The economics of cybersecurity: Principles and policy options

Economics puts the challenges facing cybersecurity into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. For instance, companies operating critical infrastructures have integrated control systems with the Internet to reduce near-term, measurable costs while raising the risk of catastrophic failure, whose losses will be primarily borne by society. As long as anti-virus software is left to individuals to purchase and install, there may be a less than optimal level of protection when infected machines cause trouble for other machines rather than their owners. In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. In this paper, we outline the various economic challenges plaguing cybersecurity in greater detail: misaligned incentives, information asymmetries and externalities. We then discuss the regulatory options that are available to overcome these barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and reporting to the World Trade Organization (WTO).

[1]  A. Acquisti,et al.  Privacy Costs and Personal Data Protection: Economic and Legal Perspectives , 2009 .

[2]  Alessandro Acquisti,et al.  Is There a Cost to Privacy Breaches? An Event Study , 2006, WEIS.

[3]  A. Felix,et al.  FEDERAL RESERVE BANK OF KANSAS CITY , 1999 .

[4]  Hal R. Varian,et al.  System Reliability and Free Riding , 2004, Economics of Information Security.

[5]  Wolter Lemstra,et al.  The Economics of Malware , 2007 .

[6]  Tyler Moore,et al.  The Impact of Incentives on Notice and Take-down , 2008, WEIS.

[7]  Tyler Moore,et al.  The consequence of non-cooperation in the fight against phishing , 2008, 2008 eCrime Researchers Summit.

[8]  L. Jean Camp,et al.  Pricing Security - A Market in Vulnerabilities , 2004, Economics of Information Security.

[9]  Mark MacCarthy What Internet Intermediaries Are Doing About Liability and Why It Matters , 2009 .

[10]  Benjamin Edelman,et al.  Adverse selection in online "trust" certifications , 2009, WEIS.

[11]  Ross J. Anderson Why information security is hard - an economic perspective , 2001, Seventeenth Annual Computer Security Applications Conference.

[12]  Tyler Moore,et al.  Security Economics and European Policy , 2008, WEIS.

[13]  Rainer Böhme,et al.  Modeling Cyber-Insurance: Towards a Unifying Framework , 2010, WEIS.

[14]  Shameek Konar,et al.  Information As Regulation: The Effect of Community Right to Know Laws on Toxic Emissions , 1997 .

[15]  Steven Shavell,et al.  A MODEL OF THE OPTIMAL USE OF LIABILITY AND SAFETY REGULATION , 1984 .

[16]  Richard J. Sullivan The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States , 2009 .

[17]  Francesco Parisi,et al.  The Law and Economics of Cybersecurity , 2005 .

[18]  Charles D. Kolstad,et al.  Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements? , 1990 .

[19]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[20]  Stephen J. Lukasik,et al.  Deterring CyberAttacks : Informing Strategies and Developing Options for U . S . Policy Committee on Deterring Cyberattacks : Informing Strategies and Developing Options , 2010 .

[21]  Douglas A. Barnes Deworming the Internet , 2004 .

[22]  Michael Freeman,et al.  Cyber Security: Are Economic Incentives Adequate? , 2007, Critical Infrastructure Protection.

[23]  Tyler Moore,et al.  Examining the impact of website take-down on phishing , 2007, eCrime '07.

[24]  J. Bauer,et al.  Economics of Malware: Security Decisions, Incentives and Externalities , 2008 .

[25]  Rainer Böhme,et al.  Models and Measures for Correlation in Cyber-Insurance , 2006, WEIS.

[26]  Ross J. Anderson,et al.  The snooping dragon: social-malware surveillance of the Tibetan movement , 2009 .

[27]  Steven J. Murdoch,et al.  Thinking Inside the Box: System-Level Failures of Tamper Proofing , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[28]  Alessandro Acquisti,et al.  Do Data Breaches Disclosure Laws Reduce Identity Theft? , 2010, WEIS.

[29]  Eric A. Posner,et al.  Holding Internet Service Providers Accountable , 2006, Supreme Court Economic Review.

[30]  H. Kunreuther,et al.  Interdependent Security , 2003 .

[31]  M. Eric Johnson,et al.  Managing Information Risk and the Economics of Security , 2008, Managing Information Risk and the Economics of Security.

[32]  Tridib Bandyopadhyay,et al.  Why IT managers don't go for cyber-insurance products , 2009, Commun. ACM.

[33]  Richard Clayton,et al.  Might Governments Clean-Up Malware? , 2011, WEIS.

[34]  Mark MacCarthy Information Security Policy in the U.S. Retail Payments Industry , 2010, WEIS.

[35]  Giornalismo The Sunday Times , 2012 .

[36]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[37]  Sujeet Shenoi,et al.  Critical infrastructure protection , 2007 .