Maturity-Aware Cyber Insurance Optimization in IoT Networks

Abstract

As the rapid evolution and expansion of Internet of Things (IoT) devices continues to accelerate, modern infrastructures face increasing cyber risks, largely driven by device inter-connectivity, limited security maturity, and interdependent attack propagation across networks. Traditional cyber insurance models often overlook these IoT-specific characteristics, relying on uniform or simplified risk assumptions that fail to capture real-world vulnerabilities. To address this gap, this paper presents a maturity-aware cyber insurance optimization framework tailored for interconnected IoT environments. The framework integrates organizational security maturity, interdependent risk propagation modeled through a modified Susceptible–Infected–Susceptible (SIS) process, and a Stackelberg game formulation that captures strategic interactions between the insurer and the defender. Through numerical studies on representative IoT topologies, we demonstrate that maturity-aware, risk-sensitive premium structures quantitatively outperform uniform pricing baselines in cost-efficiency and insurer sustainability. Specifically, our experimental results reveal that operating at an optimal intermediate maturity level ($M=3$) reduces the defender’s total expected cost by approximately $40\%$ (from $255.38$ k to $152.36$ k) compared to the baseline state ($M=1$). Furthermore, this structural hardening triggers an $88.3\%$ reduction in full-coverage insurance premiums (from $225.38$ k to $26.36$ k). In contrast, our uniform-pricing baseline exhibits reduced profitability in our experiments due to cross-subsidization effects, reinforcing the value of tiered, risk-proportional pricing for mitigating adverse-selection incentives. In summary, this work establishes a tractable, economically viable framework for cyber insurance in IoT ecosystems and provides a foundation for future extensions to richer network settings.

1. Introduction

Cyber insurance has emerged as a critical risk management strategy for modern Internet of Things (IoT) infrastructures, serving as a necessary mechanism to mitigate the consequences of cyber incidents [1,2]. By transferring part of the cyber risk from IoT operators to insurers, cyber insurance incentivizes security investments while providing economic resilience against attacks. In this setting, multiple stakeholders interact strategically, where insurers design insurance contracts and premiums, defenders are responsible for securing IoT networks, and attackers adapt their strategies in response to deployed defenses [3,4,5]. However, a central challenge in IoT settings is that security effectiveness is strongly shaped by the organization’s security maturity to consistently implement, monitor, and improve cybersecurity controls and response processes [6,7,8]. While insurance provides economic resilience, it does not reduce the underlying probability of attack. On the contrary, investing in higher security maturity reduces risk at the source but incurs escalating implementation costs. This creates a complex decision problem: relying solely on insurance can lead to negligence (moral hazard), while striving for maximum maturity may be economically infeasible.

This trade-off is particularly drastic in the rapidly expanding IoT landscape, which forms the complex background of this study. The hyper-connectivity of modern infrastructures enables widespread connectivity across devices in homes, industries, transportation, and healthcare [9,10]. However, this widespread connectivity increases the attack surface and allows compromise to propagate across interdependent devices, so that local vulnerabilities can generate system-wide cascading risk [11,12]. Consequently, risk management in IoT requires models that jointly capture (i) dynamic infection/risk propagation, (ii) maturity-driven mitigation and recovery capability, and (iii) strategic insurance design that aligns incentives between insurers and defenders.

A central challenge in securing IoT systems is developing effective mechanisms to quantify and manage cyber risk under varying levels of network-wide security maturity in a way that aligns defender incentives with insurer profitability, while risk propagation across interconnected devices is important, conventional models often fail to capture both maturity differences and strategic interactions between insurer and defender. In this context, security maturity refers to the level of defensive capability of an organization or system, reflecting its ability to prevent, mitigate, and recover from cyber incidents, as characterized by established cybersecurity maturity models [8]. Despite its importance, security maturity is often treated implicitly or abstracted into a single investment variable in existing cyber insurance models. Such abstractions fail to capture how maturity-driven defensive capabilities interact with network connectivity and strategic insurance decisions. As a result, current models struggle to accurately reflect risk differentiation, premium fairness, and incentive alignment in IoT environments. This gap motivates the need for cyber insurance frameworks that explicitly incorporate security maturity alongside network-based risk propagation and strategic stakeholder interactions.

The existing research on IoT cyber insurance has laid valuable groundwork. Lau et al. [13,14] propose defense-aware and mutual insurance strategies for critical infrastructure. Game-theoretic frameworks such as FlipIn [3], and non-cooperative models [15] explore the strategic alignment of incentives and premiums. Meanwhile, AI-driven approaches [16,17,18] seek to improve prediction and risk assessment. Despite these advances, many models simplify the problem by assuming uniform risk parameters or ignoring complex topological dependencies and threat propagation. While our framework also adopts certain simplifying assumptions for tractability, it explicitly incorporates variations in organizational security maturity and interdependent risks across the network, which enables a more representative assessment of systemic risk than uniform models.

In this paper, we propose a maturity-aware cyber insurance framework tailored for interconnected IoT networks that models insurance design, defensive investment, and network-based cyber risk. The proposed framework enables insurers to price coverage based on maturity-aware, network-driven risk exposure, while allowing defenders to optimally balance security investment and insurance adoption. Our model captures variations in device-level risk exposure and network-wide security maturity, while also modeling interdependent risk propagation across the network. The interaction between insurer and defender is formulated as a Stackelberg game, capturing the strategic interdependence between premium design and defensive decision-making.

To address the challenges of cyber insurance design in IoT, this paper incorporates the following key contributions:

• Maturity-Aware Insurance Mechanisms: This work proposes insurance mechanisms that explicitly account for device-specific risk levels and organizational security maturity. The insurer premium-setting process is designed to incentivize better security practices while ensuring profitability and fairness in the IoT ecosystem.
• Topology-Aware Risk Modeling in IoT Networks: The paper develops a tractable framework that captures how cyber risk propagates across interconnected IoT devices. Unlike traditional models that ignore interdependence, this approach incorporates network structure, security maturity levels, and risk mitigation, enabling accurate assessment of systemic cyber threats.
• Optimization of Cyber Insurance Policies Using Game Theory: This work formulates a dual-optimization approach for both defender and insurer, leveraging game-theoretic principles. By balancing security investments, insurance premiums, and risk mitigation efforts, the model enhances decision-making for cyber insurance policies in interconnected IoT environments.

Our formulation includes interdependent optimization problems, and we validate the framework through numerical experiments on a representative IoT network. The results illustrate that maturity-aware pricing can shift the defender’s optimal decisions toward improved security at lower total expected cost, while preserving insurer profitability constraints. Across the tested parameter settings, we observe a non-trivial trade-off in which intermediate maturity levels can be cost-efficient when implementation costs exhibit diminishing returns in risk reduction.

The rest of this paper is organized as follows. Section 2 reviews related work. Section 3 presents the system model, detailing the interaction flow, Susceptible–Infected–Susceptible (SIS)-based risk propagation dynamics, and the security maturity framework. Section 4 formulates the optimization problems and game-theoretic modeling to analyze insurer–defender strategies. Section 5 provides numerical results, demonstrating the effectiveness of the maturity-aware framework and its economic superiority over conventional baselines. Finally, Section 6 concludes the paper and outlines future research directions.

2. Related Work

Cyber insurance has been extensively studied as a risk transfer mechanism for digital infrastructures, particularly in contexts where direct prevention of all cyber incidents is infeasible. Prior works have addressed both the theoretical formulation of cyber insurance policies and their application to real-world systems, including IoT networks and critical infrastructure.

