dvdual frm's securty vestmet s sgfcatly lower the RPA case tha the cybersurace-oly case. Relatve to the vestmet the cybersurace-oly case, the 3 We also examed other parameter values (A ad L ) for the payoff fucto ad other payoff fucto forms ad foud that the sghts hold qualtatvely. 20

21 vestmet the RPA case comes closer to the optmal level. Fgure 1(b) compares the frm's expected payoffs the cybersurace-oly case, the RPA case, ad the optmal case. The curves show that relatve to the cybersurace-oly case, the frm's expected payoff the RPA case s much closer to the optmal payoff. Fgure 1(c) llustrates the optmal rato of loss that frms allocate to the rsk pool. The proporto of the loss allocated to the rsk pool creases as the umber of frms the pool creases. Whe the umber of frms creases, frms have more cetves to overvest because of the hgher egatve aggregate effect of securty vestmets by other frms. Frms allocate more rsks to the rsk pool to better leverage the teralzato ad moral hazard effects ad to mtgate overvestmet. Fgure 1 thus llustrates that a RPA s a effectve soluto to the vestmet effcecy caused by the egatve exteraltes of securty vestmets. Postve Exteralty The precedg subsecto demostrates that whe securty vestmets geerate egatve exteraltes, frms wll set up a rsk pool ad use t to cover a postve proporto of rsks. RPAs help address frms' overvestmet cetves through the teralzato ad moral hazard effects. Whe securty vestmets geerate postve exteraltes, do frms stll have a cetve to set up a RPA? Proposto 4 provdes some sghts o the frms' vestmet cetve wth a RPA. Proposto 4: Whe securty vestmets geerate postve exteraltes, frms vest less securty the RPA case (as compared wth the cybersurace-oly case) f the rsks covered x the RPA are suffcetly small (.e., q q0 0 ). x I the case of postve exteraltes, we have q q0 0. Aga, a frm vests less securty 21

22 protectos f frms set up a rsk pool ad allocate a very small proporto of rsk to the pool. The postve exteraltes of securty vestmets lead to suffcet vestmet cetves for frms. Eve though the teralzato effect helps mtgate the udervestmet cetve, the moral hazard effect dampes frms' vestmet cetves ad udermes the capablty of RPAs to teralze the postve exteraltes. The moral hazard effect always domates over the teralzato effect. Therefore, whe a RPA s used addto to cybersurace, frms have eve fewer cetves to vest. Proposto 5 sheds lght o frms' cetves to set up a rsk pool for postvely terdepedet securty rsks. Proposto 5: Whe securty vestmets geerate postve exteraltes, a RPA s ot a cetve-compatble soluto for dvdual frms f t s used to cover oly a small proporto of the rsk (.e., q q0 0). To uderstad Proposto 5, we exame Eq. (8) the cotext of postve exteraltes. As the case wth egatve exteraltes, the frst two terms of Eq. (8) cacel out. Because U A x, X L x 0, x, X x 0, ad q 0, the thrd term (cludg the egatve j x j sg) s egatve. Therefore, Eq. (8) s egatve overall. Thus, usg a rsk pool to cover a small proporto of rsks decreases a dvdual frm's expected payoff. Therefore, frms have o cetve to set up a rsk pool for a small proporto of rsks. The questo, the, s whether frms have a cetve to set up a RPA wth a large coverage. Because the close-form soluto of q ths mult-player game s tractable, we used a umercal approach to search for the possblty that frms are wllg to adopt a RPA. I our search, we used a seres of expoetal breach probablty fuctos, x, X exp x b k1.., kxk. The expoetal fucto esures that the value of breach probablty s always betwee 0 ad 1 for a postve amout of 22

