Abstract
Cybersecurity practice lags behind cyber technology achievements. Solutions designed to address many problems may and do exist but frequently cannot be broadly deployed due to economic constraints. Whereas security economics focuses on the cost/benefit analysis and supply/demand, we believe that more sophisticated theoretical approaches, such as economic modeling, rarely utilized, would derive greater societal benefits. Unfortunately, today technologists pursuing interesting and elegant solutions have little knowledge of the feasibility for broad deployment of their results and cannot anticipate the influences of other technologies, existing infrastructure, and technology evolution, nor bring the solution lifecycle into the equation. Additionally, potentially viable solutions are not adopted because the risk perceptions of potential providers and users far outweigh the economic incentives to support introduction/adoption of new best practices and technologies that are not well enough defined. In some cases, there is no alignment with predominant and future business models as well as regulatory and policy requirements.
This paper provides an overview of the economics of security, reviewing work that helped to define economic models for the Internet economy from the 1990s. We bring forward examples of potential use of theoretical economics in defining metrics for emerging technology areas, positioning infrastructure investment, and building real-time response capability as part of software development. These diverse examples help us understand the gaps in current research. Filling these gaps will be instrumental for defining viable economic incentives, economic policies, regulations as well as early-stage technology development approaches, that can speed up commercialization and deployment of new technologies in cybersecurity.
Copyright information
© 2013 Springer Fachmedien Wiesbaden
About this chapter
Cite this chapter
Vishik, C., Sheldon, F., Ott, D. (2013). Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment. In: Reimer, H., Pohlmann, N., Schneider, W. (eds) ISSE 2013 Securing Electronic Business Processes. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-03371-2_12
DOI: https://doi.org/10.1007/978-3-658-03371-2_12
Publisher Name: Springer Vieweg, Wiesbaden
Print ISBN: 978-3-658-03370-5
Online ISBN: 978-3-658-03371-2
eBook Packages: Computer Science, Computer Science (R0)