2.1. Cyber Insurance for Infrastructure and IoT Networks

Lau et al. [13,14] investigate cyber insurance schemes for power systems, focusing on defense-aware premium strategies and mutual insurance among smart grid participants. These models highlight how collaborative insurance pools and optimized premium structures can incentivize stronger security investments. Pal et al. [2] propose sustainable cyber-risk management frameworks, integrating insurance with proactive defense strategies to minimize long-term system-level risk.

2.2. Game-Theoretic Models

Game theory has emerged as a powerful tool in modeling the strategic interactions between insurer and defender. Zhang et al. [3] introduce FlipIn, a Stackelberg-based incentive-compatible cyber insurance model for IoT networks that aligns defender behavior with insurer goals. Shah et al. [15] develop non-cooperative models to optimize the balance between insurance premiums and individual device-level security investments under constrained resources.

2.3. Dynamic and Game-Theoretic Optimization in Cyber Insurance

Recent research has emphasized the importance of dynamic optimization and strategic decision-making in cyber insurance modeling. Building upon static frameworks, several studies have proposed game-theoretic approaches to capture the incentive alignment between insurers and defenders in interconnected IoT systems. For example, Zhang et al. [3] develop FlipIn, a Stackelberg-based model that aligns defender behavior with insurer profit strategies, while Shah et al. [15] investigate non-cooperative games that balance insurance premiums with device-level investments. Furthermore, Zhang et al. [5] explore game-theoretic defenses against Advanced Persistent Threats (APTs), and Huang et al. [4] investigate dynamic games for proactive defense, distinguishing time-varying strategies from static baselines. These studies highlight the need for maturity-aware and incentive-compatible insurance mechanisms that adapt to varying maturity levels rather than relying on uniform risk assumptions.

Table 1. Comparison of representative cyber-insurance and network-risk frameworks and their limitations.

Framework (Ref.)	Main Contribution	Limitations/Simplifications
Lau et al. [13,14]	Defense-aware and mutual insurance mechanisms for cyber risk management in critical infrastructures	Typically abstracts IoT topology and/or assumes static risk; does not explicitly model topology-driven propagation coupled with discrete maturity tiers
Zhang and Zhu [3]	Game-theoretic cyber insurance (FlipIn) for incentive-compatible risk management in IoT systems	Risk is primarily modeled through strategic payoff structures; limited integration of maturity-tier implementation costs with topology-weighted propagation dynamics
Shah et al. [15]	Non-cooperative game balancing security decisions under resource constraints in IoT networks	Often relies on simplified/homogeneous parameterization; does not capture correlated losses arising from topology-driven propagation
Pal et al. [2]	Sustainable catastrophic cyber-risk management in IoT societies using insurance-aware strategies	Focuses on catastrophic/system-level risk abstraction; does not explicitly link discrete maturity tiers to SIS-style propagation and premium optimization
This work	Maturity-aware SIS propagation + topology-weighted exposure + Stackelberg insurance optimization	Assumes organization-level maturity M (uniform across devices); device-group-specific maturity remains future work

summarizes these representative cyber-insurance and network-risk frameworks and their limitations.

2.4. Limitations of Existing Models

While these efforts have laid a solid foundation for cyber insurance in digital ecosystems, several limitations remain. Most notably, many of the existing works assume simplified network topologies, uniform risk exposure, or centralized control, which do not reflect the topological complexity and volatility inherent in IoT systems. Few models explicitly incorporate time-varying device infection, or security maturity dynamics into the risk and contract formulation. This gap motivates the need for dynamic, topology-aware cyber insurance models that co-evolve with the IoT environment.

Many existing cyber-insurance and network-risk models adopt simplifying mathematical assumptions for tractability. Common examples include:

• Mean-field/homogeneous-mixing approximations: infection (or compromise) dynamics are modeled using a single aggregate prevalence state (or population-average infection probability), implicitly assuming homogeneous contact rates and ignoring device-to-device adjacency effects. This removes explicit graph/topology dependence and cannot represent localized cascades or high-degree “hub” exposure.
• Static expected-loss models: risk is computed from stationary vulnerability/exposure scores (or independent breach probabilities) without an explicit propagation process over network links. Under such models, devices are treated as conditionally independent and correlated loss amplification via neighboring compromise is not captured.
• Uniform risk parameters: heterogeneous IoT devices are often assigned identical (or class-agnostic) parameters (e.g., uniform infection/breach rate, uniform recovery/remediation rate, or uniform loss severity), which effectively assumes all devices share the same exposure and control effectiveness.
• Simplified topological dependence: when topology is included, it is frequently represented via coarse summaries (e.g., average degree) or unweighted links, rather than adjacency-weighted dependencies. As a result, the influence of specific neighbors and edge weights (i.e., $w_{n,m}$) on a device’s risk is typically omitted.

In contrast, our framework explicitly incorporates (i) topology-weighted propagation through neighbor influence terms, (ii) device heterogeneity via exposure/loss coefficients, and (iii) maturity-dependent mitigation that links organizational security posture to risk propagation and pricing incentives. These design choices enable us to capture systemic risk and adverse selection effects that are obscured under the above simplifications.

Furthermore, while our proposed framework introduces maturity dynamics, it currently models security maturity (M) as a uniform, organizational-level parameter. This approach effectively captures macro-level security governance and compliance but mathematically simplifies the Stackelberg game by constraining the defender’s strategy space to a single discrete variable. However, real-world IoT networks are highly heterogeneous. Treating M as uniform limits the model’s ability to precisely capture deeply segmented environments, such as those where highly vulnerable legacy sensors operate alongside heavily secured modern controllers. Consequently, device-specific or subnetwork-specific maturity variations ($M_n$ or $M_{subnet}$) remain an important limitation that future models must address to provide maximum fidelity.

3. System Model

In this section, we describe the system model, which consists of four key components: the attacker, IoT devices/nodes, defender, and insurer. Figure 1 illustrates the interactions among these components. A comprehensive summary of all mathematical notations used throughout this model is provided in

Table 2. Summary of notations.

Network Parameters
$G=(N,E)$	IoT network graph
N	Set of devices (nodes)
$\left|N\right|$	Total number of devices
E	Set of connections (edges)
W	Weighted adjacency matrix
$\rho \left(W\right)$	Spectral radius of the adjacency matrix W
$p_l$	Probability of lateral links (Erdos–Rényi model)
$\beta$	Base infection transmission rate in SIS model
$\rho$	Base recovery rate in SIS model
$\lambda$	Attacker adaptation rate
Risk Modeling
$I_n\left(t\right)$	Infection level of device n at time t
$R_n(t,M)$	Effective risk of device n at time t
$R_n\left(M\right)$	Steady-state effective risk for device n
${\gamma }_n$	Loss magnitude per breach ($) for device n
$\eta$	Risk propagation discount factor, $\eta \in [0,1]$
$w_{n,m}$	Influence weight from device m to n
$\mathcal{N}\left(n\right)$	Set of neighbors of device n
$\mu \left(M\right)$	Mitigation factor, $e^{-\alpha (M-1)}$
$\alpha$	Mitigation decay rate
${\rho }_M$	Maturity-aware recovery rate
${\beta }_{\mathrm{eff}}$	Effective infection rate, $\beta (1+\lambda )\mu \left(M\right)$
Defender Parameters
M	Risk maturity level, $M\in \{1,2,3,4,5\}$
p	Continuous operational security investment level
$\theta$	Efficiency of continuous security investment
$c_n(p,M)$	Total security investment cost for device n
k	Investment cost scaling factor
$\varphi \left(M\right)$	Organizational maturity cost function
$c_{mat}$	Scaling parameter for organizational maturity cost
$\tau$	Exponential scaling factor for organizational maturity cost
$B_n$	Security investment budget for device n
$C_{\mathrm{def}}$	Defender total expected cost
$L_n(M,C_n,p)$	Expected effective loss for device n
Insurance Parameters and Optimization
$C_n$	Insurance coverage level, $C_n\in [0,1]$
$T_n$	Insurance premium for device n
$T_n^{\mathrm{uni}}$	Uniform insurance premium
${\Pi }_n$	Insurer expected profit for device n
$\overline{\Pi }$	Average expected profit under uniform pricing
$\chi$	Premium loading factor, $\chi \ge 0$
${\chi }_n$	Device-specific premium loading factor
${\chi }_{min}$	Minimum feasible loading factor
$\delta$	Aggregate profit margin, $\delta \ge 0$
$A_c$	Per-device fixed administrative expense loading
$M^{*},p^{*},C_n^{*},{\chi }^{*}$	Stackelberg equilibrium strategies

.

