Policy, Statistics, and Questions: Reflections on UK Cyber Security Disclosures

Empirical analysis within the field of information security economics is fraught with difficulty, primarily due to a lack of data. Over the last three years, the UK Government, through the Department for Business, Innovation & Skills (BIS), has taken a lead in the area of public disclosure on corporate cyber intrusions via their Information Security Breaches Survey. The recent development of the Cyber Essentials scheme by the same department presents a unique opportunity for reasonably correlated data to be analysed against public policy. We describe some initial steps in undertaking such an analysis by performing standard economics calculations on this data. Through the examination of three key questions that are central to the relationship between these documents, economic implications of the existing policy are highlighted against the reported threats. Somewhat inevitably, the results echo the well-worn ‘it depends’ answer to the question of cyber security expenditure need; nevertheless, in doing so, they do point out the dependencies. We aim to provide further insight into the method with a view to helping inform a range of stakeholders: policy-makers; those who make decisions with respect to data disclosures; and those looking to policy to help guide their investment in cyber security.