23 securty vestmets. We let 1,2,...,10, whch represets dfferet degrees of covexty of the breach probablty fucto. The total umber of frms,, rages from 2 to 30. We let b, , whch esures that the exteralty s postve. I addto, the aggregate mpact of others' securty vestmets s lower tha that of the frm's ow securty vestmet. Three creasg ad cocave payoff fuctos are examed. They are U w w ww 20, ad U w log w 1 U w exp 1,, whch represet dfferet degrees of cocavty of the frms' payoffs. We dd ot fd ay parameter space whch frms have a cetve to set up a rsk pool. Therefore, the cetve-compatblty of the RPA soluto s dffcult to acheve the case wth postve exteraltes of securty vestmets. Maaged Securty Servces (MSSs) I the prevous secto, we showed that the effectveess of RPAs depeds o the ature of securty rsks. The RPA soluto s effectve addressg overvestmet ssues assocated wth egatvely terdepedet rsks. However, t caot address the udervestmet ssues assocated wth postvely terdepedet rsks. I ths secto, we exame a dfferet securty maagemet soluto: MSSs (or securty maagemet outsourcg). We frst assume that the MSS provder (.e., the MSSP) has the same level of securty expertse as the frms. Ths assumpto eables us to hghlght the sght that the use of MSSs ca be justfed from the perspectve of rsk terdepedecyot o the bass that the MSSP s more cost-effcet tha the clet frms. We later exted the aalyss ad study the case that the MSSP has a cost advatage. If a frm uses MSSs, t pays a fxed fee, deoted by t, to the MSSP. We refer to the frms usg MSSs as the member frms ad the frms ot usg MSSs as o-member frms. I practce, 23

24 a SLA s ofte used to esure that the MSSP assumes accoutablty for the securty loss ad maages the securty for the member frms' beefts. I ths paper, we assume that the SLA specfes the compesato level that the MSSP pays to a member frm f the latter suffers a securty loss. We deote the compesato level as d. The tmg of evets s as follows. (1) The MSSP aouces the servce fee, t; (2) frms decde whether or ot to use the MSSs; (3) the MSSP vests securty protectos for the member frms, ad the o-member frms obta the expected reservato payoff, U s ; ad (4) the securty losses are realzed ad the compesatos are made accordg to the SLAs. Because frms are homogeeous, we focus o the symmetrc case whch all frms choose the same strateges. The MSSP's problem ca be formulated as: max t x, X d x m d,, t x 1 s. t. x, X U A L d t 1 x, X U A t U s (9) Costrat (9) esures that a frm has a hgher payoff whe outsourcg securty maagemet to the MSSP tha whe t maages securty -house ad acheves the reservato payoff. Lemma 1 characterzes the optmal compesato level that the MSSP wll establsh. Lemma 1: The loss compesato d satsfes that d L. Whe a member frm has a securty breach ad losses L, the MSSP compesates the frm to the level of d. Because the member frms are rsk averse but the MSSP s rsk eutral, the MSSP s wllg to provde full surace to the member frms. As a result, the member frms trasfer all securty rsks to the MSSP. I ths regard, the MSSP serves as a thrd-party surer addto to a professoal servce provder [1]. Ths s cotrast to the RPA, wth whch each member frm has to share 1 of the total loss. 24

25 Usg the result Lemma 1, the MSSP's problem ca be smplfed as: t x X L x (10) max, m tx, 1 s. t. U A t U Proposto 6 gves the MSSP's vestmet decsos for the member frms. Proposto 6: Whe all dvdual frms collectvely outsource ther securty maagemet to the MSSP, the MSSP makes the securty vestmet at the optmal level. Collectve outsourcg occurs whe all frms outsource ther securty maagemet to the MSSP. Proposto 6 shows that collectve outsourcg, vestmet effcecy caused by rsk terdepedecy s addressed: The MSSP makes the securty vestmet at the optmal level for all member frms. The optmal level s acheved because the vestmet decso makg s shfted to oe etty, so that etwork exteraltes are completely teralzed. As a result, the vestmet effcecy s elmated. Sustaablty of Collectve Outsourcg Although collectve outsourcg ca lead to optmal securty vestmets (made by the MSSP), whether ths soluto s cetve-compatble to dvdual frms s stll uclear. The questo s ths: Whe all other frms use MSSs, does a dvdual frm have the cetve to defect from usg the MSSs? Whe a frm defects, t has to maage securty -house, but t ca stll use cybersurace to hedge agast ts securty rsks. The payoff of the defectg frm ca be cosdered as a frm's reservato payoff (outsde opto) whe decdg o whether to use MSS s (.e., U s ). We ext exame whether collectve outsourcg s sustaable as a equlbrum for dvdual frms. For aalyss tractablty, we aga assume that the securty vestmets are addtve [18]. I partcular, x, X px b k1.., kxk, where p s a decreasg ad 25