3.1. Components and System Workflow

We consider an IoT network represented by an undirected graph $G=(N,E)$, where N is the fixed set of devices and E is the set of communication links. Each device $n\in N$ can be in either a secure or compromised state. Attacks propagate along the edges E, with weights $w_{n,m}$ representing the vulnerability of communication from device m to device n. Defender invests in security controls to reduce infection and improve recovery. Security investments are represented through a maturity parameter $M\in \{1,2,3,4,5\}$, treated as a discrete variable, where higher values correspond to stronger security practices and resilience. This discrete scale is consistent with widely adopted cybersecurity maturity frameworks, such as the CMMI Cybermaturity Platform [7,8] and the NIST Cybersecurity Framework [6]. In this work, the security maturity level M is modeled as an organizational-level policy rather than a device-specific parameter. This reflects the fact that maturity corresponds to enterprise-wide governance, processes, and compliance practices that apply uniformly across all deployed IoT assets, rather than being tied to individual device capabilities.

The operation of the system can be summarized as follows:

• The attacker compromises IoT devices, thereby increasing the risk levels within the network.
• The defender evaluates these risks via risk assessment and applies mitigation measures along with security investments.
• In response, the insurer analyzes the assessed risk and offers cyber insurance through tailored premiums and coverage.
• The defender receives the insurance, which helps offset potential losses, and may further adjust their security posture based on the coverage received.

3.2. Risk Management Maturity Model

The mitigation factor $\mu \left(M\right)$ and recovery rate ${\rho }_M$ are modeled to capture the diminishing returns of security investments. We map the discrete maturity levels $M\in \{1,\dots ,5\}$ to the tiers of the NIST Cybersecurity Framework (CSF) [6] using an expert rubric over governance, monitoring cadence, incident response readiness, and control coverage. For practical use, we assume M is assigned via a standard security maturity assessment aligned with the NIST CSF implementation tiers, based on evidence that is commonly available during internal/external audits and cyber-insurance underwriting. Such evidence typically includes security policy/process documentation, asset inventories, vulnerability/patch records, logging/monitoring configurations, incident-response plans, and records of exercises or past incidents. To make the mapping reproducible, we use the following evidence-based criteria:

• $M=1$ (Partial): Security activities are largely ad hoc and reactive. Typical evidence includes incomplete IoT asset inventory, irregular vulnerability/patch practices (no defined cadence or SLA), limited centralized logging/monitoring, and incident response handled case-by-case with minimal documented playbooks.
• $M=2$ (Risk-informed): Some practices exist but are not consistently applied. Evidence may include partial inventories, periodic patching/scanning for subsets of devices, and monitoring enabled for some systems without routine review procedures.
• $M=3$ (Repeatable): Processes are documented and consistently executed. Evidence includes a maintained IoT asset inventory with ownership, defined patch/vulnerability management cadence (or SLA targets) that is routinely followed, centralized logging for major IoT segments with regular review, and a documented incident-response plan that is exercised at least occasionally.
• $M=4$ (Adaptive): Controls are measured and improved. Evidence includes continuous/near-continuous monitoring for critical assets, formal metrics tracking (e.g., patch compliance rates or response time targets), and post-incident reviews that drive process improvements.
• $M=5$ (Optimized): Security is continuously optimized and threat-informed. Evidence includes proactive testing, automation/orchestration for response or containment, and continuous control validation across the IoT environment.

In our model, higher M represents stronger and more consistent security capability (e.g., better prevention/detection and faster remediation), which corresponds to lower effective infection propagation and higher recovery effectiveness.

Mathematical Mapping of Maturity to SIS Dynamics

To explicitly bridge the organizational maturity tiers described above to our dynamic infection model, we introduce two critical maturity-dependent modifiers to the standard SIS framework.

First, the mitigation factor, denoted as $\mu \left(M\right)=e^{-\alpha (M-1)}$ (where $\alpha >0$), captures the reduction in vulnerability exploitability. Higher maturity exponentially suppresses the effective infection rate, modeling the diminishing returns of preventative controls (e.g., transitioning from ad hoc patching to automated vulnerability management).

Second, the maturity-aware recovery rate, defined as ${\rho }_M=\rho {\displaystyle \frac{M}{1+M}}$, explicitly dictates the transition from the Infected (I) to the Susceptible (S) state. This formulation ensures that organizations with higher maturity remediate compromised devices faster due to better incident response readiness, while mathematically bounding the maximum recovery speed to reflect practical operational limits in IoT environments.

3.3. Modified SIS Risk Propagation Dynamics

We adopt a modified Susceptible–Infected–Susceptible (SIS) model to describe the infection dynamics within the IoT network. The traditional SIS framework captures the characteristic vulnerability lifecycle where devices transition between a Susceptible (S) operational state and an Infected (I) compromised state. However, standard SIS models assume static transmission and recovery rates. To capture the strategic realities of IoT environments, we modify this process to explicitly incorporate organizational security maturity (M) and attacker adaptivity ($\lambda$). In this context, the states of the model correspond to:

• Susceptible (S): A device is operational, but contains an unpatched vulnerability and can be compromised.
• Infected (I): The device has been successfully compromised by an attacker.
• Transition $I\to S$ (Recovery): This transition, captured by the recovery rate ${\rho }_M$, represents the successful remediation and patching of the device by the defender. This action removes the current infection, but the device returns to a susceptible state, meaning it can still be compromised again via a new vulnerability or attack vector (e.g., a new malware variant or zero-day exploit).

This dynamic reflects the reality where complete and permanent immunity to cyber threats is practically unattainable in interconnected IoT systems. Thus, the SIS framework provides a tractable and representative baseline for modeling persistent cyber risk and mitigation efforts in our optimization problem.

Formal Definition of Model Parameters

The transition probabilities in our modified model are governed by the following dynamic parameters:

• Base Infection Rate ($\beta$): The inherent transmission probability of a vulnerability traversing a network edge.
• Attacker Adaptivity ($\lambda \ge 0$): A multiplier representing the attacker’s ability to intensify their efforts (e.g., deploying zero-day exploits or increasing scanning frequency).
• Maturity-Dependent Mitigation Factor ($\mu \left(M\right)$): An exponentially decaying function, $\mu \left(M\right)=e^{-\alpha (M-1)}$, where $\alpha >0$. This multiplicatively scales down risk, reflecting how higher maturity suppresses exposure.
• Maturity-Aware Recovery Rate (${\rho }_M$): Defined as ${\rho }_M$, this captures the transition $I\to S$ representing successful remediation. It ensures recovery grows with diminishing returns under higher maturity while remaining bounded ($0<{\rho }_M<\rho$).

