
Incentivizing Secure Software Development: The Role of Liability (Waiver) and Audit



Ziyuan Huang, Gergely Biczók, Mingyan Liu
December 2023
arXiv:2401.08476v1 [cs.CR] 16 Jan 2024

Abstract
Misaligned incentives in secure software development have long been the focus of research in the economics of security. Product liability, a powerful legal framework in other industries, has been largely ineffective for software products until recent times. However, the rapid regulatory responses to recent global cyberattacks by both the United States and the European Union, together with the (relative) success of the General Data Protection Regulation in defining both duty and standard of care for software vendors, may just enable regulators to use liability to re-align incentives for the benefit of the digital society. Specifically, the recently proposed United States National Cybersecurity Strategy shifts responsibility for cyber incidents back to software vendors. In doing so, the strategy also puts forward the concept of the liability waiver: if a software company voluntarily undergoes and passes an IT security audit, its liability is waived.
In this paper, we analyze this audit scenario from the aspect of the software vendor. We propose a mechanism where a software vendor first undergoes a repeated auditing process, in each stage of which the vendor decides whether to quit early or stay with additional security investment. We show that the optimal strategy for an opt-in vendor is to never quit, and to exert cumulative investments in either a “one-and-done” or an “incremental” manner. We relate the audit mechanism to a liability waiver insurance policy and reveal its effect on reshaping the vendor’s risk perception. We also discuss the influence of audit quality on the vendor’s incentives and pinpoint that a desirable audit rule should be highly accurate and less strict.

1 Introduction
Making software products more secure is arguably one of the most important elements in securing our overall
computer and information network ecosystem. It has also been one of the most challenging due in no small
part to a sequence of misaligned incentives. For one, security features in a software product can be hard to
monetize (even when they are noticeable), and thus, spending resources to improve the security in software
production may not lead to immediate or substantial returns on investment. This is exacerbated by the fact
that software markets usually reward first-movers that release new functional features as quickly as possible,
resulting in little to no security testing; hence the mantra: “we’ll ship it on Tuesday and get it right by
version 3” [1]. Secondly, while vulnerabilities in software products can lead to substantial costs to a vendor
(incurred in developing patches, for instance), there is significant uncertainty on whether certain costs will
materialize because a large number of vulnerabilities are never discovered or publicly disclosed, and even
among those discovered, a majority of them are never exploited. Rather than fixing the vulnerabilities,
they are often rolled up in the development of newer versions of the software. This means there is less
motivation on the vendor’s part to try to minimize vulnerabilities a priori. Perhaps most importantly, a software vendor’s exposure to potential security risk is limited by the fact that the vast majority of the cost incurred in a security incident is borne by the consumer/user/buyer of the software, not the producer, instantiating a lax approach to risk mitigation owing to moral hazard [1].

∗ Ziyuan Huang and Mingyan Liu are with the Electrical and Computer Engineering Department, University of Michigan, 1301 Beal Avenue, Ann Arbor, MI 48109, USA; e-mail: {ziyuanh, mingyan}@umich.edu. Gergely Biczók is with the CrySyS Lab, Department of Networked Systems and Services, Budapest University of Technology and Economics, 1111 Budapest, Műegyetem rkp. 3, Hungary; e-mail: [email protected].
Modern liability frameworks, emerging from early 20th-century case law, aim at establishing legal obligations for individuals and organizations to assume responsibility for their actions, particularly when such actions result in harm or damage to others. Liability encompasses various legal principles and frameworks that determine when (duty of care) and to what extent (standard of care) one party may be held accountable for the consequences of their behavior. Historically, software companies frequently avoided product liability using a combination of legal gray zones and disclaimers, capitalizing on the broad interpretation of acceptable user risk. However, the European General Data Protection Regulation (GDPR) leveled the playing field by defining both duty and standard of care, leading to substantial fines for mishandling personal data and prompting a reassessment of cybersecurity investments. In addition, recent global cyberattacks triggered rapid regulatory responses in the US and the EU, mandating secure software development, compliance, and supply chain security to overcome information asymmetry and lack of expertise for end-users, re-assigning liability back to software vendors. At the same time, the insurance sector is grappling with the insurability of cyber risks, particularly in critical infrastructure, following severe cybersecurity incidents and ongoing armed conflicts. The insurance industry is scrambling to establish baseline scenarios for industrial control systems, as the potential for systemic cyber risks and catastrophic losses may shift responsibility to governments as insurers of last resort. This motivated a series of national security policy directives that aim to allow liability claims against insecure software products produced by software vendors. Specifically, the United States National Cybersecurity Strategy, released in April 2023, has introduced a liability waiver mechanism tied to government-mandated security audits, serving as a financial incentive for software companies to improve their product security practices.
In this work, we examine what happens if a (government) agency offers an optional (and free) product security audit and, for those who pass the audit, waives their liability associated with software security. This is formulated as a discrete-time optimal stopping problem, where a software vendor can choose either not to be audited and bear any potential liability that may occur, or to be audited. The audit is assumed to be informative but not perfect, with some randomness to it, i.e., the outcome contains both false positive and false negative results. Once a vendor opts to be audited, it either has to pass the audit at some time or it can quit the market entirely; in other words, a product that has failed an audit is not allowed to be released to the market. The decisions facing the vendor, beyond the initial choice of whether to enter into the audit process at all, include how much security investment (or effort) to make initially in order to pass the audit, how much more to make subsequently following each failed audit, and when, if at all, to quit.
Our goal is to understand: (1) from the vendor’s perspective, under what conditions it should subject itself to the audit, and what the optimal sequence of security investments is; (2) from the auditor’s perspective, how to maximally incentivize vendors to opt in.
Our main findings are as follows:
• Our results show that under an optimal policy for the vendor, once it opts into the audit mechanism, it will never quit; it will continue to either improve or hope that it will eventually pass the audit.

• The optimal policy is in general non-unique, but enjoys some very interesting properties. An optimal policy falls into two broad categories: the “one-and-done” types and the “incremental” types. Under the first type, the vendor invests in one installment at the beginning of the process an amount from a well-defined optimal set, prior to the initial audit, and then waits to pass the audit, repeating over and over till it succeeds. For some problem instances, this initial investment could be quite low (in which case the vendor simply waits for luck to carry it through the audit). Under the second type, the vendor invests multiple times, with each amount from the same optimal set, but the timing of these investments can be arbitrary.

• Under either type of strategy, given the probabilistic nature of the audit outcome, an audit could clear a product with very low security investment for market entry, which is undesirable from a social welfare standpoint. The auditor can mitigate this by making the audit more accurate (lower noise) but easier (lower threshold for passing).

• We show how this audit mechanism can be related to a liability waiver insurance policy, and how it
reshapes the vendor’s risk perception.
• We show how the audit quality (accuracy and hardness) influences the vendor’s participation incentive,
and how to adjust these parameters to increase participation.
The remainder of the paper is structured as follows. In Section 2 we review related literature. Section 3 presents an optimal stopping time model to capture the decision making process of a vendor and some key properties of this problem. Section 4 fully characterizes the vendor’s optimal strategy if it decides to participate in the audit mechanism. Section 5 examines how the audit parameters influence the participation incentive of a vendor. Section 6 concludes the paper and presents a number of extensions and future directions.

2 Background and Related Work


2.1 Software liability
To understand the state of affairs in the ever-changing software liability regulation, we provide a brief overview. The legal interpretation of liability already appeared in Roman Law, but the modern framework of product liability first emerged in [2] in relation to a faulty automobile wheel causing injuries to the driver. The ruling cited the reasonable basis for the automobile manufacturer to know product risks and to make extra effort to ensure the safety of anyone coming into contact with the car, even if the wheel was produced by another company. The next milestone case [3] established duty of care with respect to a person consuming spoiled ginger beer produced by a bottler and contracting severe gastroenteritis. The bottler had to pay restitution owing to his negligence. Finally, standard of care was put forward in [4] in a complicated multi-party liability case among the US government, a railroad company, and two boating companies, where the mooring lines of a barge carrying flour belonging to the government were disconnected by another barge, causing damage to other ships and eventually sinking. Liability was shared among the companies; specifically, the boating company operating the barge that cut the lines had failed to look after the safety and security of the other barges it came into contact with. Interestingly, the judge based his ruling on inadequate risk management: the burden of the precautions taken by the company was smaller than the likelihood of the incident multiplied by its impact.
Although there were a number of liability cases against software companies in the last decades, companies often managed to escape fines using nuances of contract law, and limitations of liability and disclaimers in end-user license agreements (EULA). In fact, the flexible interpretation of acceptable risk taken by the user of a software product made this a gray area. This has changed dramatically with the emergence of the European General Data Protection Regulation (GDPR) and its penalty system for organizations mismanaging the personal data of their users. The GDPR has defined both the duty and standard of care, data protection agencies have collected billions of Euros in fines, and the cost-benefit assessment of cybersecurity-related investments has changed for the better, at least for the safekeeping of personal data. Concurrently, governments around the world have become increasingly worried about the changing landscape of cyberattacks, which showed a shift from accessing/exposing user data towards damaging and controlling critical infrastructure integrated across governmental institutions and private organizations. The 2017 NotPetya ransomware and the 2021 SolarWinds attacks stand out as having far-reaching implications for national security, letting malicious attackers breach and potentially take over control of systems of critical importance (governmental organizations, financial institutes, logistics companies, etc.) in Ukraine, in the United States, and across the globe. These incidents made governments prioritize the cyber-hardening of their national infrastructure and, specifically, focus on software supply chain security. Accordingly, both the United States (via the 2021 Executive Order on Improving the Nation’s Cybersecurity [5]) and the European Union (via the 2022 Cyber Resilience Act [6]) acted swiftly and put forward regulations mandating secure software development, standardized product cybersecurity compliance, and a secure software supply chain [7], while also reducing the information asymmetry pertaining to non-expert end-users of software products. Software liability also factors in the end-users’ technical (not having the expertise to assess product security) and legal inability (EULAs prohibiting the inspection of software code) to evaluate the software products they use. In fact, reflecting liability back to software companies is indeed a sensible solution.

Another intriguing aspect of software liability comes from cyber-insurance. The devastating cybersecurity incidents and the ongoing multi-modal armed conflicts affecting critical infrastructure raised alarms in the insurance industry regarding the insurability of cyber risks [8], potentially inhibiting a market that experienced real growth in recent years after decades of underdevelopment. In fact, insurers and re-insurers, together with academics and cybersecurity experts, are trying to establish baseline scenarios in the industrial control system domain [9]. Indeed, if the cyber risk is systemic and catastrophic losses are expected in the critical infrastructure sector, the insurance industry will lose interest in underwriting new policies. In that case, governments would shoulder the responsibility to be insurers of last resort, similar to instances of frequent natural disasters [10]. Supposing this happens, the increased scrutiny of software product security laid down in recent regulations is even more sensible. Even so, a potential insurer role would also be a financial and administrative burden for the government, especially taking into account tangled software supply chains. On the other hand, supply chain security solutions and best practices are available; if a company decides to invest money and effort, a much-improved level of security is within reach. Recognizing this, the current United States National Cybersecurity Strategy ([11], released in April 2023) explicitly introduced a liability waiver mechanism designed to reward software companies willing to undergo and pass a government-mandated product security audit. Such a waiver mechanism could just be the missing financial incentive for software companies to change their usual ways regarding secure products.

2.2 IT Security Audits


Security audits and related incentive challenges have long been the focus of the ICT industry, regulators, and researchers. Often perceived as an enabler of effective cyber-insurance contracts and of incentivizing self-protection, audits with post-audit certification are heralded as a potentially effective mechanism for achieving the desired level of security between multiple interacting stakeholders [12, 13]. In the early phase of cyber-insurance (1997-2006), the lack of historical data and rudimentary cyber risk modeling resulted in ineffective actuarial models [14]. Yet, many of them attempted to link security levels to pricing using security audits, thereby reducing the information asymmetry between prospective clients and insurers [15]. Some insurance carriers (e.g., Hiscox) and brokers (e.g., InsureTrust) performed the security audits themselves before determining premiums; others outsourced audits to external parties and offered discounts upon successful certification (e.g., AIG). These audits were reported to be rigorous, lengthy, and expensive, yet their effectiveness could vary [14].
Providing a clear rationale for carefully designed audit processes, Böhme finds that security audits connected to cyber-insurance contracts should be tailored to the situation at hand and that their design space is vast, spanning voluntary, mandatory, unilateral, and bilateral audits with complex technical, managerial, and policy implications [16]. Focusing on a single profit-maximizing cyber insurer, Khalili et al. explore the role of an initial quantitative security audit in cyber-insurance contract design [17]. The authors show that a market exists for a single risk-averse client and that the client’s self-protection effort inside the contract increases with the quality of pre-screening, i.e., it can mitigate moral hazard. Nevertheless, even with perfect pre-screening, the effort level is still lower than without insurance. On the other hand, when introducing multiple, interdependent clients, proper pre-screening enables both optimal profits for the insurer and an improved level of security across clients. In fact, security interdependence and the resulting underinvestment create a potential for extra profits for the insurer. Consequently, security pre-screening then enables the insurer to realize these profits by designing insurance contracts that incentivize clients to increase the level of self-protection and, under some conditions, also improve the state of network security. In some cyber-insurance constructions, the cybersecurity posture of companies is self-reported. Therefore, a key problem for insurers is to design a post-incident claims auditing strategy (including punishment for non-compliance) to deter policyholders from misrepresenting their security levels to gain a premium discount [18]. Panda et al. demonstrate that the intuitive approach to this problem is less efficient than computing optimal audit parameters from elaborate game-theoretical models.
Interestingly, the management literature investigates IT security audits from a slightly different angle. Gordon et al. find that security audits, as a specific form of management accounting control, can reduce cybersecurity risks and create a healthy balance in responsibility across various internal functions if accompanied by adequate intra-organizational incentives [19]. Adding to this, Steinbart et al. underline the importance of a proper working relationship between the information security and internal audit functions (IAF) within a company [20]. As the IAF is responsible for overseeing and improving risk management and legal compliance, a good relationship results in more effective security investments, improved cybersecurity posture, and streamlined incident response. Posing a different research question, Herath and Herath develop a performance evaluation decision model for whether or not to conduct an IT security audit proving legal compliance [21]. In fact, the answer is far from trivial, as voluntary security audits carry various costs and delicate timing issues and depend on the proper design of managerial incentives.
Another phenomenon emerging in the accounting literature is the impact of cyber risk on external business
audits [22, 23]. External auditors are responsible for i) evaluating the client’s losses, claims, and liabilities
related to cyber incidents, ii) detecting potential deficiencies in (shared) internal controls (signaled by security
incidents), and iii) testing and monitoring access control implemented by the client and integrating cyber
threats into their audit risk model. Specifically, Rosati et al. find that breached clients are charged higher
audit fees, and these higher fees affect the whole industry [22]. Nevertheless, external auditors do not revise
their audit risk assessment post-breach, meaning that cyber risk has already been part of their model and
that higher audit fees are temporary. In a related study, Rosati et al. find that, contrary to intuition, cyber
incidents do not result in decreased financial audit quality, as external auditors increase their audit and
testing efforts owing to the acknowledgment and integration of cyber risks [23].
In this work, inspired by the recently released United States National Cybersecurity Strategy [11], we focus on the audit process of a software vendor, potentially resulting in waived liability with respect to the vendor’s software products. We concentrate on a single vendor and investigate the utility and temporal dynamics of the audit process ([21]), while also analyzing the impact of different risk appetites ([17]) and audit quality ([17, 23]).

3 An Optimal Stopping Problem: Model and Preliminaries


The basic problem consists of a neutral auditor with a pre-determined, publicly known audit rule and a utility-maximizing software vendor (also occasionally referred to interchangeably as the software developer or producer) responding optimally to the audit rule. The process plays out in discrete time and potentially over multiple periods, as the vendor may need to be audited repeatedly in order to pass. This section first describes the sequential decision problem and related assumptions in Section 3.1 and then briefly introduces the methodology used to solve the problem, i.e., the discounted-reward Markov Decision Process (MDP) formulated as an optimal stopping problem, in Section 3.2.

3.1 Problem Description


Consider the scenario where a software liability waiver policy exists, which allows a software vendor to enter the market with zero liability provided it clears an auditing requirement. Further assume that the initial decision of whether to be audited is voluntary; however, once a vendor decides to go through the auditing process, it either has to pass the audit or quit the market entirely. The rationale for the latter assumption is that a product with known defects/vulnerabilities should not be allowed to enter the market. In other words, a vendor can decide to “opt out”, whereby it bears the cost of potential liability entirely on its own but does not need the auditor’s clearance to put its software on the market; or it can decide to “opt in”, whereby it subjects itself to the audit and may have to try multiple times to pass. In either case the vendor can also choose to quit the market at any time.
The vendor is utility maximizing and potentially risk averse, optimizing over its (successive) security
investment/effort levels, whereas the auditor is not. We shall assume that the audit service is free but not
perfect in its accuracy, i.e., the audit outcome may contain both false positives and false negatives. Each
audit in the auditing process is independent of the others. The availability of such an audit service may be
viewed as a type of mechanism. The central questions we seek to answer include whether there is incentive
for a vendor to participate in such a mechanism, and whether it can induce better/higher security effort
from the vendor in its software production.

The Software Vendor
From the vendor’s point of view, the process can be modeled as an infinite-horizon dynamical system in discrete time. At the initial stage $t = 0$, the vendor decides whether to participate in the audit. If not, the process terminates immediately and the vendor’s optimal action is to choose some $x \in \mathbb{R}_+$ at $t = 0^+$ that maximizes the following expected opt-out utility, which materializes at time $t = 1$ when the product is put on the market:
$$
U^{out}(x) := R - C_X(x) - C_L(x), \tag{1}
$$
where $R$ denotes the total revenue from selling the product, and $C_X(x)$ and $C_L(x)$ represent the expected cost of security investment/effort in the production and the potential liability loss, respectively. For simplicity, we will only treat the liability loss as a random variable and use $C_L(x)$ to denote its expectation; the other two terms are treated as deterministic. This does not significantly alter our analysis or main findings. The potential risk aversion of the vendor is modeled through the function $C_L(x)$ and discussed shortly. The assumption that the revenue $R$ is independent of the security investment $x$ is also a simplification, although reasonably justified in practice since enhanced security features in a (software) product are often hard to monetize. Removing both assumptions is a possible direction of extension.
If the vendor decides to participate in the audit, it then must determine and commit to a security investment $x_0 \in \mathbb{R}_+$ at time $t = 0^+$. The value $x_0$ is private information of the vendor; however, since its utility function is assumed public knowledge, the vendor’s optimal strategy, including the value $x_0$, is ultimately known to the auditor/mechanism (i.e., the latter can simply follow the same computation). The effort $x_0$ goes into the software development over the first time step, with the product completed, incurring an instantaneous cost of $c_0 = C_X(x_0)$, and submitted for audit at time $t = 1^-$. The audit outcome is revealed at time $t = 1$. Let the audit outcome at time $t$ be denoted as $s_t \in \{0, 1\}$. If the audit outcome is positive/successful, i.e., $s_1 = 1$, the process terminates: the vendor is granted market entry, earning a reward $r_1$ equal to the revenue $R$ at time $t = 1^+$. This is also considered the terminal reward for passing the audit, with discounting applied through the utility function given shortly below.
If the audit outcome at $t = 1$ is negative/fail, i.e., $s_1 = 0$, then the vendor is temporarily denied market entry. It can either choose to quit the process (exit the market) at time $t = 1^+$, thereby receiving zero revenue but incurring no further cost, or opt for re-auditing. In the latter case, the vendor must decide a new (cumulative) effort level $x_1 \in [x_0, \infty)$ at time $t = 1^+$, thereby committing to an additional security investment of $x_1 - x_0$ over the next time step. This incurs an instantaneous cost of $c_1 = C_X(x_1) - C_X(x_0)$ at time $t = 2^-$. The process then proceeds to stage $t = 2$ and repeats indefinitely until the vendor either successfully passes the audit or decides to quit. For any non-terminal stage, we assume it generates a reward of $r_t = 0$. Let $q_t$ denote the binary quitting decision, with $q_t = 1$ indicating a quit. The sequencing of actions and decisions is illustrated in Figure 1, assuming the process has not stopped until time $t + 1$.

Figure 1: Timeline of the decision process.

Formally, define $x := \{x_t\}_{t=0}^{\infty}$ as the increasing sequence of total (accumulated) security investments decided by the vendor at each time $t^+$. Let $\tau_s \in \{1, 2, \dots\}$ denote the quitting time and $\tau_a \in \{1, 2, \dots\}$ the time at which the vendor first passes the audit; both are in general random (stopping) times of the processes $\{q_t\}_{t \ge 0}$ and $\{s_t\}_{t \ge 0}$ respectively. The vendor’s utility when opting in the policy can be written as follows, given the vendor’s decision on $x$ and $\tau_s$:
$$
\begin{aligned}
U^{in}(x, \tau_s) &= \mathbb{E}_{\tau_a}\!\left[\sum_{t=1}^{\tau_a \wedge \tau_s} \alpha^{t-1} r_t - \sum_{t=0}^{\tau_a \wedge \tau_s - 1} \alpha^{t} c_t\right] \\
&= \mathbb{E}_{\tau_a}\!\left[\sum_{t=0}^{\tau_a \wedge \tau_s - 1} \alpha^{t} \left(r_{t+1} - c_t\right)\right] \\
&= \mathbb{E}_{\tau_a}\!\left[-C_X(x_0) - \sum_{t=1}^{\tau_a \wedge \tau_s - 1} \alpha^{t} \big(C_X(x_t) - C_X(x_{t-1})\big) + \alpha^{\tau_a - 1} R \, \mathbb{1}_{[0, \tau_s]}(\tau_a)\right]
\end{aligned}
\tag{2}
$$
where $\mathbb{1}_A(x)$ is the indicator function that returns 1 when $x \in A$ and 0 otherwise, and $\tau_a \wedge \tau_s := \min\{\tau_a, \tau_s\}$. Also, notice that $r_{\tau_a} = R$ and $r_{\tau_s} = 0$. The vendor’s goal, if it decides to opt in, is to maximize its opt-in utility in Eqn (2). Denote the maximum utility by $U^{in,*} := \max_{x, \tau_s} U^{in}(x, \tau_s)$.

The Auditor
The auditor is modeled as a neutral (without its own utility function) party defined by the quality of its audit: the sequence of functions $q(x) := \{p_t(x_{t-1})\}_{t \ge 1}$, where $p_t(x_{t-1})$ is the probability of the software product passing the audit at time $t$ given cumulative security effort of $x_{t-1}$.
A security audit for software in practice is a complex task. For tractability, we will model this as an estimation process, whereby the auditor predetermines a threshold $\delta$ and estimates whether the vendor’s security effort exceeds it. It follows that the estimate at stage $t$ can be represented as a random variable $Y_t := x_{t-1} + W_t$ where $W_t \sim \mathcal{N}(0, \sigma_t^2)$. Thus the probability of passing the audit is
$$
p_t(x_{t-1}) = P(Y_t \ge \delta) = P(W_t \ge \delta - x_{t-1}) = Q\!\left(\frac{\delta - x_{t-1}}{\sigma_t}\right), \quad \text{where } Q(z) := P(Z \ge z \mid Z \sim \mathcal{N}(0, 1)) = \frac{1}{2}\left(1 - \operatorname{erf}\!\left(\frac{z}{\sqrt{2}}\right)\right).
$$
The audit is only meaningful or informative if it is correct more than 50% of the time. In the threshold model described above, if $x_{t-1} \ge \delta$, then $p_t(x_{t-1}) \ge Q(0) = \frac{1}{2}$; if $x_{t-1} < \delta$, then $p_t(x_{t-1}) < Q(0) = \frac{1}{2}$. Thus, this threshold audit model is indeed informative for any parameterization $(\sigma_t)_{t \ge 1}$.
Assumption 3.1. The audit process is static (or time-invariant), given by $p_t(x) = p(x)$ for all $t = 1, 2, \dots$ and some fixed function $p(\cdot)$.
Applying the above assumption in the threshold audit yields $\sigma_t = \sigma$ for all $t = 1, 2, \dots$ and some fixed $\sigma > 0$.

Specific Functions Used in the Analysis


To fully define the vendor’s utility function we now impose some properties on the liability loss $C_L(x)$ and investment cost $C_X(x)$.
We will begin by assuming that the actual liability loss (in dollar amount), denoted by $Z_x$, follows a normal distribution truncated to $[0, \infty)$, which is a normal distribution with mean $\mu_Z(x)$ and variance $\sigma_Z^2(x)$ conditioned on the random variable being non-negative. Assume $\mu_Z(x)$ and $\sigma_Z^2(x)$ are both positive and decreasing in $x$, i.e., higher effort reduces the expected loss and the uncertainty in the loss. The density function of $Z_x$ is
$$
f(z; x) = \frac{\frac{1}{\sigma_Z(x)}\,\phi\!\left(\frac{z - \mu_Z(x)}{\sigma_Z(x)}\right)}{1 - \Phi\!\left(-\frac{\mu_Z(x)}{\sigma_Z(x)}\right)},
$$
where $\phi(\cdot)$ and $\Phi(\cdot)$ are respectively the probability density and cumulative distribution functions of the standard normal distribution. [24] shows that the truncated normal is the maximum entropy distribution on $[0, \infty)$ given knowledge of the first and second moments, subject to the condition $\mu_2 < 2\mu_1^2$ where $\mu_k$ is the $k$-th moment. We argue that representing the liability loss with known mean and variance with truncated normal distributions is a suitable choice by the principle of maximum entropy. It states that the maximum entropy distribution is the least informative, therefore the best, distribution that represents the current system with given prior knowledge of moments [25].
To capture the vendor’s risk aversion, we will model the liability cost that enters into the vendor’s utility function as $C_L(x) := \mathbb{E}\exp(\gamma Z_x)$, where $\gamma > 0$ represents the vendor’s risk attitude. An interesting observation on the Gaussian assumption is that the perceived risk after the transformation through risk aversion, i.e., $\exp(\gamma Z_x)$, actually follows a log-normal distribution, which belongs to the heavy-tailed distribution family¹. By the properties of the normal distribution, we can write $C_L(\gamma, x)$ as
$$
C_L(\gamma, x) = \exp\!\left(\gamma \mu_Z(x) + \frac{1}{2}\gamma^2 \sigma_Z^2(x)\right) \frac{1 - \Phi\!\left(-\frac{\mu_Z(x)}{\sigma_Z(x)} - \gamma \sigma_Z(x)\right)}{1 - \Phi\!\left(-\frac{\mu_Z(x)}{\sigma_Z(x)}\right)}. \tag{3}
$$

For the effort cost CX(x), we will assume it can be decomposed into two component costs: CX(x) = CP(x) + CS(x). Here CP(x) > 0 represents the cost of software development and is strictly decreasing in x with diminishing marginal effect; this reflects the observation that higher security investments, such as developer training, may shorten the development cycle. On the other hand, CS(x) > 0 represents the pure cost of security investment and is strictly increasing in x. Put together, we make the following assumption.
Assumption 3.2. CX(x) is first decreasing and then increasing (unboundedly), resulting in a unique global minimum.
This shape is critical to our subsequent analysis. Intuitively, this means that while security investment
can help lower the development cost to some extent, its own cost ultimately overtakes that of development.
As long as the above assumption is satisfied, it is less important what precise forms these costs take.
Subsequently, we will sometimes work with the following functional forms of CP(x) and CS(x) (with positive constants b, c):
$$ C_P(x) = \exp(-bx), \qquad C_S(x) = c \cdot x. \quad (4) $$

3.2 Preliminaries
In light of Figure 1, the vendor’s decision process can be reformulated as a discounted-reward Markov
decision process (MDP) as follows. Let et ∈ {0, 1} denote the continuation status of the process: et = 1 if
the process has terminated by time t (inclusive), and et = 0 if the process proceeds into t+ . Define states
zt := (et , xt−1 ) ∈ Z := {0, 1} × R+ for t = 1, 2, . . . where xt−1 is the cumulative security investment over the
first t − 1 steps. Given the current state zt , the vendor chooses an action ut := (qt , at ) ∈ U := {0, 1} × R+
where qt = 1 when the vendor decides to quit at this stage and at represents the vendor’s additional
investment in case of continuation.
Define an alternative instantaneous reward function ρ(zt, ut) as follows:
$$ \rho(z_t, u_t) = \Big[ p(x_{t-1} + a_t) R - \big(C_X(x_{t-1} + a_t) - C_X(x_{t-1})\big) \Big]\, \mathbb{1}_{\{0\}}(e_t)\, \mathbb{1}_{\{0\}}(q_t). \quad (5) $$
Intuitively, this is the expected payoff (reward minus cost) that the vendor earns at time t. It is zero when either the process has already stopped (et = 1) or the vendor decides to quit (qt = 1) at time t.
The state at time t + 1 can be updated using the tuple (zt, ut) as follows:
$$ x_t = x_{t-1} + a_t \quad\text{and}\quad e_{t+1} = \begin{cases} w_t & e_t = 0 \text{ and } q_t = 0 \\ 1 & e_t = 1 \text{ or } q_t = 1 \end{cases} $$
where wt ∼ Bernoulli(p(xt−1 + at)). This system is a valid MDP by construction.


Let $\pi := \{u_t\}_{t=1}^{\infty}$ denote an arbitrary policy. Define the expected total discounted reward with initial state z under policy π as
$$ V^\pi(z) = \mathbb{E}_{\tau_a}\!\left[ \sum_{t=0}^{\tau_a \wedge \tau_s^\pi - 1} \alpha^t \rho(z_t^\pi, u_t^\pi) \,\Big|\, z_0 = z \right] = \mathbb{E}\!\left[ \sum_{t=0}^{\infty} \alpha^t \rho(z_t^\pi, u_t^\pi) \,\Big|\, z_0 = z \right], \quad (6) $$
where the superscript π emphasizes the dependence of relevant variables on the policy π. The second equality holds because by definition, ρ(zπt, uπt) = 0 if the process has stopped before time t, i.e., et = 1. The goal of the MDP is to find the optimal policy π that maximizes the objective in Eq. (6). Denote the optimal reward function as V∗(z) := maxπ Vπ(z) and the optimal policy as π∗(z) ∈ arg maxπ Vπ(z).

¹ It is worth noticing that the cyber loss itself, i.e., Zx, is usually directly seen/modeled as heavy-tailed. Mathematically, our assumption of a normally distributed loss filtered through a risk-averse utility function achieves a similar effect.
It suffices to limit our attention to non-terminal states because V∗(1, x) ≡ 0 by Eqs. (5) and (6). With a slight abuse of notation, we will denote V∗(x) := V∗(0, x). Additionally, without loss of generality, we will only consider stationary policies, i.e., state-dependent and time-invariant policies that depend on the state zt only through xt−1. In other words, there exists a function g : R+ → U s.t. ut = g(xt−1) for every t ≥ 0.
Using the notation above, we can express the vendor’s optimal opt-in utility as follows:

$$ U^{in,*} = -C_X(0) + V^*(0). \quad (7) $$

The methodology used to compute V∗ is the Bellman equation. By an extension of Theorem 2.2 in [26] (see Appendix A), V∗ is the unique solution to the following fixed-point (Bellman) equation,
$$ V^*(x) = \max_{u \in \mathcal{U}} \Big[ \rho(e = 0, x, u) + \alpha\, \mathbb{E}\big[ V^*(z') \,\big|\, e = 0, x, u \big] \Big], \quad \forall x \ge 0, \quad (8) $$
where z′ represents the next state.

4 The Optimal Opt-In Policy


We now characterize the optimal strategy of the vendor if it initially decides to opt into the audit mechanism.
We begin by determining when it is optimal to quit and then derive its optimal investments using the Bellman
equation.

4.1 Optimal Quitting Time


We expand V∗(x) as follows
$$ V^*(x) = \max\Big\{ 0,\ \max_{y \ge x} \big[ -C_X(y) + C_X(x) + p(y)R + \alpha(1 - p(y))V^*(y) \big] \Big\}, \quad (9) $$
where the first term in the max operator is the maximum reward-to-go for quitting, i.e., q = 1, and the second term that for continuation. Then,
$$ V^*(x) \ge \max_{y \ge x} \big[ -C_X(y) + C_X(x) + p(y)R + \alpha(1 - p(y))V^*(y) \big] \ge p(x)R + \alpha(1 - p(x))V^*(x), \quad \forall x \ge 0, $$
which implies
$$ V^*(x) \ge \frac{p(x)R}{1 - \alpha + \alpha p(x)} > 0, \quad \forall x \ge 0. $$
This directly leads to the following lemma.
Lemma 4.1. Once opted in, the vendor will never quit the audit process in an optimal strategy.

4.2 Optimal Continuation Investment


Given that an opt-in vendor will never quit, we can remove the max operator in Eq. (9) and express V∗(x) more concisely as
$$ V^*(x) = \max_{y \ge x} \big[ -C_X(y) + C_X(x) + p(y)R + \alpha(1 - p(y))V^*(y) \big], \quad \forall x \ge 0. $$
Define W(x) := V∗(x) − CX(x). The above equation is equivalent to
$$ W(x) = \max_{y \ge x} \big[ -C_X(y) + p(y)R + \alpha(1 - p(y))V^*(y) \big], \quad \forall x \ge 0. \quad (10) $$
The optimal additional investment given the accumulated investment x can also be computed using
$$ a^*(x) \in -x + \arg\max_{y \ge x} \big[ -C_X(y) + p(y)R + \alpha(1 - p(y))V^*(y) \big]. \quad (11) $$
Lemma 4.2. W is decreasing in x.²


The monotonicity of W has a very interesting implication for the vendor's behavior. Suppose the cumulative investment up to t is xt−1 and the vendor chooses a∗t optimally according to Eq. (11), resulting in a new cumulative investment xt = xt−1 + a∗t. If the vendor fails the audit at this level, its optimal additional investment now becomes zero because the maximum in Eq. (10) is already attained at xt over [xt, ∞) by the monotonicity of W. Therefore, one of the vendor's optimal strategies given any cumulative investment (sunk cost) is to immediately invest at the optimal additional level and wait indefinitely until it passes the audit.
Lemma 4.3. The function W can be expressed as
$$ W(x) = \max_{y \ge x} G(y), \quad \forall x \ge 0, \quad (12) $$
where
$$ G(y) := -C_X(y) + \frac{p(y)R}{1 - \alpha + \alpha p(y)}, \quad (13) $$
and the optimal additional investment, given cumulative investment x, is
$$ a^*(x) \in -x + \arg\max_{y \ge x} G(y). \quad (14) $$

Comparing the maximum opt-in utility value in Eq. (7) and the definition of W in Eq. (10), we see
that U in,∗ = W (0). Therefore, we can directly calculate the opt-in optimal (sequential) security investments
behavior by evaluating the function G(x).

Theorem 4.4. If the vendor opts in, its optimal strategy has to satisfy the following properties:
(1) it will never quit;
(2) it is given by any non-decreasing sequence of cumulative investments {xt}t≥0, where xt ∈ G := arg max_{x≥0} G(x);
(3) the optimal opt-in utility is given by max_{x≥0} G(x).


Theorem 4.4-(2) says that the optimal opt-in strategy is in general not unique, but all optimal strategies fall into two broad categories. The first class is such that the vendor invests some amount x ∈ G at stage 0 followed by nothing else in subsequent stages, essentially waiting for the audit to eventually return a positive outcome (which is guaranteed to occur with high probability given our assumptions on the audit process). This class of strategies/vendors is the "patient" type, deciding on a total expenditure and then waiting it out. In particular, those that invest the smallest amount (the smallest x in G) are forgoing revenue (due to the long expected time to passing the audit, by the time there is revenue it is severely discounted) in exchange for a small initial security investment.
The other class of optimal strategies involves investing at two or more different times, each time reaching
some cumulative amount x ∈ G. When these investments are made is arbitrary, provided the first must occur
at time 0. This type of strategies/vendors are more impatient and/or opportunistic: they invest some small
amount initially, hoping to pass audit on good luck; when that doesn’t happen for some time, they decide
to up their game and invest more and hope to pass audit this time, and so on.
It is important to emphasize that both types of strategies yield the same opt-in utility under our model;
they essentially reflect different tradeoffs between willingness to invest vs. willingness to wait for return on
investment.
2 All proofs can be found in Appendix B.

Those who invest the largest amount x ∈ G at time 0 necessarily belong to the first type, as there
is no more feasible action left given the non-decreasing nature of the sequence. These are the “ideal” or
most “desirable” vendors from a public interest or social welfare perspective – they invest the maximum
amount in one go thereby resulting in the highest quality product. In the next section we will discuss what
configurations on the auditing process can help lead to this type of strategy.
The next example shows more concretely the property of the optimal strategies given in Theorem 4.4-(2)
and discussed above.
Example 1 (Property of the Optimal Sequence of Cumulative Investments)
Suppose the set G in Theorem 4.4 contains exactly 3 values x̃1 , x̃2 , and x̃3 , where x̃1 < x̃2 < x̃3 ; i.e., G(x) has
three maximizers. By Theorem 4.4-(2), every optimal investment sequence should start with x0 ∈ {x̃1 , x̃2 , x̃3 }.
This means the initial action a∗0 ∈ {x̃1 , x̃2 , x̃3 } as x0 = x−1 + a∗0 = a∗0 by our definition.
If an optimal strategy starts with x0 = x̃3 , then all subsequent cumulative investments remain at x̃3 , i.e.,
no additional investment in the future. In this case, the optimal cumulative investment sequence and the
optimal action sequence are respectively,
{xt }t≥0 = {x̃3 , x̃3 , x̃3 , x̃3 , . . . } and {a∗t }t≥0 = {x̃3 , 0, 0, 0, . . . }.
As x̃3 is the largest element in G, {x̃3 , x̃3 , x̃3 , . . . } is the unique non-decreasing sequence of cumulative
investments in G given x0 = x̃3 .
If an optimal strategy starts with x0 = x̃2 , then this can lead to either type of optimal sequences. Under
the first type, the vendor invests nothing more beyond the initial amount, i.e.,
{xt }t≥0 = {x̃2 , x̃2 , x̃2 , x̃2 , . . . } and {a∗t }t≥0 = {x̃2 , 0, 0, 0, . . . }.
Under the second type, the vendor invests an additional x̃3 − x̃2 at some arbitrary future time ≥ 1, i.e.,
{xt }t≥0 = {x̃2 , . . . , x̃2 , x̃3 , x̃3 , . . . } and {a∗t }t≥0 = {x̃2 , 0, . . . , x̃3 − x̃2 , 0, . . . }.
Interestingly, the exact time at which the additional investment x̃3 −x̃2 is made has no impact on the strategy’s
optimality.
Similarly, if the optimal strategy starts with x0 = x̃1 , then the vendor could either invest nothing more,
or increase its cumulative investment to x̃2 (or x̃3 ) at some arbitrary time in the future but nothing more,
or increase to x̃2 at some time, followed by another increase to x̃3 some time later.
Example 2 (Using CX(x) given in Eq. (4))
Let p(x) denote the static threshold audit mechanism introduced in Section 3 and given in Assumption 3.1, and consider the CX(x) in Eq. (4). It can be shown that G(x) has at most two local maxima, i.e., G contains either one or two numbers (see Appendix C for details). This is illustrated in Figure 2, with the two local maxima denoted low and high, respectively, as xL and xH. If G(xL) ≠ G(xH), then there is a single global maximum and the optimal investment strategy is unique: investing at the global maximum level at time 0 and nothing else thereafter.
If G(xL) = G(xH), then the vendor has two equally optimal options at the initial stage: being conservative and choosing xH, which is more likely to secure an early pass, or being opportunistic and choosing xL, hoping for a lucky pass. In the latter case, the vendor has the option to increase its investment to xH at a later time.

4.3 Equivalence to Liability Insurance


Figure 2: Shape of G(x) with CX(x) given by Eq. (4). Parameters used: b = c = 1, R = 26, α = 0.08, δ = 9.13, and σ = 10. There are two local maxima in the figure, xL and xH with xL < xH; in this example both attain the same global maximum.

Define the following function:
$$ C_A(x; p) = \frac{(1 - \alpha)(1 - p(x))}{1 - \alpha + \alpha p(x)} R. \quad (15) $$
We can then re-write the utility function as follows:
$$ \begin{aligned} U^{in}(x) = G(x) &= -C_X(x) + \frac{p(x)R}{1 - \alpha + \alpha p(x)} \\ &= R - C_X(x) - \frac{(1 - \alpha)(1 - p(x))R}{1 - \alpha + \alpha p(x)} \\ &= R - C_X(x) - C_A(x; p), \end{aligned} \quad (16) $$
with the optimal opt-in strategy obtained by maximizing U in(x) over [0, ∞). Comparing the above expression
to the opt-out utility function given in Eq. (1), we see the two only differ in their last terms: liability loss
CL (x) in Eq. (1) and CA (x; p) in Eq. (16). This comparison provides an alternative interpretation
of the optimal opt-in strategy. It suggests that the audit mechanism is equivalent to a “waiver-for-fee”
mechanism, i.e., offering the vendor complete liability waiver in exchange for a one-time fee of CA (x; p).
This is nothing but an insurance policy with premium discrimination. Viewed through the insurance lens,
CA (x; p) is functionally equivalent to the premium charged by the insurance provider; it is assessed not only
based on the security effort of the vendor, but also on the market value of the product. The insurance
provider may or may not perform an audit as long as it has a way of determining p(x).
We will refer to CA(x; p) as the waiver cost or audit cost. Remarkably, CA(x; p) is always bounded above by R while CL(x) could be unbounded for sufficiently small x. Thus this comparison to insurance merely serves as an alternative interpretation of the audit mechanism, but does not address whether such an insurance provider would indeed exist and make a profit. This is a crucial difference between a profit-maximizing insurer and the profit-neutral auditor modeled in this paper; a more comprehensive comparison will be an interesting direction of future study.
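A numerical illustration of Theorem 4.4 and of the insurance reading in Eq. (16), added here as an example; it is not code from the paper or its authors. It uses the parameters of Figure 2 (b = c = 1, R = 26, α = 0.08, δ = 9.13, σ = 10) with CX from Eq. (4). The pass probability p(x) = Φ((x − δ)/σ), i.e., the audit passes iff x plus N(0, σ²) noise reaches δ, is this example's assumption about the threshold audit of Assumption 3.1, which is defined outside this section. `local_maxima` finds xL and xH, `sequence_utility` evaluates the expected discounted opt-in utility of Eqs. (5)-(7) for any non-decreasing sequence of cumulative investments (one-and-done or incremental), and `audit_cost` is CA(x; p) of Eq. (15).

```python
import math

# Added example (not the paper's or its authors' code). Parameters of Figure 2:
# b = c = 1, R = 26, alpha = 0.08, delta = 9.13, sigma = 10.
# Assumption of this example: the threshold audit passes iff x plus N(0, sigma^2)
# noise reaches delta, so p(x) = Phi((x - delta) / sigma).
B, C, R, ALPHA, DELTA, SIGMA = 1.0, 1.0, 26.0, 0.08, 9.13, 10.0


def Phi(u):
    """Standard normal CDF."""
    return 0.5 * math.erfc(-u / math.sqrt(2.0))


def p(x):
    """Assumed pass probability of the threshold audit at cumulative investment x."""
    return Phi((x - DELTA) / SIGMA)


def C_X(x):
    """Effort cost of Eq. (4): development cost exp(-bx) plus security cost c*x."""
    return math.exp(-B * x) + C * x


def G(x):
    """Opt-in objective of Eq. (13)."""
    return -C_X(x) + p(x) * R / (1.0 - ALPHA + ALPHA * p(x))


def audit_cost(x):
    """Waiver (audit) cost C_A(x; p) of Eq. (15)."""
    return (1.0 - ALPHA) * (1.0 - p(x)) * R / (1.0 - ALPHA + ALPHA * p(x))


def local_maxima(step=0.05, xmax=30.0):
    """Interior local maximizers of G on a grid, as (x, G(x)) pairs in increasing x."""
    xs = [i * step for i in range(int(xmax / step) + 1)]
    gs = [G(x) for x in xs]
    return [(xs[i], gs[i]) for i in range(1, len(xs) - 1)
            if gs[i] > gs[i - 1] and gs[i] >= gs[i + 1]]


def sequence_utility(levels):
    """Expected discounted opt-in utility (Eqs. (5)-(7)) of a non-decreasing
    sequence of cumulative investments x_0, x_1, ... that stays at levels[-1]
    forever. The stage-t reward is earned only if every earlier audit failed,
    which happens with probability prod_{s<t} (1 - p(x_s))."""
    utility = -C_X(0.0)
    discount = 1.0          # alpha^t times P(not passed before stage t)
    prev = 0.0              # x_{-1} = 0: nothing invested before stage 0
    for t, x in enumerate(levels):
        step_cost = C_X(x) - C_X(prev)
        if t == len(levels) - 1:
            # hold x forever: geometric tail of the pass reward p(x) R
            utility += discount * (p(x) * R / (1.0 - ALPHA * (1.0 - p(x))) - step_cost)
        else:
            utility += discount * (p(x) * R - step_cost)
            discount *= ALPHA * (1.0 - p(x))
        prev = x
    return utility


if __name__ == "__main__":
    (x_low, g_low), (x_high, g_high) = local_maxima()
    print(f"xL = {x_low:.2f}, G(xL) = {g_low:.4f}; xH = {x_high:.2f}, G(xH) = {g_high:.4f}")
    print("one-and-done at xH      :", sequence_utility([x_high]))
    print("xL for 4 audits, then xH:", sequence_utility([x_low] * 4 + [x_high]))
    print("off-maximizer level 5.0 :", sequence_utility([5.0]))
    print("R - C_X - C_A at xH     :", R - C_X(x_high) - audit_cost(x_high))
```

Under this assumed p(x) the two local maxima nearly tie, as in Figure 2: a one-and-done investment at xH, a one-and-done at xL, and an incremental path that sits at xL for a few audits before jumping to xH all yield (almost) the same utility, because the utility of a path through the maximizer set is a convex combination of G at its levels, while a level outside that set such as x = 5 is strictly worse. The identity R − CX(x) − CA(x; p) = G(x) holds to machine precision, which is the waiver-for-fee reading of Eq. (16).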

4.4 Risk Perception under the Audit Mechanism


The shape of this function CA (x; p) reveals quite a few interesting properties. Firstly, this function is
decreasing in x with diminishing margins, similar to the liability loss function CL (γ, x). When the vendor
decides to opt in, this waiver cost essentially replaces the liability loss and thus represents the “risk” now
perceived by the vendor.
A few examples of this function with p(x) being the threshold form defined in Section 3 are depicted in
Fig. 3. We observe that CA (x; p) is first concave and then convex as x increases. This suggests that under
the audit mechanism, the vendor’s risk attitude transitions from risk seeking to risk aversion; the former
dominates at lower investment levels, while the latter at higher investment levels. Notice that CA (x; p) is
presented as loss so that the risk-averse (resp. risk-seeking) region corresponds to the concave (resp. convex)
region of −CA (x; p). This is in contrast to −CL (x) which is purely concave, indicating risk-aversion under
all security investments.

Figure 3: Auditing cost function CA (x; p) with threshold audit example evaluated at different noise level σ,
taking the threshold fixed as δ = 3.

5 Impact of the Audit Quality


Although we do not explicitly model the auditor as a strategic agent, the vendor’s strategy, and moreover, its
choice of participation, is indeed influenced by the audit threshold δ and audit noise σ, under the threshold
audit rule introduced in Section 3. In this section we first examine how these audit parameters impact the
vendor’s strategy when it opts in, and then how they impact the vendor’s decision to opt in vs. stay out.

5.1 On the Vendor’s Optimal Opt-In Strategy


Results and discussion in Section 4.2 suggest there can potentially be many optimal strategies for an opt-in
vendor, some starting at very low investment levels depending on the solution set to G(x). While these are
equally optimal by the definition of our model, the auditor may favor earlier and higher investments. Below
we show that different choices of δ and σ can reshape G(x) so as to induce more desired opt-in strategies.
Figures 4a and 4b depict the shape of G(x) under different values of δ and σ respectively, while keeping the other fixed. The global maximum solutions of each curve correspond to the optimal opt-in investments in that specific parameter setup. The main observations are summarized as follows:

1. From Figure 4a, we see that when two local maxima exist in G(x), a high threshold (a more difficult audit) leads the low solution xL to dominate (it becomes the global maximum), whereas a low threshold (an easier audit) leads the high solution xH to dominate (it becomes the global maximum). (In the region above the boundary (dashed black horizontal line), the audit threshold is small and xH induces higher utility than xL; in the region below the boundary, the audit threshold is large and xL results in higher utility.) Also, a smaller threshold always induces a higher vendor utility, regardless of the investment.
2. The above observation suggests that a high threshold δ can encourage low investment as an optimal strategy. This seems counterintuitive, but the reason is that a difficult audit poses a risk of failing the audit even at decent effort levels, so the vendor invests less and instead relies on waiting for a positive audit outcome to materialize when luck strikes. At the same time, a low threshold reduces the need to gamble on the outcome of the audit and encourages the vendor to invest at the optimal (high) level from the start, aimed at ensuring a speedy pass.
3. From Figure 4b we see that the shape of the G(x) function is even more sensitive to the audit noise: a low noise (blue curve) drives xH to become the global maximum (thus high investment as an optimal strategy) and a high noise (yellow curve) drives xL to be the global maximum (thus low investment as an optimal strategy).

In short, the above observations suggest that an accurate (low noise) but not overly strict/difficult audit
(so it is possible to pass) is the best choice: it minimizes opportunistic behavior and reliance on chance and
encourages higher levels of effort earlier on in the process.

(a) G(x) with fixed σ = 10 (b) G(x) with fixed δ = 9.13

Figure 4: Different curves of the opt-in objective G(x) under different audit parameters δ and σ. (a) and
(b) respectively show the influence of δ and σ.
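The parameter sweep behind Figure 4, added here as an example that is not part of the paper or its authors' code. It uses CX from Eq. (4) with b = c = 1, R = 26, α = 0.08, and the same assumed threshold audit as before, p(x) = Φ((x − δ)/σ) (pass iff x plus N(0, σ²) noise reaches δ; Assumption 3.1 itself is outside this section). For each δ at fixed σ = 10, and each σ at fixed δ = 9.13, it lists the local maximizers of G and reports which one is the global maximizer, i.e., the vendor's one-and-done opt-in investment.

```python
import math

# Added example (not the paper's or its authors' code). Same model as Figure 4:
# C_X from Eq. (4) with b = c = 1, R = 26, alpha = 0.08, and the assumed
# threshold audit p(x) = Phi((x - delta) / sigma). It sweeps the threshold delta
# at fixed sigma = 10 and the noise sigma at fixed delta = 9.13, reporting the
# local maximizers of G and which one is the global maximizer.
B, C, R, ALPHA = 1.0, 1.0, 26.0, 0.08


def Phi(u):
    """Standard normal CDF."""
    return 0.5 * math.erfc(-u / math.sqrt(2.0))


def G(x, delta, sigma):
    """Opt-in objective of Eq. (13) under audit parameters (delta, sigma)."""
    pass_prob = Phi((x - delta) / sigma)
    cost = math.exp(-B * x) + C * x
    return -cost + pass_prob * R / (1.0 - ALPHA + ALPHA * pass_prob)


def grid(step=0.05, xmax=40.0):
    return [i * step for i in range(int(xmax / step) + 1)]


def local_maxima(delta, sigma):
    """Interior local maximizers of G(., delta, sigma) on the grid, as (x, G(x)) pairs."""
    xs = grid()
    gs = [G(x, delta, sigma) for x in xs]
    return [(xs[i], gs[i]) for i in range(1, len(xs) - 1)
            if gs[i] > gs[i - 1] and gs[i] >= gs[i + 1]]


def optimal_investment(delta, sigma):
    """Global maximizer of G on the grid: the vendor's one-and-done opt-in investment."""
    return max(grid(), key=lambda x: G(x, delta, sigma))


def sweep(deltas=(7.0, 9.13, 11.0), sigmas=(5.0, 10.0, 20.0)):
    """Rows of (varied parameter, delta, sigma, local maximizers, global maximizer)."""
    rows = []
    for d in deltas:
        rows.append(("delta", d, 10.0, [x for x, _ in local_maxima(d, 10.0)],
                     optimal_investment(d, 10.0)))
    for s in sigmas:
        rows.append(("sigma", 9.13, s, [x for x, _ in local_maxima(9.13, s)],
                     optimal_investment(9.13, s)))
    return rows


if __name__ == "__main__":
    for varied, d, s, maxima, best in sweep():
        print(f"vary {varied}: delta={d:5.2f} sigma={s:5.2f} "
              f"local maxima={[round(x, 2) for x in maxima]} global maximizer={best:.2f}")
```

Under this assumed p(x) the sweep reproduces the three observations above: raising δ from 7 to 11 at σ = 10 moves the global maximizer from the high solution to the low one, lowering σ from 20 to 5 at δ = 9.13 moves it from the low solution to the high one, and for every x the utility at the easier threshold exceeds the utility at the harder one.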

5.2 On the Vendor’s Choice of Participation


Clearly, the vendor only has an incentive to participate in the audit mechanism if U in,∗ ≥ U out,∗ , assuming
ties are broken in favor of participation. To highlight the vendor’s opt-out utility’s dependency on its risk
attitudes, we will write U out,∗ (γ) instead of U out,∗ with liability loss taking the form given in Eq. (3). The
following results follow immediately.
Theorem 5.1. There exists γ̄ ∈ [0, ∞] such that for γ ≥ γ̄, U out,∗(γ) ≤ U in,∗ and the vendor has an incentive to participate in the audit mechanism; for γ < γ̄, U out,∗(γ) > U in,∗ and the vendor prefers to stay outside. Specifically, when γ̄ = ∞, the vendor never participates; and when γ̄ = 0, the vendor always participates.

The value γ̄ is the boundary risk attitude at which the vendor is indifferent between getting the waiver/audit or not. Above this level the vendor is relatively risk averse and therefore interested in participating and transferring its risk to the auditor. Below this level the vendor is relatively risk seeking and does not have an incentive to participate.
As γ is nonnegative, participation is increased with a lower γ̄. Below we show how the auditor can lower this value by adjusting its auditing threshold and noise.
We will write the maximum opt-in utility as U in,∗(δ, σ) to emphasize its dependence on the auditing parameters. For each pair (δ, σ), we can calculate γ̄ by solving the equation U out,∗(γ) = U in,∗(δ, σ) for γ. We will similarly write it as γ̄(δ, σ). Define the coverage of an audit mechanism with a fixed threshold δ as $\bar\gamma_\delta := \inf_{\sigma \ge 0} \bar\gamma(\delta, \sigma)$. Similarly, define the coverage associated with a fixed accuracy σ as $\bar\gamma_\sigma := \inf_{\delta \ge 0} \bar\gamma(\delta, \sigma)$. The coverage of the audit mechanism where both δ and σ are free variables is denoted simply as γ̄0.

Theorem 5.2. (1) γ̄0 = 0, i.e., there exists an audit mechanism (a pair of audit parameters) that ensures full coverage (of all vendor types).
(2) For fixed σ and δ1 ≤ δ2, γ̄(δ1, σ) ≤ γ̄(δ2, σ) and γ̄σ = γ̄(0, σ). This means that γ̄(δ, σ) increases in the audit threshold δ and the maximum coverage is reached when the threshold is zero. However, this maximum is practically undesirable since a zero threshold means a non-investing vendor, which should not be waived.
(3) γ̄σ1 ≤ γ̄σ2 for every σ1 ≤ σ2. This implies higher accuracy increases the coverage by attracting less risk-averse vendors.

Figure 5 shows some numerical results highlighting the above result.

Figure 5: Contour plot of γ̄(δ, σ) against various values of δ and σ. The red dotted line signifies the zero boundary γ̄(δ, σ) = 0.

We make a similar observation that in terms of maximizing the mechanism's coverage or participation, it is once again best to have a highly accurate audit but not a very strict/difficult one.

6 Discussion and Conclusion


In this work, we explored the liability waiver mechanism enabled by security investment auditing and its
feasibility to incentivize beneficial software security practices. We formulated the mechanism as a stopping-
time problem and fully characterized the properties of an optimal strategy. Most interesting of these is the
result that there can be many equally optimal strategies, in the form of a sequence of security investments over
time, that reflect very different attitudes and tradeoffs on the part of the vendor, from low investments/slow
return to high investment and rapid return. We further showed how such an audit mechanism relates
to liability insurance and how the audit parameters (accuracy and difficulty) impact the vendor’s optimal
strategy once it opts in. We also examined how the audit parameters affect the vendor’s participation
incentive. We showed that the threshold audit mechanism could incentivize participation while inducing
high security investment at the same time. Our general conclusion is that an accurate (low noise) but not
very strict (difficult) audit can increase participation while incentivizing higher security investment.
There are a number of very interesting future directions to pursue. As mentioned earlier, a more com-
prehensive and quantitative comparison with liability insurance is of great interest and value.
Secondly, our present model assumes independent and identical audit processes being used repeatedly.
This resulted in some less desirable behavior of the vendor, such as repeating the audit till it passed without
making any real change/improvement. A worthwhile extension is to make successive audits a function of
the history, e.g., with each failure, the audit may become more strict (increasing threshold) or more/less
accurate (lower/higher noise), and so on.

Our result suggests that voluntary participation over all risk-averse vendors cannot be guaranteed simul-
taneously with high security investments. Thus, a trade-off is unavoidable if the auditor is strategic and
tasked to maximize customers’ benefits. This might suggest a constrained optimization problem that intends
to maximize the worst-case coverage capacity while keeping all participants incentive compatible and their
security investment no less than some pre-determined value. Any solution to this problem, if it exists, should
be the maximum-coverage liability waiver mechanism in which the induced security investments are no worse
than some pre-defined baseline. Based on the new mechanism, a proper “optimality” of the trade-off can be
defined and discussed from the perspective of a strategic auditor.

References
[1] R. J. Anderson, "Why information security is hard-an economic perspective," in 17th Annual Computer Security Applications Conference (ACSAC 2001), 11-14 December 2001, New Orleans, Louisiana, USA, IEEE Computer Society, 2001, pp. 358–365. doi: 10.1109/ACSAC.2001.991552. [Online]. Available: https://doi.org/10.1109/ACSAC.2001.991552.
[2] MacPherson v Buick Motor Co. 1916. [Online]. Available: https://casetext.com/case/macpherson-v-buick-motor-co-2.
[3] Donoghue v Stevenson, 1932. [Online]. Available: https://www.bailii.org/uk/cases/UKHL/1932/100.html.
[4] United States v. Carroll Towing Co. 1947. [Online]. Available: https://casetext.com/case/united-states-v-carroll-towing-co-2/.
[5] White House, Executive Order on Improving the Nation's Cybersecurity, 2021. [Online]. Available: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
[6] P. G. Chiara, "The cyber resilience act: The EU commission's proposal for a horizontal regulation on cybersecurity for products with digital elements: An introduction," International Cybersecurity Law Review, vol. 3, no. 2, pp. 255–272, 2022.
[7] Sonatype, The global regulatory landscape for the software supply chain in 2023, 2023.
[8] World Economic Forum, The global risks report 2023, 18th edition, 2023.
[9] S. Dejung, M. Liu, A. Lüder, and E. Weippl, "Managing Industrial Control Systems Security Risks for Cyber Insurance (Dagstuhl Seminar 21451)," Dagstuhl Reports, vol. 11, no. 10, S. Dejung, M. Liu, A. Lüder, and E. Weippl, Eds., pp. 36–56, 2022, issn: 2192-5283. doi: 10.4230/DagRep.11.10.36. [Online]. Available: https://drops.dagstuhl.de/entities/document/10.4230/DagRep.11.10.36.
[10] J. D. Cummins et al., "Should the government provide insurance for catastrophes," Federal Reserve Bank of St. Louis Review, vol. 88, no. 4, pp. 337–379, 2006.
[11] White House, "National cybersecurity strategy," White House, Washington, DC, 2023. [Online]. Available: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[12] M. Lelarge and J. Bolot, "Economic incentives to increase security in the internet: The case for insurance," in IEEE INFOCOM 2009, IEEE, 2009, pp. 1494–1502.
[13] M. Liu, Embracing Risk: Cyber Insurance as an Incentive Mechanism for Cybersecurity. Springer.
[14] D. W. Woods and J. Wolff, "A history of cyber risk transfer," Available at SSRN 4493171, 2023.
[15] R. Böhme, G. Schwartz, et al., "Modeling cyber-insurance: Towards a unifying framework," in WEIS, 2010.
[16] R. Böhme, "Security audits revisited," in International Conference on Financial Cryptography and Data Security, Springer, 2012, pp. 129–147.
[17] M. M. Khalili, P. Naghizadeh, and M. Liu, "Designing Cyber Insurance Policies: The Role of Pre-Screening and Security Interdependence," IEEE Transactions on Information Forensics and Security, vol. 13, no. 9, pp. 2226–2239, Sep. 2018, issn: 1556-6021. doi: 10.1109/TIFS.2018.2812205.
[18] S. Panda, D. W. Woods, A. Laszka, A. Fielder, and E. Panaousis, "Post-incident audits on cyber insurance discounts," Computers & Security, vol. 87, p. 101593, 2019.
[19] L. A. Gordon, M. P. Loeb, T. Sohail, C.-Y. Tseng, and L. Zhou, "Cybersecurity, capital allocations and management control systems," European Accounting Review, vol. 17, no. 2, pp. 215–241, 2008.
[20] P. J. Steinbart, R. L. Raschke, G. Gal, and W. N. Dilla, "The influence of a good relationship between the internal audit and information security functions on information security outcomes," Accounting, Organizations and Society, vol. 71, pp. 15–29, 2018.
[21] H. S. Herath and T. C. Herath, "IT security auditing: A performance evaluation decision model," Decision Support Systems, vol. 57, pp. 54–63, 2014.
[22] P. Rosati, F. Gogolin, and T. Lynn, "Audit firm assessments of cyber-security risk: Evidence from audit fees and SEC comment letters," The International Journal of Accounting, vol. 54, no. 03, p. 1950013, 2019.
[23] P. Rosati, F. Gogolin, and T. Lynn, "Cyber-security incidents and audit quality," European Accounting Review, vol. 31, no. 3, pp. 701–728, 2022.
[24] D. Dowson and A. Wragg, "Maximum-entropy distributions having prescribed first and second moments (corresp.)," IEEE Transactions on Information Theory, vol. 19, no. 5, pp. 689–693, Sep. 1973, issn: 0018-9448. doi: 10.1109/TIT.1973.1055060. [Online]. Available: http://ieeexplore.ieee.org/document/1055060/ (visited on 12/09/2023).
[25] E. T. Jaynes, "Information theory and statistical mechanics," Phys. Rev., vol. 106, pp. 620–630, 4 May 1957. doi: 10.1103/PhysRev.106.620. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRev.106.620.
[26] O. Hernández-Lerma, Adaptive Markov Control Processes (Applied Mathematical Sciences), F. John, J. E. Marsden, and L. Sirovich, Eds. New York, NY: Springer, 1989, vol. 79, isbn: 978-1-4612-6454-5 978-1-4419-8714-3. doi: 10.1007/978-1-4419-8714-3. [Online]. Available: http://link.springer.com/10.1007/978-1-4419-8714-3 (visited on 12/02/2023).

Appendices
A Bellman Equation with Unbounded Rewards
We prove the Bellman equation theorem when the rewards are unbounded and take specific forms in (5) and
(4). The idea is to modify the function sup-norm used in Theorem 2.2 in [26] so that it remains bounded for
linearly increasing functions such as (4).
Define the weighted norm
$$ \|V\|_w = \sup_{z \in \mathcal{Z}} \frac{|V(z)|}{w(z)}, \quad V \in \mathcal{B}, \quad (17) $$
where w(z) is the (positive) weight function defined as follows
$$ w(z) = w(f, s, x) := 1 + \frac{1}{1 + s + x}\, \mathbb{1}\{f = 0\}, \quad z \in \mathcal{Z}, $$
with 1{f = 0} being the indicator function that returns 1 when f = 0 and zero otherwise. It is easy to verify that || · ||w is a valid norm. Let B be the set of real-valued functions bounded in the norm || · ||w on the state space $\mathcal{Z} := \{0, 1\}^2 \times \mathbb{R}_+$. In fact, the space (B, || · ||w) is a Banach space as shown by the lemma below.
Lemma A.1. (B, || · ||w) is a Banach space provided that || · ||w is a valid norm.

Proof. Let {Vn}n≥0 ⊆ B be a Cauchy sequence with norm || · ||w. Define V := lim sup_{n→∞} Vn pointwise. Then, there exists a subsequence {Vnk}k≥0 such that V = lim_{k→∞} Vnk pointwise. Fix arbitrary ε > 0; the Cauchy-ness of {Vnk}k≥0 implies the existence of K > 0 such that
$$ \frac{|V_{n_k}(z) - V_{n_l}(z)|}{w(z)} < \frac{\varepsilon}{2}, \quad \forall z \in \mathcal{Z},\ \forall k, l \ge K. $$
By sending l to ∞ and the pointwise convergence, we obtain
$$ \frac{|V_{n_k}(z) - V(z)|}{w(z)} < \frac{\varepsilon}{2}, \quad \forall z \in \mathcal{Z},\ \forall k \ge K, $$
which implies
$$ \|V_{n_k} - V\|_w < \frac{\varepsilon}{2}, \quad \forall k \ge K. $$
Besides, the Cauchy-ness of {Vn}n≥0 also implies the existence of N > 0 such that ||Vn − Vm||w < ε/2 for every n, m ≥ N. Therefore, letting M := max{N, nK} and choosing k such that nk > M, we have
$$ \|V_n - V\|_w \le \|V_n - V_{n_k}\|_w + \|V_{n_k} - V\|_w \le \frac{\varepsilon}{2} + \frac{\varepsilon}{2} = \varepsilon, \quad \forall n \ge M. $$
Thus, the Cauchy sequence {Vn}n≥0 has a limit V. Choosing any n > M and by the triangle inequality, we obtain
$$ \|V\|_w \le \|V - V_n\|_w + \|V_n\|_w < \frac{\varepsilon}{2} + \|V_n\|_w < \infty. $$
So, the limit V is also in B. ■
Define the dynamic programming operator for any function in B as
$$ TV(z) := \sup_{u \in \mathcal{U}} \left[ r(z, u) + \alpha \int V(z')\, Q(dz' | z, u) \right], \quad \forall z \in \mathcal{Z}, $$
where U := {0, 1} × R+ is the action space and Q(z′|z, u) is the probability density of the next state represented by z′ given the current state-action pair (z, u). Notice the Bellman equation is the same as V = TV.
The theory of discounted-reward MDPs requires the following claims [26]:
(a) The Bellman equation V = TV has a unique solution V∗.
(b) V∗ equals the maximum objective, i.e., $V^* = \sup_g \mathbb{E}\{\sum_t \alpha^t r(z_t^g, u_t^g)\}$.
Furthermore, if $g^*(z) := \arg\sup_u \left[ r(z, u) + \alpha \int V(z')\, Q(z' | z, u) \right]$ exists for every z ∈ Z, then g∗ is the optimal stationary policy of the MDP.


To show (a), it is sufficient to prove that T is a contraction mapping; existence and uniqueness then follow by the Banach fixed-point theorem. We construct this notion in Lemmas A.2 and A.3.
Lemma A.2 (self-mapping). Suppose r is bounded above by M, which includes our specialization in (5) and (4). Then, for any V ∈ B, we have TV ∈ B.
Proof. Let V ∈ B with upper bound ||V||w ≤ B. Given any z = (f, s, x) ∈ Z,
$$ \begin{aligned} TV(z) &\le \sup_{u \in \mathcal{U}} \{r(z, u)\} + \alpha \sup_{u \in \mathcal{U}} \int V(z')\, Q(dz' | z, u) \\ &\le M + \alpha B \cdot \sup_{u \in \mathcal{U}} \int w(z')\, Q(dz' | z, u) \le M + 2\alpha B. \end{aligned} $$
The lower bound is obtained by plugging in an arbitrary action u ∈ U, i.e.,
$$ TV(z) \ge r(z, (1, 0)) + \alpha \int V(z')\, Q(z' | z, (1, 0)) \ge \alpha V(1, s, x). $$
Therefore, the weighted norm of TV is
$$ \|TV\|_w = \sup_{z \in \mathcal{Z}} \frac{|TV(z)|}{w(z)} \le \sup_{z \in \mathcal{Z}} \max\left\{ \frac{M + 2\alpha B}{w(z)},\ \alpha \frac{V(1, s, x)}{w(z)} \right\}. $$
The first term in the curly bracket is bounded for all z ∈ Z since w(·) ≥ 1. The second term is also bounded because for arbitrary z ∈ Z,
$$ \frac{V(1, s, x)}{w(z)} = \frac{V(1, s, x)}{w(1, s, x)} \cdot \frac{w(1, s, x)}{w(z)} \le \frac{B}{w(z)} \le B. $$
Therefore, ||TV||w < ∞ and consequently TV ∈ B. ■


Lemma A.3 (contraction). $T$ is a contraction mapping over $B$.
Proof. Define the operator $H$ over $B$ as
$$HV(z,u) = r(z,u) + \alpha \int V(z')\,Q(dz'|z,u), \quad V \in B.$$
Let $V_1, V_2 \in B$. Then, it follows that, for any $z \in Z$,
$$TV_1(z) - TV_2(z) = \sup_u\{HV_1(z,u)\} - \sup_{u'}\{HV_2(z,u')\} = \sup_u\left\{ HV_1(z,u) - \sup_{u'}\{HV_2(z,u')\} \right\} \le \sup_u\{HV_1(z,u) - HV_2(z,u)\} = \alpha \sup_u \int \left(V_1(z') - V_2(z')\right) Q(dz'|z,u).$$
Similarly, one can also prove by operating on the other term that
$$TV_1(z) - TV_2(z) \ge -\alpha \sup_u \int \left(V_2(z') - V_1(z')\right) Q(dz'|z,u).$$
Thus, we can derive an upper bound of the weighted absolute difference
$$\frac{|TV_1(z) - TV_2(z)|}{w(z)} \le \alpha \sup_u \int \frac{|V_1(z') - V_2(z')|}{w(z)}\,Q(dz'|z,u) \le \alpha \|V_1 - V_2\|_w \sup_u \int \frac{w(z')}{w(z)}\,Q(dz'|z,u).$$
Define $\Gamma(z,u) := \int \frac{w(z')}{w(z)}\,Q(dz'|z,u)$ and denote the entries of $z$ as $z = (f,s,x)$. (1) When $f = 1$, then $z' = z \Longrightarrow \Gamma(z,u) = w(z)/w(z) = 1$. (2) When $f = 0$ and $s = 1$, we have $z' = (1,1,x) \Longrightarrow \Gamma(z,u) = w(1,1,x)/w(0,1,x) \le 1$. (3) When $f = 0$ and $s = 0$, we obtain
$$\Gamma(z,u) = \frac{w(0,0,x+u)}{w(0,0,x)}\,(1 - p(x+u)) + \frac{w(0,1,x+u)}{w(0,0,x)}\,p(x+u) \le 1,$$
as $w(0,s,x)$ decreases in either $s$ or $x$ and $0 \le p(\cdot) \le 1$.
Therefore, we conclude
$$\|TV_1 - TV_2\|_w \le \alpha \|V_1 - V_2\|_w,$$
and that $T$ is a contraction mapping in $B$ for any $0 < \alpha < 1$. ■


Theorem A.4. The Bellman equation V = T V has a unique solution in B.
Proof. This result follows readily from Lemma A.2 and A.3 combined with Banach fixed-point theorem. ■
Theorem A.4 justifies claim (a) above. Claim (b) follows from the standard arguments, which do not depend on the unbounded-reward assumption, so we omit it here.

B Proof of Results
B.1 Lemma 4.2
Proof. Define the set B(x) := {−CX (y) + p(y)R + α(1 − p(y))V ∗ (y) : y ≥ x}. Notice that W (x) = max B(x).
Let x1 , x2 ≥ 0 and x1 ≤ x2 . Then, B(x1 ) ⊇ B(x2 ), which implies W (x1 ) ≥ W (x2 ). ■

B.2 Lemma 4.3

Proof. (i) According to Eq. (10), $W$ can be expressed as
$$W(x) = \max_{y \ge x}\left\{ -(1 - \alpha + \alpha p(y))C_X(y) + p(y)R + \alpha(1 - p(y))W(y) \right\} \ge -(1 - \alpha + \alpha p(x))C_X(x) + p(x)R + \alpha(1 - p(x))W(x),$$
which implies
$$W(x) \ge -C_X(x) + \frac{p(x)R}{1 - \alpha + \alpha p(x)},$$
as $1 - \alpha + \alpha p(x) > 0$ for every $x > 0$. For any $x \ge 0$, by Lemma 4.2, we have
$$W(x) \ge W(y) \ge -C_X(y) + \frac{p(y)R}{1 - \alpha + \alpha p(y)}, \ \forall y \ge x \quad\Longrightarrow\quad W(x) \ge \max_{y \ge x}\left\{ -C_X(y) + \frac{p(y)R}{1 - \alpha + \alpha p(y)} \right\}. \tag{18}$$
To show the reverse direction, define the function over which $W(x)$ takes its supremum as
$$g(y) := -(1 - \alpha + \alpha p(y))C_X(y) + p(y)R + \alpha(1 - p(y))W(y)$$
and the quantity
$$y^x := \max D(x) := \max\{ y \ge x : g(y) = W(x) \}. \tag{19}$$
By monotonicity of $W$, it follows that $W(x) = W(y^x) = g(y^x)$. The latter equality can be reorganized to obtain
$$W(y^x) = -C_X(y^x) + \frac{p(y^x)R}{1 - \alpha + \alpha p(y^x)} = G(y^x),$$
where the second equality is from the definition of $G(x)$, which further implies $W(x) = G(y^x)$. Since $y^x \in [x, \infty)$, we also have
$$W(x) \le \max_{y \ge x} G(y) = \max_{y \ge x}\left\{ -C_X(y) + \frac{p(y)R}{1 - \alpha + \alpha p(y)} \right\}.$$
Together with Eq. (18), we conclude that $W(x) = \max_{y \ge x} G(y)$.
(ii) To show the optimal investment, define the set
$$\mathcal{G}(x) := \arg\max_{y \ge x} G(y).$$
Let $y_x^* := a^* + x$. Then, $y_x^*$ is optimal if and only if $y_x^* \in D(x)$, with $D(x)$ defined in Eq. (19). We obtain from the above discussion
$$G(y_x^*) = W(y_x^*) = W(x) = \max_{y \ge x} G(y) \quad\Longrightarrow\quad y_x^* \in \mathcal{G}(x).$$
Now let $y_x' \in \mathcal{G}(x)$. Then, by our results in (i), $W(x) = G(y_x')$. By monotonicity of $W$ and the fact that $y_x' \ge x$, we further obtain $W(x) = W(y_x') = G(y_x')$. Transforming the latter equality by multiplying both sides with $1 - \alpha + \alpha p(y_x')$ and rearranging terms yields $W(x) = W(y_x') = g(y_x')$. This implies $y_x' \in D(x)$. Therefore, $D(x) = \mathcal{G}(x)$, i.e., any investment obtained by maximizing $G$ is optimal and any optimal investment must maximize $G$. ■

B.3 Theorem 5.1
Proof. It is sufficient to show that $U^{\mathrm{out},*}(\gamma)$ is monotonically decreasing in the risk attitude $\gamma$.
We first show that $C_L(\gamma, x)$ given in Eq. (3) is increasing in $\gamma$. Then the theorem follows directly from the fact that any pair of functions $f, g$ defined on the same domain with $f \le g$ point-wise satisfies $\sup_x f(x) \le \sup_x g(x)$.
It is sufficient to show that the function
$$g(\gamma) = \gamma \mu_Z(x) + \frac{1}{2}\gamma^2 \sigma_Z^2(x)\,\frac{1 - \Phi\!\left( -\frac{\mu_Z(x)}{\sigma_Z(x)} - \gamma \sigma_Z(x) \right)}{1 - \Phi\!\left( -\frac{\mu_Z(x)}{\sigma_Z(x)} \right)}$$
is monotonically increasing on the interval $[0, \infty)$ for each fixed $x \ge 0$. This is true since the first term is a linear function of $\gamma$ with a positive coefficient and the second term is the product of two positive increasing functions. ■

C Local Maximums of G(x)


Proof. (sketch) To avoid long equations, we sketch the key steps used in this proof. Let's first take the first-order derivative of $G(x)$, given as follows:
$$G'(x) = -c + b\exp(-bx) + \frac{R(1 - \alpha)p'(x)}{(1 - \alpha + \alpha p(x))^2}.$$
Any critical point of $G(x)$ is given by zeroing the above equation, which is equivalent to
$$c - b\exp(-bx) = \frac{R(1 - \alpha)p'(x)}{(1 - \alpha + \alpha p(x))^2}.$$
The left-hand side is monotonically increasing in $x$ with diminishing derivative. If the right-hand side is first increasing and then decreasing, then we are able to conclude that there are at most three critical points of the function $G(x)$, as illustrated in the figure below. Since the function $G(x)$ is continuous with at most 3 critical points, the number of its local maxima is at most 2, which can be easily seen by contradiction.
To characterize the shape of the right-hand side, let's take its derivative and obtain
$$\mathrm{RHS}'(x) = \frac{R(1 - \alpha)p'(x)}{\sigma} \times \frac{\frac{\delta - x}{\sigma}\,(1 - \alpha + \alpha p(x)) - 2\alpha\sigma p'(x)}{(1 - \alpha + \alpha p(x))^3}.$$
The sign of this derivative is solely determined by the term
$$H(x) := \frac{\delta - x}{\sigma}\,(1 - \alpha + \alpha p(x)) - 2\alpha\sigma p'(x).$$
Define the function
$$h(x) = x\,(1 - \alpha\Phi(x)) - 2\alpha\varphi(x),$$
where $\Phi(\cdot)$ and $\varphi(\cdot)$ are respectively the CDF and PDF of the standard normal distribution. Due to the definition of $p(x)$ and the property of the standard normal distribution that $\varphi'(x) = -x\varphi(x)$, we have the relation $H(x) = h\!\left(\frac{\delta - x}{\sigma}\right)$. Then, it is sufficient to prove that $h(x)$ is increasing in $x$. This can be done by taking two consecutive derivatives of $h$ and using the fact that $x\varphi(x) \to 0$ as $x \to \infty$. ■
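The derivative computations that the sketch above omits, carried through with the appendix's own symbols as an added worked example (not part of the original paper). It assumes, as the identity $H(x) = h((\delta - x)/\sigma)$ requires, that $p(x) = 1 - \Phi((\delta - x)/\sigma)$, so that $p'(x) = \varphi((\delta - x)/\sigma)/\sigma$.

Write $u := (\delta - x)/\sigma$. From $\varphi'(u) = -u\varphi(u)$ and $du/dx = -1/\sigma$,
$$p'(x) = \frac{\varphi(u)}{\sigma}, \qquad p''(x) = \frac{u\,\varphi(u)}{\sigma^2} = \frac{\delta - x}{\sigma^2}\,p'(x).$$
Differentiating the right-hand side $R(1 - \alpha)p'(x)/(1 - \alpha + \alpha p(x))^2$ of the critical-point equation by the quotient rule gives
$$\mathrm{RHS}'(x) = R(1 - \alpha)\,\frac{p''(x)\,(1 - \alpha + \alpha p(x)) - 2\alpha\,p'(x)^2}{(1 - \alpha + \alpha p(x))^3} = \frac{R(1 - \alpha)p'(x)}{\sigma} \times \frac{\frac{\delta - x}{\sigma}\,(1 - \alpha + \alpha p(x)) - 2\alpha\sigma p'(x)}{(1 - \alpha + \alpha p(x))^3},$$
whose prefactor is positive, so $\operatorname{sign} \mathrm{RHS}'(x) = \operatorname{sign} H(x)$. Substituting $p(x) = 1 - \Phi(u)$ and $\sigma p'(x) = \varphi(u)$,
$$H(x) = u\,(1 - \alpha\Phi(u)) - 2\alpha\varphi(u) = h(u).$$
Two derivatives of $h$, again using $\varphi'(x) = -x\varphi(x)$:
$$h'(x) = 1 - \alpha\Phi(x) - \alpha x\varphi(x) + 2\alpha x\varphi(x) = 1 - \alpha\Phi(x) + \alpha x\varphi(x),$$
$$h''(x) = -\alpha\varphi(x) + \alpha\varphi(x) + \alpha x\varphi'(x) = -\alpha x^2 \varphi(x) \le 0.$$
Hence $h'$ is non-increasing, and since $\Phi(x) \to 1$ and $x\varphi(x) \to 0$ as $x \to \infty$, $h'(x) \ge \lim_{y \to \infty} h'(y) = 1 - \alpha > 0$ for every $x$: $h$ is strictly increasing. As $h(x) \to -\infty$ for $x \to -\infty$ and $h(x) \to +\infty$ for $x \to +\infty$, $h$ has exactly one zero $x_0$, so $H(x) > 0$ for $x < \delta - \sigma x_0$ and $H(x) < 0$ for $x > \delta - \sigma x_0$: the right-hand side rises and then falls exactly once, which is what the bound of three critical points (and two local maxima) needs.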