26 covex fucto, p. 0, ad p. 0. Ths breach probablty fucto esures that. 0 ad. 0. I the case of egatve exteralty, let 0 I the case of postve exteralty, let 0 b. Ths esures. 0. b. Ths esures Suppose that a frm defects but that the other -1 frms stll outsource ther securty maagemet to the MSSP. The defectg frm's payoff s d U A p x d b 1 x md L x d, where. 0. d x represets the defectg frm's securty vestmet level ad md x represets the MSSP's vestmet level for a member frm whe a frm defects. Let Us d. The MSSP's problem ca be represeted as d m max t px b xk L x tx, 1 k1, k (11) d md d s. t. U At U A p x b 1 x L x (12) Costrat (12) s a dvdual ratoalty (IR) costrat esurg that a frm has a hgher payoff whe usg MSSs tha whe maagg securty -house ad purchasg cybersurace. Ths costrat requres that the MSSP establshes a fee that would ot result member frm defecto. Lemma 2 characterzes the optmal servce fee that the MSSP charges. Lemma 2: The optmal servce fee charged by the MSSP satsfes that t p x d b 1 x md L x d. The MSSP profts from the servce fee. A for-proft MSSP charges a servce fee that s as hgh as possble to maxmze ts proft, whle stll esurg that frms are wllg to use the MSS. Suppose a frm defects. The total expected cost for IT securty for the defectg frm s 26

27 d md d p x b 1 x L x (.e., the cybersurace premum plus the securty vestmet). The maxmum servce fee for the MSSs s therefore equal to the expected total securty cost of the defectg frm, so that ay frm s dfferet betwee defectg or ot. Accordg to Eq. (11) ad Lemma 2, the MSSP's proft s d d 1 md d 1 1 o o. m p x b x L x p b x L x For collectve outsourcg to be vable, the MSSP must charge a fee that ca cover ts servce cost. To derve addtoal sght, we use a geeral expoetal breach probablty (.e., exp y ) to compare betwee the servce fee (.e., 1 p y the servce cost (.e., 1 1 o o p b x L x d md d p x b x L x ) ad ). Proposto 7 characterzes the codto uder whch collectve outsourcg s sustaable as a equlbrum. Proposto 7: All frms are wllg to outsource ther securty maagemet f: b 1 1b b b b b 1 1 l Whe the codto Proposto 7 holds, the expected securty cost curred by a defectg frm (.e., 1 d md d p x b x L x ) s hgher tha the servce cost curred by the MSSP for each member frm collectve outsourcg (.e., 1 1 o o p b x L x ). Accordg to Lemma 2, the MSSP charges a fee equal to a defectg frm's securty cost. Ths servce fee ot oly esures that all frms have cetves to use MSSs but also yelds a postve proft for the MSSP. Therefore, the equlbrum of collectve outsourcg usg MSSs s sustaable whe the codto Proposto 7 holds. The sustaablty of collectve outsourcg, although achevable wth a small umber of 27

28 frms, becomes creasgly dffcult to acheve as the umber of frms creases. Whe the umber of frms s larger, a dvdual defectg frm gas more from the MSSP's collectve operatos. I the case of egatve exteraltes, a larger umber of frms provdes the MSSP wth more cetves to reduce the securty vestmet to address the overvestmet ssue for each member frm, makg t easer for a defectg frm to beat the MSSP securty vestmet ad drve hackers away. I the case of postve exteraltes, a larger umber of frms duces the MSSP to crease the securty vestmet to address the udervestmet ssue for each member frm, makg t easer for a defectg frm to free-rde. Therefore, a dvdual frm s more lkely to defect, ad the reteto of all member frms s the more dffcult for the MSSP. As a result, there s a maxmum umber of frms wth whch the MSSP ca duce all frms to use the MSSs ad address the vestmet effcecy. Fgure 2 demostrates the maxmum umber of frms for whch a sustaable equlbrum exsts, gve the degree of etwork exteraltes, b. [Please Isert Fgure 2 Here.] The crease the degree of etwork exteraltes geerates two coutervalg effects o frms' cetves to defect. I the case of egatve exteraltes ( b 0), whe the degree of etwork exteraltes s hgher ( b s smaller), the advatage of the MSS soluto teralzg exteraltes of the securty vestmets s more evdet, ad a frm s more wllg to use the MSSs. O the other had, a frm also beefts more f t devates from usg the MSSs. Ths s because hgher egatve exteraltes duce the MSSP to vest less aggressvely, ad, as a result, t s easer for a defectg frm to beat the MSSP securty vestmet ad drve hackers away. A dvdual frm s thus less wllg to pay for MSSs, forcg the MSSP to lower the servce fee. The fee that the MSSP ca charge depeds o the tradeoff betwee these two effects. As a result, the maxmum umber of frms that esures a sustaable equlbrum s frst 28