We emphasize that $\mu \left(M\right)$ and ${\rho }_M$ are intended as simple, tractable mappings from discrete maturity tiers to reduce exposure/propagation and improve remediation capability, with diminishing returns. We adopt the exponential form $\mu \left(M\right)=e^{-\alpha (M-1)}$ because it is monotone, bounded in $(0,1)$, and captures diminishing returns in a concise way as each increase in maturity reduces the remaining exposure by a constant proportional factor governed by $\alpha$. This type of bounded diminishing-returns behavior is widely used in security economics and breach-probability/risk-reduction modeling [19,20].

3.4. Infection Propagation Model

We model infection propagation in the IoT network $G=(N,E)$. Let $I_n\left(t\right)$ denote the infection level of device n at time t. The topology is assumed to remain fixed to reflect short-term underwriting periods in which IoT connectivity patterns remain effectively stable. The infection dynamics are given by:

$$\begin{array}{cc}\hfill I_n(t+1)& =(1-{\rho }_M)I_n\left(t\right)\hfill \\ \hfill & +\left(1-I_n\left(t\right)\right){\beta }_{\mathrm{eff}}\left(M\right)\sum _{m\in \mathcal{N}\left(n\right)}{w}_{n,m}{I}_m\left(t\right),\hfill \end{array}$$

(1)

where $\mathcal{N}\left(n\right)$ is the set of neighbors of device n. The term $w_{n,m}\ge 0$ represents the specific neighbor influence weight from device m to n. Unlike standard mean-field SIS models that assume uniform mixing and homogeneous contact rates, this topology-weighted propagation explicitly captures how a highly vulnerable or highly connected neighbor (e.g., a central gateway) disproportionately increases the risk to device n.

Within this dynamic process, the modifications explicitly manifest in two ways: the recovery of device n is directly governed by the maturity-driven recovery rate ${\rho }_M$, dictating how quickly an existing infection is contained ($I\to S$); concurrently, the probability of contracting a new infection from compromised neighbors is scaled by ${\beta }_{eff}\left(M\right)$. To avoid unintuitive coupling between attacker adaptivity and defender maturity, we decompose this effective infection rate as:

$${\beta }_{\mathrm{eff}}(M,\lambda )=\beta (1+\lambda )\mu \left(M\right),$$

(2)

where $\beta$ denotes the infection transmission rate, $\lambda$ scales overall attacker aggressiveness, and $\mu \left(M\right)$ decreases with maturity, so higher M suppresses the effective infection rate ${\beta }_{\mathrm{eff}}\left(M\right)$. Here, $\mu \left(M\right)\in (0,1]$ is a maturity-dependent mitigation factor that multiplicatively scales down the exposure-based risk (and thus expected loss/premium), with higher M implying smaller $\mu \left(M\right)$. We use an exponentially decaying form

$$\mu \left(M\right)=e^{-\alpha (M-1)},$$

(3)

with $\alpha >0$, so that $\mu \left(1\right)=1$ (no mitigation at the lowest maturity) and $\mu \left(M\right)$ decreases monotonically with M. Hence, higher-maturity M reduces ${\beta }_{\mathrm{eff}}\left(M\right)$, while larger $\lambda$ intensifies attack pressure against weakly protected systems.

3.4.1. Spectral Stability Condition

To ensure that the infection probabilities remain within the valid range ($I_n\left(t\right)\in [0,1]$), we impose a standard spectral-radius-based stability requirement for discrete-time SIS models. Let W denote the weighted adjacency matrix and $\rho \left(W\right)$ its spectral radius. A sufficient condition for preventing probability overflow in the update (1) is

$${\beta }_{\mathrm{eff}}(1,0)\rho \left(W\right)<1,$$

(4)

which constrains the worst-case effective transmission rate (at $M=1$ and $p=0$) relative to the structural amplification factor of the network. This condition is enforced when selecting $(\beta ,\lambda ,W)$ in the numerical studies.

3.4.2. Maturity-Aware Recovery Rate

To ensure that the recovery rate remains bounded and numerically stable for all maturity levels, we define the effective recovery rate as

$${\rho }_M=\rho {\displaystyle \frac{M}{1+M}},$$

(5)

which satisfies $0<{\rho }_M<\rho$ for any $M>0$, since $M/(1+M)<1$. Empirical and game-theoretic studies [21] show that mitigation effectiveness grows with diminishing returns under cyber insurance. Consistent with these findings, the bounded, saturating form in (5) preserves the monotonic increase in recovery with higher maturity M, while preventing instability in the infection dynamics of Equation (1). Maturity affects both exploitability (via $\mu \left(M\right)$) and remediation speed (via ${\rho }_M$), capturing two distinct stages of the attack lifecycle without double counting.

4. Optimization with Game-Theoretic Modeling

4.1. Defender Optimization Problem

The defender chooses their investment in security maturity M, coverage $C_n$, and continuous investment p to minimize their total expected cost, which combines direct security expenditure with expected loss from infection. A linear risk model is adopted for tractability and consistency with additive actuarial pricing, while still capturing direct and propagated infections.

The effective risk of device n at time t is modeled as:

$$R_n(t,M)=\mu \left(M\right)\left(I_n\left(t\right)+\eta \sum _{m\in \mathcal{N}\left(n\right)}{w}_{n,m}{I}_m\left(t\right)\right).$$

(6)

where $R_n(t,M)$ is a maturity-adjusted risk exposure at time t that incorporates both local and propagated infections. $\mu \left(M\right)$ decreases with maturity, and $\eta \in [0,1]$ scales the indirect liability risk. The term $I_n\left(t\right)$ captures the direct infection probability of the device itself, representing primary first-party loss potential. The summation ${\sum }_{m\in \mathcal{N}\left(n\right)}{w}_{n,m}{I}_m\left(t\right)$ accounts for risk propagated from neighboring devices, weighted by their influence $w_{n,m}$, representing correlated liability risk (e.g., third-party damages or cross-contamination cleanup). Although both terms are expressed in terms of infection levels, they represent distinct risk channels: direct compromise versus indirect propagation.

Since the insurance contract covers a fixed period, the pricing and cost analysis rely on the long-term, asymptotic behavior of the network. For the economic optimization, we define the steady-state risk exposure, $R_n\left(M\right)$, derived directly from the limit of the modified SIS process:

$$R_n\left(M\right)=\underset{t\to \infty }{lim}{R}_n(t,M)$$

(7)

This metric, $R_n\left(M\right)$, precisely quantifies the composite expected financial exposure of device n under organizational maturity level M. It encapsulates both the steady-state likelihood of direct compromise and the weighted collateral liability propagating from its topological peers. Consequently, $R_n\left(M\right)$ serves as the foundational risk signal used by the insurer to dynamically price the premium.

4.2. Expected Effective Loss

The loss faced by the defender is mitigated by insurance. The insurance coverage level $C_n\in [0,1]$ represents the proportion of risk covered for device n, while ${\gamma }_n$ denotes the unit cost incurred per unit risk. The expected effective loss depends on the infection level and maturity-based mitigation. Furthermore, continuous security investment p reduces the magnitude of losses by a factor of $e^{-\theta p}$. The expected loss is given by:

$$L_n(M,C_n,p)=(1-C_n){\gamma }_n{R}_n\left(M\right)e^{-\theta p},$$

(8)

where $\theta$ represents the efficiency of continuous investment. A higher M reduces the effective risk $R_n\left(M\right)$, while higher p mitigates the financial impact of residual breaches. The variable p represents severity-reducing controls (e.g., monitoring, backups) that lower financial loss but do not influence infection frequency, which is governed solely by M in the SIS dynamics.

