The Need for Public Policy Interventions in Information Security
2013
Abstract
Should public policy-makers set minimum levels of behaviour for individuals and corporations regarding information security policies and investments? We consider a model in which a finite number of targets are at risk of attack, attacks are costly, and have a finite probability of success. One important innovation is an explicit model of the decisions of potential attackers on whether to mount attacks. The model shows how the behaviour of attackers and the nature of the technological environment can create a role for a policy-maker to coordinate optimal minimum levels of protective expenditure for firms.
Related papers
… Security Applications Conference, 2001. …, 2001
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved.
The increasing concerns of clients, particularly in online commerce, plus the impact of legislation on information security have compelled companies to put more resources into information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions.
2017
Cyber-security tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing ‘nothing’ is the optimal strategy when substantial fixed adjustment costs are present. Indeed, anecdotal experience of chief information security officers by the authors indicates that uncertain costs that might be incurred by rapid adoption of security updates do induce substantial delay, so the industry does appear to understand this aspect of economics quite well. From a policy perspective the inherently discontinuous adjustment path taken by firms can cause difficulties in determining a) the most effective public policy remit and b) assessing the effectiveness of any enacted policies ex-post. This article provides a short summary of the key ideas of the pressing policy issues on the cyber security agenda.
Computers & security, 2005
This article introduces the reader to the sceptic of the economic evaluation of a security framework. We identify that there must be an economic evaluation of security investment, in order to avoid the cost and risks of a security breach. We vindicate why the security economic plan must encompass our choices to provide security solutions. Furthermore, we consider what measurements are employed to provide confidence in security to an acceptable level.
Lecture Notes in Computer Science, 2010
The disconnect between meager user investments in security technology and the resulting potential losses can be partially explained by negative externalities: that is, the level of effective protection that security-conscious users obtain is considerably lowered by the insecure behavior from their peers, which in turn provides a personal disincentive to invest in security primitives. Likewise, the lack of accurate understanding of threats is commonly held to significantly weaken the quality of security decision-making.
Cyber security breaches inflict costs to consumers and businesses. The possibility also exists that a cyber security breach may shut down an entire critical infrastructure industry, putting a nation’s whole economy and national defense at risk. Hence, the issue of cyber security investment has risen to the top of the agenda of business and government executives. This paper examines how the existence of well-recognized externalities changes the maximum a firm should, from a social welfare perspective, invest in cyber security activities. By extending the cyber security investment model of Gordon and Loeb [1] to incorporate externalities, we show that the firm’s social optimal investment in cyber security increases by no more than 37% of the expected externality loss.
International Journal of Information Management, 2008
This paper presents an approach enabling economic modelling of information security risk management in contemporaneous businesses and other organizations. In the world of permanent cyber attacks on ICT systems, risk management is becoming a crucial task for minimization of the potential risks that can endanger their operation. The prevention of the heavy losses that may happen due to cyber attacks and other information system failures in an organization is usually associated with continuous investment in different security measures and purchase of data protection systems. With the rise of the potential risks, the investment in security services and data protection is growing and is becoming a serious economic issue for many organizations and enterprises. This paper analyzes several approaches enabling assessment of the necessary investment in security technology from the economic point of view. The paper introduces methods for identification of the assets, the threats, and the vulnerabilities of the ICT systems and proposes a procedure that enables selection of the optimal investment in the necessary security technology based on the quantification of the values of the protected systems. The possibility of using the approach for external insurance based on the quantified risk analyses is also provided.
Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp on - HoTSoS, 2017
Most security defenses can be breached by motivated adversaries; therefore, in addition to attack-prevention technologies, firms investing in cyber-security for their information technology infrastructure need to consider attack-detection and restoration tools to detect intruders and restore their system to a safe condition. Attackers face similar investment alternatives: they need to invest resources in finding vulnerabilities in a protected system, and once the protection has been broken, they need to invest in the infrastructure necessary to exploit these attacks and maintain stealthy persistence in the compromised infrastructure. We model these dual considerations as a dynamic programming problem between attackers and defenders and then study the Nash equilibrium of this game. Our goal is to find models and alternatives that can help us understand optimal security investments in prevention and detection against advanced rational adversaries.
Telecommunications Policy, 2009
Information security breaches are increasingly motivated by fraudulent and criminal motives. Reducing their considerable costs has become a pressing issue. Although cybersecurity has strong public good characteristics, most information security decisions are made by individual stakeholders. Due to the interconnectedness of cyberspace, these decentralized decisions are afflicted with externalities that can result in sub-optimal security levels. Devising effective solutions to this problem is complicated by the global nature of cyberspace, the interdependence of stakeholders, as well as the diversity and heterogeneity of players. The paper develops a framework for studying the co-evolution of the markets for cybercrime and cybersecurity. It examines the incentives of stakeholders to provide for security and their implications for the ICT ecosystem. The findings show that market and non-market relations in the information infrastructure generate many security-enhancing incentives. However, pervasive externalities remain that can only be corrected by voluntary or government-led collective measures. Telecommunications Policy 33 (2009) 706-719
Information Systems Frontiers, 2007
This paper chronicles the development of economics of information security as an academic area of research. It also describes the contributions of the papers in the special section of this issue devoted to the topic.