Cyber-Insurance as a Signaling Game: Self-Reporting and External Security Audits