4.3. Security Investment Cost

Security investments reduce risk but incur increasing marginal costs. The total security cost for device n is defined as:

$$c_n(p,M)=k{p}^2+{\displaystyle \frac{\varphi \left(M\right)}{\left|N\right|}}$$

(9)

This cost function consists of two distinct components representing different economic realities of cybersecurity defense:

Continuous Operational Investment ($k{p}^2$): Here, $p\ge 0$ represents the fractional level of continuous operational investment (e.g., frequency of patch deployment, intensity of active network monitoring), and $k>0$ is a cost-scaling coefficient. The quadratic form, $k{p}^2$, is widely adopted in classical security economics literature, such as the Gordon–Loeb model [19], to represent the strictly increasing marginal cost of day-to-day operational defenses. In practice, achieving initial basic coverage (low p) is relatively inexpensive, but incrementally pushing toward perfect, zero-day threat prevention requires an exponentially larger allocation of human and computational resources (e.g., expanding a security team’s hours to review diminishing numbers of edge-case logs).

Organizational Maturity Cost ($\varphi \left(M\right)$): The term ${\displaystyle \frac{\varphi \left(M\right)}{\left|N\right|}}$ denotes the per-device share of the global organizational maturity cost. $\varphi \left(M\right)$ represents the discrete, structural capital expenditure required to achieve and maintain a specific NIST CSF maturity tier [6]. We model $\varphi \left(M\right)$ as a strictly convex discrete function (e.g., $\varphi \left(M\right)=c_{mat}(e^{\tau (M-1)}-1)$, where $c_{mat}$ and $\tau$ are scaling parameters) to reflect the disproportionate capability jumps required at higher tiers. From a real-world perspective, transitioning from $M=1$ (Partial) to $M=2$ (Risk-informed) may only require relatively low-cost investments like purchasing basic inventory scanning tools. However, advancing from $M=4$ (Adaptive) to $M=5$ (Optimized) demands massive organizational overhauls, such as deploying fully automated SOAR (Security Orchestration, Automation, and Response) platforms, hiring specialized red-teams, and maintaining a continuous 24/7 Security Operations Center (SOC).

4.4. Insurance Premium (Tiered by Risk)

The premium charged for device n is given by the insurer pricing rule in (11), and enters the total cost of defender through $T_n(C_n,M)$.

4.5. Objective Function

The total cost of the defender is given by:

$$\underset{M,I}{min}\sum \left[L_n(M,C_n,p)+c_n(p,M)+T(C_n,M)\right]$$

(10)

subject to:

$$M\in \{1,2,3,4,5\},c_n(p,M)\le B_n,C_n\in [0,1]$$

As illustrated in Figure 2, the model forms a feedback loop in which defender decisions affect infection dynamics, which in turn affects premiums and subsequent decisions.

4.6. Insurer Optimization Problem

The insurer is modeled as the Stackelberg leader and sets the premium $T_n(C_n,M)$ anticipating the subsequent choice of maturity of the defender M, coverage $C_n$, and investment p.

The premium for device n is given by

$$T_n=(1+\chi )C_n{\gamma }_n{R}_n\left(M\right)e^{-\theta p}+A_c,$$

(11)

where $\chi \ge 0$ is the loading factor and $A_c$ is per-device fixed expense loading, chosen as 5% of the average per-device baseline risk at maturity ($M=1$). This component accounts for operational overheads (e.g., underwriting and administration) that remain fixed regardless of subsequent risk mitigation by the defender. The term $R_n\left(M\right)$ is interpreted as the insurer assessed risk level for maturity M, obtained from the SIS-based risk model. Thus, although $R_n\left(M\right)$ arises from the infection dynamics, it is treated as a known quantity once M is chosen. In the premium model, we assume the continuous investment p (e.g., configuration hardness, patch frequency) is observable by the insurer. In modern IoT contexts, this is increasingly feasible through remote attestation protocols and automated compliance auditing, while moral hazard remains a challenge in general insurance, IoT devices allow for higher observability than traditional IT. We account for the cost of this monitoring in the fixed administrative loading $A_c$.

The insurer’s expected profit for device n, denoted as ${\Pi }_n$, is defined as the premium received minus the expected claim payout. The defender’s loss function $L_n$ Equation (8) represents the retained loss (the portion $1-C_n$ not covered by insurance). The insurer is responsible for the covered portion. Thus, the profit function is:

$${\Pi }_n=T_n-C_n{\gamma }_n{R}_n\left(M\right)e^{-\theta p},$$

(12)

where $L_n(M,C_n,p)$ is the expected loss expression of the defender defined in Equation (8) which already reflects the remaining loss of the defender after insurance (via the factor $(1-C_n)$). It represents the insurer expected net balance, since the covered portion of the loss is implicitly accounted for through $C_n$ in the defender loss expression.

To avoid underpricing, premiums must satisfy the constraint

$$T_n\ge (1+{\chi }_{min})C_n{\gamma }_n{R}_n\left(M\right)+A_c,$$

(13)

which ensures that the loading factor $\chi$ remains above a minimum feasible value ${\chi }_{min}$.

Aggregating across all devices, an additional profitability constraint is imposed:

$$\sum _{n\in N}{\Pi }_n\ge \delta ,$$

(14)

where $\delta \ge 0$ represents the minimum acceptable profit margin of the insurer. The insurer optimization problem is therefore

$$\begin{array}{cc}\hfill \underset{\{C_n,\chi \}}{max}& \sum _{n\in N}{\Pi }_n\hfill \\ \hfill \mathrm{s}.\mathrm{t}.& T_n\mathrm{satisfies}\left(13\right),\hfill \\ \hfill & \sum _{n\in N}{\Pi }_n\ge \delta ,\hfill \\ \hfill & \chi \ge {\chi }_{min}.\hfill \end{array}$$

(15)

Under the Stackelberg timing, the insurer commits to the pricing parameters (e.g., $\chi$ and $A_c$) that define the schedule $T_n(C_n,M)$. After observing this schedule, the defender chooses $(M,\left\{C_n\right\},p)$ to minimize total cost.

4.7. Stackelberg Game Formulation and Equilibrium

The interaction between the insurer and the defender is formally modeled as a single-leader, single-follower Stackelberg game. This structure captures the strategic interdependence between premium design and defensive decision-making, coupled entirely through the maturity-aware risk exposure $R_n\left(M\right)$. The steady-state risk exposure $R_n\left(M\right)$, derived from the topology-aware SIS process, acts as the central bridge in this game. The defender’s choice of maturity M structurally determines $R_n\left(M\right)$. The insurer utilizes this explicit risk signal to price the premium $T_n$, which in turn drives the defender’s economic optimization.

Follower’s Problem (defender): Given an announced premium pricing schedule by the insurer, the defender aims to minimize their total expected cost (TEC), which consists of residual expected losses, implementation costs, and insurance premiums. The defender’s decision variables are the organizational maturity level M, continuous investment p, and per-device coverage levels $C_n$. For a given premium schedule $T_n$, the defender solves:

$$(M^{*},p^{*},\left\{C_n^{*}\right\})\in arg\underset{M,p,\left\{C_n\right\}}{min}\sum _{n\in N}\left[L_n(M,C_n,p)+c_n(p,M)+T_n(C_n,M)\right]$$

(16)

subject to the constraints:

$$M\in \{1,2,3,4,5\},c_n(p,M)\le B_n,C_n\in [0,1]$$

(17)

where $L_n$ is the residual expected loss Equation (8) and $c_n$ is the implementation cost Equation (9).

