Security Economics and European Policy

In September 2007, we were awarded a contract by the European Network and Information Security Agency (ENISA) to investigate failures in the market for secure electronic communications within the European Union, and to come up with policy recommendations. In the process, we spoke to a large number of stakeholders, and held a consultative meeting in December 2007 in Brussels to present draft proposals, which established that most of them had wide stakeholder support. The formal outcome of our work was a detailed report, “Security Economics and the Internal Market”, published by ENISA in March 2008. This chapter presents a much abridged version: in it, we present the recommendations we made, along with a summary of our reasoning.
