The economics of cybersecurity: Principles and policy options
Tyler Moore
International Journal of Critical Infrastructure Protection, 2010, vol. 3, issue 3, 103-117
Abstract:
Economics puts the challenges facing cybersecurity into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. For instance, companies operating critical infrastructures have integrated control systems with the Internet to reduce near-term, measurable costs while raising the risk of catastrophic failures, whose losses will be primarily borne by society. As long as anti-virus software is left to individuals to purchase and install, there may be a less than optimal level of protection when infected machines cause trouble for other machines rather than their owners. In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. In this paper, we examine the economic challenges that plague cybersecurity: misaligned incentives, information asymmetries, and externalities. We then discuss the regulatory options that are available to overcome these barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and providing them to the World Trade Organization (WTO).
Keywords: Information security; Economics; Payment card security; Malware; Incentives; Information asymmetries; Externalities; Intermediary liability
Date: 2010
Citations: View citations in EconPapers (15)
Downloads: (external link)
http://www.sciencedirect.com/science/article/pii/S1874548210000429
Full text for ScienceDirect subscribers only
Persistent link: https://EconPapers.repec.org/RePEc:eee:ijocip:v:3:y:2010:i:3:p:103-117
DOI: 10.1016/j.ijcip.2010.10.002
International Journal of Critical Infrastructure Protection is currently edited by Leon Strous
Bibliographic data for series maintained by Catherine Liu (repec@elsevier.com).