Leader’s Problem (insurer): Anticipating the defender’s rational optimal response $(M^{*},p^{*},\left\{C_n^{*}\right\})$, the insurer designs the premium structure to maximize aggregate expected profit. The primary decision variable for the insurer is the premium loading factor $\chi$, which scales the premium relative to the assessed risk $R_n\left(M\right)$. The insurer solves:

$${\chi }^{*}\in arg\underset{\chi \ge {\chi }_{min}}{max}\sum _{n\in N}{\Pi }_n(\chi ,M^{*},p^{*},C_n^{*})$$

(18)

subject to the profitability and feasibility constraints:

$$T_n\ge (1+{\chi }_{min})C_n{\gamma }_n{R}_n\left(M\right)+A_c\forall n\in N,\mathrm{and}\sum _{n\in N}{\Pi }_n\ge \delta$$

(19)

where ${\Pi }_n$ is the per-device profit Equation (12) and $\delta$ is the minimum acceptable aggregate profit margin.

A Stackelberg equilibrium is reached at the strategy profile $({\chi }^{*},M^{*},p^{*},\left\{C_n^{*}\right\})$ where neither party can improve their respective objective by unilateral deviation. Because M is chosen from a finite discrete set and $(\left\{C_n\right\},p,\chi )$ lie in compact feasible sets, standard continuity arguments ensure that an equilibrium exists for this timing structure.

4.8. Equilibrium Behavior and Tiered Incentives

The interaction between defender decisions and insurer pricing naturally leads to an equilibrium under the Stackelberg structure. The insurer pricing rule influences the defender choice of maturity, coverage, and investment, while the defender response is taken into account when the insurer sets premiums. When both optimization problems are satisfied simultaneously, neither party benefits from unilaterally adjusting its decision, resulting in a consistent equilibrium outcome.

A key feature of the model is the emergence of tiered incentives. Higher maturity levels reduce the effective risk $R_n\left(M\right)$ and therefore yield lower premiums, while low maturity results in higher premiums due to elevated risk exposure. This structure aligns the incentives of both parties: defenders are encouraged to improve their security posture when economically beneficial, and the insurer maintains sustainable profitability across different maturity levels.

5. Validation and Numerical Results

We evaluate the proposed cyber-insurance framework using a numerical simulation of a representative IoT environment. This unified study validates the key components of the model: (i) SIS infection dynamics with attacker adaptivity, (ii) maturity-saturated recovery, and (iii) maturity-aware premium optimization.

5.1. Simulation Environment and Topology

To ensure the evaluation reflects modern deployment conditions, we construct a representative single-site enterprise IoT network. We refer to the 2024 IoT Security Benchmark Report (Starfleet Research/Palo Alto Networks) [22], the ENISA Threat Landscape 2025 [12], and established hierarchical IoT topologies [10] to motivate the device roles and structural hierarchy.

The network consists of $\left|N\right|=60$ devices organized in a tiered hierarchical topology: 1 controller, 4 gateways, 10 cameras, 30 sensors/actuators, and 15 utility devices (APs/HVAC). Edges are deterministically connected vertically (Controller ↔ Gateways, Gateways ↔ Endpoints). To model localized connectivity and the risk of lateral movement across the same network segment, we introduce sparse lateral links among endpoints using an Erdós–Rényi random graph model with probability $p_l=0.03$. This results in a hybrid topology with a heavily skewed degree distribution: gateways act as highly connected routing “hubs” (average degree $\approx 12$), while endpoints have low localized connectivity (average degree $\approx 2.5$).

5.2. Baseline Parameterization

Table 3. Baseline parameterization for numerical studies.

Parameter	Value(s)	Justification
$\left|N\right|$	60	Represents a standard single-site enterprise IoT deployment.
$\beta$	0.35	Base transmission rate. Models an environment with highly exploitable IoT vulnerabilities and rapid lateral movement (e.g., Mirai-like propagation).
$\rho$	0.12	Base recovery rate. Reflects notoriously slow IoT remediation challenges, including limited maintenance windows and heterogeneous firmware support [23].
${\gamma }_n$ (k$)	Gateways: $[15,30]$ Cameras: $[8,15]$ Sensors: $[2,6]$	Financial loss potential assigned uniformly within bands based on asset criticality and potential operational downtime.
$\alpha$	0.6	Mitigation decay rate for $\mu \left(M\right)$. Selected to yield significant risk reduction at early maturity tiers, plateauing at higher tiers (diminishing returns).
k	800	Scales fractional continuous investment $p\in [0,1]$ into monetary cost (k$), ensuring comparability with loss severity coefficients.
$\varphi \left(M\right)$ (k$)	$\{30,60,126,$210, 318}	Convex structural capital expenditure mapped to NIST CSF tiers. Derived to reflect the escalating costs of transitioning from ad hoc tools ($M=1$) to a fully automated 24/7 SOC ($M=5$).
$\chi$	0.15	Premium loading factor (15%), standard in cyber-insurance to cover volatility and risk margin.

comprehensively details the parameters utilized in the numerical studies, alongside their justifications.

The baseline parameters are selected to represent operational constraints and threat conditions commonly observed in enterprise IoT deployments. We note that changing baseline parameters (e.g., $\beta$, $\rho$, and k) primarily shifts the magnitude and the exact location of the minimum total cost, but does not change the qualitative mechanism: diminishing returns in $\mu \left(M\right)$ combined with convex investment cost $\varphi \left(M\right)$ preserves a U-shaped total cost curve, naturally yielding an intermediate economically optimal maturity level.

5.3. Infection Dynamics

Before evaluating economic outcomes, we validate the temporal behavior of the infection model. Figure 3 illustrates the network infection prevalence over time for varying maturity levels.

For low maturity ($M=1$), the infection rapidly spreads, reaching a high steady-state prevalence due to slow recovery and high transmission rates. In contrast, at high maturity ($M=5$), the combination of robust mitigation ($\mu \left(M\right)$) and rapid recovery (${\rho }_M$) suppresses the outbreak almost immediately, maintaining near-zero prevalence.

Crucially, at the intermediate maturity ($M=3$), the system demonstrates a controlled but persistent infection level, confirming that the underlying SIS dynamics correctly capture the non-linear impact of security investments where total eradication is distinct from containment.

5.4. Defender Strategy and Economic Efficiency

In this section, we analyze the total cost minimization problem of the defender and quantify the economic advantage of the proposed framework against a static baseline. We further evaluate the impact of varying insurance coverage levels $C_n$ on the defender’s total cost.

5.4.1. Optimality Analysis

Table 4. Defender cost breakdown and coverage sensitivity across maturity levels.

Maturity	Coverage	Expected Loss	Premium	Implementation Cost	Total Cost
(M)	(Cn)	(k$)	(k$)	(k$)	(k$)
1 (Baseline)	1.0	0.00	225.38	30.00	255.38
	0.8	35.42	184.65	30.00	250.07
	0.5	88.55	123.55	30.00	242.10
3 (Optimal)	1.0	0.00	26.36	126.00	152.36
	0.8	0.81	25.43	126.00	152.24
	0.5	2.02	24.04	126.00	152.05
5	1.0	0.00	21.95	318.00	339.95
	0.8	0.04	21.91	318.00	339.95
	0.5	0.10	21.84	318.00	339.94

details the numerical breakdown of the defender cost components across all maturity levels. The “Impl. Cost” column represents the total security expenditure, comprising both the fixed structural hardening cost $\varphi \left(M\right)$ and the continuous operational investment cost $k{p}^2$.