29 creasg b ad the decreasg b. Whe the securty vestmets geerate postve exteraltes (.e., b 0), the defectg frm ca free-rde o the MSSP's collectve securty operatos for member frms. As a result, the MSSP has to keep the servce fee low to reta the member frms. Whe the umber of frms s larger, the beeft of free-rdg s hgher, ad the servce fee that the MSSP charges caot cover the expected cost of servg a frm. As a result, collectve outsourcg to the MSSP s a sustaable equlbrum oly whe 2. It s worth otg that whe securty vestmets geerate postve exteraltes ad the MSSP s more cost-effcet, the maxmum umber of frms a sustaable equlbrum may be hgher tha two, as s llustrated the ext secto. Whe b 0, the frms' securty rsks are depedet, ad securty vestmets have o exteraltes. The servce fee that the MSSP charges s equal to the securty cost that the MSSP curs to serve a member frm. As a result, the MSSP always makes zero proft (.e., the codto Proposto 7 ever holds). Ths case s a trval oe. MSSP's Cost Effcecy The prevous aalyss presets a coutertutve result: Eve though the MSSP servg all frms vests at the optmal level ad frms all beeft from securty outsourcg, collectve outsourcg to the MSSP mght ot arse as a equlbrum. Ths pheomeo occurs because a frm, eve after defectg, mght drectly beeft from the MSSP's securty operatos, resultg a hgher payoff for the frm tha actually usg the MSSs. As a result, the MSSP caot charge a fee that sustas collectve outsourcg ad results a proft. I practce, the MSSP s ofte more capable of maagg securty because of ts better techology, more expereced staff, ad hgher operatoal effcecy. A major reaso for whch dvdual frms outsource securty maagemet s to leverage the MSSP's cost effcecy [1; 3]. 29

30 I ths subsecto, we exame how the MSSP's cost advatage s weakeed by etwork exteraltes of securty vestmets. We assume that the MSSP curs a vestmet cost, where 0,1 captures the level of cost effcecy. Whe 1, the MSSP has the same level of cost effcecy as dvdual frms; as decreases, the MSSP becomes more cost-effcet tha dvdual frms. The MSSP's problem ca be represeted as: max t px b x L x tx, k 1 k1, k d md d s. t. U A t U A p x b 2 x L x. 30 x, Proposto 8 presets the codto uder whch collectve outsourcg arses as a equlbrum whe the MSSP s more cost-effcet tha dvdual frms. Proposto 8: Whe the MSSP s more cost-effcet tha dvdual frms 0 1, all frms decde to outsource ther securty servces f: 1 b 1 b 1 b 1 1 b l b 1 1 b b b b L l l 0. Whe the MSSP s more cost-effcet tha dvdual frms ( 0 1), the maxmum umber of frms yeldg a collectve outsourcg equlbrum depeds o the level of cost effcecy ( ), addto to the degree of etwork exteraltes ( b ). Fgure 3 llustrates the maxmum umber of frms wth whch collectve outsourcg arses as a sustaable equlbrum, gve the level of cost effcecy. Smlar to the degree of etwork exteraltes, cost effcecy affects the frms' defecto cetves through two coutervalg effects. O the oe had, a more effcet MSSP ( s smaller) s more capable of maagg the securty rsks tha are dvdual frms. Therefore, a dvdual frm s more wllg to use the MSSs. Ths s the

