
Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment


Abstract

Cybersecurity practice lags behind cyber technology achievements. Solutions designed to address many problems may and do exist but frequently cannot be broadly deployed due to economic constraints. Whereas security economics focuses on cost/benefit analysis and supply/demand, we believe that more sophisticated theoretical approaches, such as economic modeling, which are rarely utilized, would derive greater societal benefits. Unfortunately, technologists pursuing interesting and elegant solutions today have little knowledge of the feasibility of broad deployment of their results and cannot anticipate the influences of other technologies, existing infrastructure, and technology evolution, nor bring the solution lifecycle into the equation. Additionally, potentially viable solutions are not adopted because the risk perceptions of potential providers and users far outweigh the economic incentives to support the introduction and adoption of new best practices and technologies that are not well enough defined. In some cases, there is no alignment with predominant and future business models or with regulatory and policy requirements.

This paper provides an overview of the economics of security, reviewing work that helped to define economic models for the Internet economy from the 1990s. We bring forward examples of potential use of theoretical economics in defining metrics for emerging technology areas, positioning infrastructure investment, and building real-time response capability as part of software development. These diverse examples help us understand the gaps in current research. Filling these gaps will be instrumental for defining viable economic incentives, economic policies, and regulations, as well as early-stage technology development approaches that can speed up commercialization and deployment of new technologies in cybersecurity.




Copyright information

© 2013 Springer Fachmedien Wiesbaden

About this chapter

Cite this chapter

Vishik, C., Sheldon, F., Ott, D. (2013). Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment. In: Reimer, H., Pohlmann, N., Schneider, W. (eds) ISSE 2013 Securing Electronic Business Processes. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-03371-2_12


  • DOI: https://doi.org/10.1007/978-3-658-03371-2_12

  • Publisher Name: Springer Vieweg, Wiesbaden

  • Print ISBN: 978-3-658-03370-5

  • Online ISBN: 978-3-658-03371-2

  • eBook Packages: Computer Science (R0)