The results reveal a clear convex cost structure (a ‘U-curve’). At low maturity ($M=1$), costs are dominated by high premiums (up to $225.38 k) or significant residual losses (up to $88.55 k at $C_n=0.5$). Conversely, at high maturity ($M=5$), while risk is negligible, the implementation costs become exorbitant ($318.00 k), exceeding the potential losses they are meant to prevent.

The global minimum occurs at the intermediate maturity $M=3$, where the total expected cost is minimized at ≈$\$152.02$ k. This indicates under the chosen parameterization that the economically optimal strategy is not to maximize security at all costs, but to balance risk reduction with investment efficiency.

5.4.2. Marginal Cost–Benefit Analysis Across Maturity

The existence of an optimal intermediate maturity (here, $M=3$) is driven by the interaction of two competing structural forces: increasing marginal implementation cost and diminishing marginal returns in risk mitigation. The organizational maturity cost $\varphi \left(M\right)$ is convex, implying that progressing to highly adaptive security tiers requires disproportionately larger capital and operational expenditure. In contrast, the mitigation factor $\mu \left(M\right)=e^{-\alpha (M-1)}$ exhibits diminishing returns: increasing maturity sharply reduces exposure at low tiers, but additional reductions become progressively smaller at higher tiers. This is reflected in the numerical breakdown in Table 4. Moving from $M=1$ to $M=3$ yields a dramatic reduction in the risk-driven premium component (e.g., from $225.38$ k to $26.36$ k at full coverage), whereas moving from $M=3$ to $M=5$ produces only marginal additional premium reduction (from $26.36$ k to $21.95$ k) while implementation cost increases substantially (from $126.00$ k to $318.00$ k). Consequently, the total expected cost becomes U-shaped across maturity levels, and the minimum occurs at an intermediate maturity where marginal risk-related savings are approximately balanced by marginal implementation cost.

Table 5. Marginal cost vs. marginal savings across maturity (derived from Table 4).

Coverage	Step	$\mathbf{\Delta }\mathit{M}$	$\mathbf{\Delta }$ Impl. Cost	$\mathbf{\Delta }$ (Loss+Premium)	$\mathbf{\Delta }$ Total Cost
Cn			(k$)	(k$ Saved)	(k$)
$1.0$	$1\to 3$	2	$+96.00$	$+199.02$	$-103.02$
$1.0$	$3\to 5$	2	$+192.00$	$+4.41$	$+187.59$
$0.8$	$1\to 3$	2	$+96.00$	$+193.83$	$-97.83$
$0.8$	$3\to 5$	2	$+192.00$	$+4.29$	$+187.71$
$0.5$	$1\to 3$	2	$+96.00$	$+186.04$	$-90.05$
$0.5$	$3\to 5$	2	$+192.00$	$+4.12$	$+187.89$

makes the economic mechanism behind the intermediate optimum explicit by comparing (i) the marginal increase in implementation cost when moving to a higher maturity tier against (ii) the marginal savings in risk-related costs (expected loss + premium). Across all coverage levels, the transition $M=1\to 3$ yields large risk-related savings (e.g., $199.02$ k at $C_n=1.0$), which substantially exceed the added implementation cost of $96.00$ k, producing a net reduction in total cost (negative $\Delta$ total cost). In contrast, the transition $M=3\to 5$ provides only negligible additional risk-related savings (approximately 4–5 k across all $C_n$), while requiring a much larger implementation cost increase of $192.00$ k, resulting in a strong increase in total cost (positive $\Delta$ total cost). This sharp drop in marginal savings reflects diminishing returns in maturity-driven risk reduction, whereas the implementation cost grows rapidly with M. Consequently, the total expected cost exhibits a U-shaped structure across maturity levels, and the economic optimum occurs at an intermediate maturity level (here, $M=3$) where marginal risk-related savings are no longer outweighed by marginal implementation cost.

5.4.3. Comparative Analysis: Maturity-Aware vs. Static Frameworks

To demonstrate the superiority of the proposed framework, we compare the optimal state ($M=3$) against a traditional static model that does not treat security maturity as a decision variable (e.g., [3]) ($M=1$) where security maturity is not treated as a decision variable.

As illustrated in Figure 4 and detailed in Table 4, the static baseline ($M=1$) suffers from high costs, reaching a total expected cost of $255.38 k at full coverage. In contrast, our maturity-aware framework ($M=3$) requires a higher upfront implementation investment ($126.0 k vs. $30.0 k). However, this structural hardening creates a shielding effect that drastically dampens infection rates.

Consequently, at $M=3$ and full coverage, insurance premiums drop by 88.3% (from $225.38 k to $26.36 k). Overall, the proposed model achieves a significant reduction in total expected cost compared to the static baseline. This confirms that investing in structural security maturity is significantly more cost-effective than relying solely on financial risk transfer. We specifically compare against the $M=1$ baseline because it represents the “factory default” state of many IoT deployments where devices are deployed with minimal security configuration. This comparison highlights the economic gap between negligence and the optimal maturity-aware posture. Furthermore, while the specific optimal maturity ($M=3$) depends on the cost function $\varphi \left(M\right)$, the convexity of the total cost curve is a robust structural property driven by the diminishing returns of the mitigation factor $\mu \left(M\right)$.

5.5. Insurer Strategy: Premium Structure

Next, we evaluate the insurer profitability under different premium allocation as the defender increases continuous operational investment p. We compare three pricing strategies:

• Uniform Pricing: Premiums are averaged across the network regardless of individual device risk, with an inefficiency penalty to model adverse selection. Under uniform pricing, all devices are charged the same premium computed from the average expected loss:

  $$\overline{\Pi }={\displaystyle \frac{1}{N}}\sum _{n=1}^N\mathbb{E}\left[{\Pi }_n\right],T_n^{\mathrm{uni}}=(1+\chi )\overline{\Pi }+A_c,\forall n.$$

  (20)
  The insurer profit is computed as total premiums minus total realized payout, and we apply a fixed $15\%$ penalty to the resulting profit as a simple proxy for inefficiency/overhead under uniform (non-risk-aligned) pricing.
• Risk-Proportional Pricing (proposed): Premiums are strictly proportional to individual device risk $R_n\left(M\right)$, following the standard pricing schedule defined in Equation (11).
• Aggressive Pricing: High-risk devices face a steeper loading factor [24,25]. Specifically, we apply a stepped multiplier to the loading factor $\chi$ based on the potential loss magnitude ${\gamma }_n$:

  $${\chi }_n=\left\{\begin{array}{cc}2.5\chi \hfill & \mathrm{if}{\gamma }_n\ge 20\hfill \\ 1.5\chi \hfill & \mathrm{if}10\le {\gamma }_n<20\hfill \\ \chi \hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

  (21)
  This structure imposes a 150% surcharge on critical infrastructure (e.g., controllers) and a 50% surcharge on mid-tier devices (e.g., cameras), while leaving low-risk sensors at the baseline rate.