31 cost-effcecy effect. O the other had, a defectg frm beefts more by takg advatage of the MSSP's collectve securty maagemet whe the MSSP s more cost-effcet. Ths effect decreases a frm's wllgess to pay for the MSS. Ths s the defecto effect. Fgure 3 llustrates the maxmum umber of frms a sustaable equlbrum whe the MSSP s more cost effcet. It shows that whe the securty vestmets geerate postve exteraltes ( b 0.1), the maxmum umber of frms a collectve outsourcg equlbrum s frst creasg ad the decreasg. Whe the securty vestmets geerate egatve exteraltes ( b 0.1), the cost-effcecy effect domates the defecto effect whe the MSSP's cost-effcecy s hgh ( s small). Therefore, collectve outsourcg s more lkely to arse (.e., all frms are wllg to use the MSS) whe s small. 4 However, whe s large eough (.e., the MSSP s less cost-effcet), the cost-effcecy effect s weakeed ad the maxmum umber of frms decreases to two. Heterogeeous Frms [Please Isert Fgure 3 Here.] I ths paper, we follow the classc lterature o rsk poolg ad focus o ex ate homogeeous frms. I ths secto, we exted the model ad dscuss the case that frms have heterogeeous securty losses. I partcular, we assume that there are two types of frms: type-1 frms ad type-2 frms. I a securty breach, a type-1 frm loses L 1, ad a type-2 frm loses L 2, where L L. Let the total umbers of type-1 frms ad type-2 frms be 1 ad 2, respectvely. We 1 2 have Whe b 0.1, the total umber of frms must be o more tha 10 to esure that x b x k 1.., k k 0. 31

32 Whe frms use cybersurace oly, we ca verfy that a frm stll overvests whe the securty vestmets geerate egatve exteraltes, ad udervests whe the securty vestmets geerate postve exteraltes. We ext exame frms' securty vestmets ad expected payoffs the RPA case. The expected payoff of a type-1 frm ca be represeted by:, 1, b j,, 11 2 k0 j x, X 1 k j q L U A L1 I x X I x s t I q L b k 1 1,, 1, b j,, 11 2 k0 j0b k x, X, kq1 L1 jq2l U A x, X I x Ad, the expected payoff of a type-2 frm ca be represeted by:,, b j, 1, 1 21 k0 j x, X 1 k j q L U A L2 I x X I x s t I q L , b k 2 2,,, b j, 1, 1 21 k0 j0b k x, X, kq1l 1 jq2l U A x, X I x where q1 q 2 s the rato of loss covered by the rsk pool for type-1 frms (type-2 frms). Sce the RPA s a mutual surace orgazato ad the partcpatg frms equally share the loss as equty holders, the RPA covers the same amout of loss for all frms. We therefore focus o the case that q1l 1 q2l2. Dfferetatg j w.r.t. j j I, we get I 1 q j Lj where j 1,2. The expected payoffs for type-1 ad type-2 frms are, respectvely: 32

33 , 1, b j,,, 1 b k 11 2 k0 j x, X k j U A q1l1 x X q1 L1 x, 1, b j,,, 1 b k 11 2 k0 j x, X, k j U A q1l1 x X q1 L1 x,, b j, 1,, 1 b k 1 21 k0 j x, X k j U A q1l1 x X q2 L2 x,, b j, 1,, 1 b k 1 21 k0 j x, X. k j U A q1l1 x X q2 L2 x Sce the aalytcal solutos to the case wth heterogeeous frm are tractable, we use umercal examples to llustrate the equlbrum securty vestmets, the frms' payoffs, ad the equlbrum pool coverages. Smlar to the umercal examples the secto of rsk poolg arragemets, we assume x, X exp 2x b k1.., kxk ww 20 U w 1, where b ad. I addto, we let A 8, L1 6, ad L2 4. We assume that type-1 frms accout for about oe-half of the frms. I partcular, whe s a eve umber ad whe s a odd umber. Fgures 4(a) (c) show the securty vestmets, the frms' payoffs, ad the ratos of loss coverage for type-1 ad type-2 frms. [Please Isert Fgure 4 Here.] Fgure 4(a) shows the frms' securty vestmets the cybersurace-oly case, the RPA case, ad the optmal case whe securty vestmets geerate egatve exteraltes. The sold curves represet a type-1 frm's securty vestmets, ad the dash curves represet a type-2 frm's securty vestmets. Wth heterogeeous frms, RPAs ca stll mtgate frms' overvestmet cetves. Both the type-1 frm' ad type-2 frm's securty vestmets the 15 33