Abstract
Data breaches, occurring either on the customer’s PCs or on the service provider’s equipment, expose customers to significant economic losses. An ex-ante regulation policy that apportions a fraction of the losses to the service provider (a damage-sharing policy) may reduce the burden for the customer and lead the service provider to invest more in security. We analyse this regulation policy through a game-theoretic approach, where the customer acts on the amount of personal information it reveals, and the service provider acts on the amount of security investments. We show that the game exhibits a single Nash equilibrium in a realistic scenario. In order to optimize the social welfare, the regulator has to choose the fraction of damage apportioned to the service provider. We show that the policy is relatively ineffective unless the fraction of damage charged to the service provider is quite large, beyond 60%. On the other hand, if the policy is applied with a large damage-sharing factor, the overall social welfare falls heavily.
The support of the Euro-NF Network of Excellence is gratefully acknowledged by the third author. The paper reflects the personal opinion of the authors and cannot be regarded as an official position of the Garante on the subject.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Verizon Risk Team: 2011 Data Breach Investigations Report. Technical report, Verizon (2011)
Hoffmann, L.: Risky business. Commun. ACM 54(11), 20–22 (2011)
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)
European Network and Information Security Agency (ENISA): Economics of Security: Facing the Challenge (2011)
Lee, Y.J., Kauffman, R.J., Sougstad, R.: Profit-maximizing firm investments in customer information security. Decision Support Systems 51(4), 904–920 (2011)
D’Acquisto, G., Flamini, M., Naldi, M.: A Game-Theoretic Formulation of Security Investment Decisions under Ex-ante Regulation. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 412–423. Springer, Heidelberg (2012)
Gibbons, R.: A Primer in Game Theory. Prentice-Hall (1992)
D’Acquisto, G., Naldi, M., Italiano, G.F.: Personal data disclosure and data breaches: the customer’s viewpoint. ArXiv e-prints (2012)
Javelin: 2011 identity fraud survey report. Technical report, Javelin Strategy (2011)
Romanosky, S., Sharp, R., Acquisti, A.: Data breaches and identity theft: When is mandatory disclosure optimal? In: The Ninth Workshop on the Economics of Information Security (WEIS), June 7-8. Harvard University, USA (2010)
Osservatorio eCommerce B2c: B2c eCommerce in Italy. Technical report, Netcomm-School of Management of Politecnico di Milano (2011) (in Italian)
Casaleggio Associati: E-commerce in Italy 2011. Technical report (April 2011) (in Italian), http://www.casaleggio.it/e-commerce/
AGCOM (Italian Communications Regulatory Authority): Annual report (2011), http://www.agcom.it
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
D’Acquisto, G., Flamini, M., Naldi, M. (2012). Damage Sharing May Not Be Enough: An Analysis of an Ex-ante Regulation Policy for Data Breaches. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2012. Lecture Notes in Computer Science, vol 7449. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32287-7_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-32287-7_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32286-0
Online ISBN: 978-3-642-32287-7
eBook Packages: Computer ScienceComputer Science (R0)