Figure 5 shows that insurer profitability tracks the reduction in systemic risk, decreasing slightly as the defender continuous investment level p rises, thereby ensuring that premiums remain fair and proportional to the actual threat exposure. The risk-proportional strategy (orange) and aggressive strategy (green) represent the efficient frontier. As shown in the top panel, these strategies maintain robust profitability (≈$\$23.5$ k) across all investment levels. The curves exhibit a marginal downward slope, which confirms the incentive compatibility of the model: as the defender increases investment p to reduce risk, the insurer dynamically lowers premiums (11). This prevents windfall profits and passes savings back to the defender, while the fixed administrative component ($A_c$) ensures the insurer remains solvent even in a high-security state.

In contrast, the uniform pricing strategy performs significantly worse, yielding aggregate profits approximately 10–15% lower than the maturity-aware strategies.

To explicitly illustrate the magnitude of this inefficiency,

Table 6. Quantifying cross-subsidization: uniform vs. risk-proportional pricing at $M=3$.

Device Profile	Expected	Uniform Pricing		Risk-Prop. Pricing
	Loss (k$)	Premium	Profit Margin	Premium	Profit Margin
Gateway (High-Risk)	$3.50	$1.25	−180.0%	$4.13	+15.1%
Sensor (Low-Risk)	$0.30	$1.25	+76.0%	$0.45	+32.2%

breaks down the per-device economics for two distinct device profiles operating at the optimal maturity level ($M=3$): a high-risk routing gateway and a low-risk peripheral sensor.

Under uniform pricing, the premium is fixed across the entire network based on average expected loss. Consequently, as shown in Table 6, the insurer suffers a severe negative profit margin (−180.0%) on the high-risk gateway. This loss is heavily cross-subsidized by the low-risk sensor, which is drastically overcharged, yielding an artificially inflated margin (+76.0%) for the insurer.

In a real-world market, this massive overcharging creates strong economic incentives for low-risk participants to exit the insurance pool altogether (a classic moral hazard scenario). Once the low-risk devices drop out due to adverse selection, the insurer is left holding only the loss-making high-risk devices, directly causing the 10–15% drop in aggregate profitability observed in Figure 5. In contrast, risk-proportional pricing correctly aligns premiums with individual exposure, maintaining sustainable, positive margins across all device types. This explicit quantification confirms that maturity-aware, risk-proportional pricing is necessary not only for fairness but for the long-term economic viability of the cyber-insurance market.

5.6. Comparison with State of the Art

Our results reinforce and extend key insights from prior cyber-insurance and security economics literature, while highlighting differences that arise when topology and maturity are modeled explicitly.

• Static (non-propagating) risk and maturity-agnostic baselines: Many of the existing cyber-insurance models treat breach risk as static and independent across assets, and do not incorporate a propagation process over network links. Under such assumptions, premiums scale primarily with device value or a fixed breach probability, and improvements in organizational maturity can only be represented implicitly (e.g., via a single global risk scalar). In contrast, our SIS-driven propagation model explicitly captures correlated losses and neighbor-driven exposure via $R_n\left(M\right)$, which produces larger benefits from improving maturity at low tiers and explains the observed U-shaped total-cost curve with an interior optimum.
• Mean-field/homogeneous-mixing epidemic approximations: A common simplification in epidemic-style security modeling is to use a population-average (mean-field) infection level, which suppresses topology-specific effects and cannot represent hub-driven cascades. Our topology-weighted formulation preserves adjacency-driven dependencies and shows that risk-proportional premiums better align incentives in heterogeneous IoT graphs, because highly exposed devices face stronger pricing pressure, reducing cross-subsidization.
• Uniform pricing vs. risk-proportional pricing (adverse selection): Consistent with insurance theory, we observe that uniform pricing induces cross-subsidization, which can lead low-risk devices to overpay and high-risk devices to underpay. Our maturity-aware, risk-proportional pricing reduces this distortion by tying premiums to $R_n\left(M\right)$, yielding a more economically efficient equilibrium and improved incentives for security investment.

Overall, compared to state-of-the-art baselines that omit propagation or maturity, our results show that explicitly modeling topology-driven risk coupling and maturity-dependent mitigation yields materially different pricing and investment outcomes: the emergence of tiered incentives, reduced adverse selection under risk-proportional pricing, and an economically optimal intermediate maturity level rather than maximal security.

6. Conclusions and Future Work

In this paper, we have proposed a maturity-aware risk modeling framework for cyber insurance in interconnected IoT networks. We developed a tractable model that accounts for topology and exposure-driven device heterogeneity, security maturity, and network-wide risk propagation. By formulating the problem as a Stackelberg game between an insurer and a defender, we demonstrated how optimal strategies emerge that balance security investments, premiums, and risk mitigation across varying coverage levels. Our numerical results confirm that the proposed framework yields economically consistent outcomes and highlights a non-trivial cost–benefit optimum. Under the adopted baseline parameterization, the defender’s total expected cost is minimized at an intermediate maturity level ($M=3$). Relative to the baseline state ($M=1$), moving to $M=3$ substantially reduces the risk-driven premium component (an 88.3% premium reduction under full coverage), resulting in a minimum total expected cost of $152.36$ k compared to $255.38$ k at $M=1$. This interior optimum arises because maturity-driven risk reduction exhibits diminishing returns (through $\mu \left(M\right)$ and the resulting decline in $R_n\left(M\right)$), while the implementation cost increases rapidly with higher maturity tiers, producing a U-shaped total-cost curve. Finally, the insurer-side results indicate that tiered, risk-proportional pricing better maintains profitability and incentive alignment than a uniform pricing baseline, which suffers reduced profitability in our experiments due to cross-subsidization effects. While this work provides a strong foundation, several avenues for future research exist:

• Dynamic Risk Modeling: Extending the static framework to a dynamic one that accounts for continuous network growth, device lifecycle changes (e.g., addition and removal), and time-varying attack patterns.
• Multiple Defenders: Exploring a non-cooperative game where multiple, self-interested defenders compete for resources and insurance, which may lead to different equilibrium outcomes and pricing dynamics.
• Data-Driven Risk Assessment: Integrating more advanced machine learning and AI models to provide real-time risk assessment and dynamic premium adjustment based on live threat intelligence and behavioral analytics.
• Heterogeneous and Device-Group-Specific Maturity: Extending this framework to incorporate subnetwork or device-specific maturity vectors ($M_n$ or $M_{subnet}$). In such an extension, the topology-aware propagation model would directly couple with localized mitigation factors (${\mu }_n\left(M_n\right)$) and individual recovery rates (${\rho }_{M_n}$). This would allow the SIS dynamics to capture complex cascading effects at boundaries. For instance, modeling how a low-maturity legacy subnetwork serves as a persistent infection reservoir, and how a high-maturity target subnetwork successfully dampens that propagation through localized effective infection rates (${\beta }_{eff}\left(M_n\right)$). Consequently, insurers could offer highly granular, component-specific premium optimizations.
• Expanded Dimensions of Security Maturity: While the current model maps maturity primarily to vulnerability mitigation ($\mu \left(M\right)$) and remediation speed (${\rho }_M$), comprehensive organizational maturity encompasses broader proactive capabilities. Future iterations could adopt a multi-dimensional maturity vector. For instance, integrating proactive threat intelligence could dynamically reduce the attacker adaptivity parameter ($\lambda$) over time. Similarly, advanced threat hunting and detection capabilities could be modeled by making recovery rates explicitly time-dependent rather than static. Furthermore, integrating maturity-dependent incident response readiness directly into the loss function ($L_n$) could provide a higher fidelity economic model for how advanced planning mitigates catastrophic tail-risk before an infection propagates.

By addressing these challenges, future work can further enhance the adaptability and applicability of cyber insurance in the evolving landscape of IoT cybersecurity.