Mapping the Cybersecurity Institutional Landscape

Purpose: There is growing contestation between states and private actors over cybersecurity responsibilities, and its governance is ever more susceptible to nationalization. The authors believe these developments are based on an incomplete picture of how cybersecurity is actually governed in practice and theory. Given this disconnect, this paper aims to provide a cohesive understanding of the cybersecurity institutional landscape.

Design/methodology/approach: Drawing from institutional economics and using extensive desk research, the authors develop a conceptual model, broadly sketch the activities and contributions of market, networked and hierarchical governance structures, and analyze how they interact to produce and govern cybersecurity.

Findings: Analysis shows robust market and networked governance structures and a more limited role for hierarchical structures. Ex ante efforts to produce cybersecurity using purely hierarchical governance structures, even when buttressed with support from networked governance structures, struggle without market demand, as in the case of secure internet identifiers. By contrast, ex post efforts such as botnet mitigation, route monitoring and other activities involving information sharing seem to work under a variety of combinations of governance structures.

Originality/value: The authors' conceptual framework and observations offer a useful starting point for unpacking how cybersecurity is produced and governed; ultimately, we need to understand if and how these governance structure arrangements actually impact variation in observed levels of cybersecurity.
