Abstract
With the continuing growth of the use of the Internet for business purposes, the consequences of a possible cyber attack that could create a large-scale outage of long duration become an increasingly serious economic issue. In this paper, we construct a game-theoretic model that addresses the economic motivations for investment in added Internet security and makes a case for a possible market failure in the form of underinvestment in the provision of Internet security. This result relies on the fact that the social value derived from consumption (which is at least equal to a fraction of the surplus derived from e-commerce) greatly exceeds the revenue at stake associated with the telecommunications companies’ and ISPs’ security levels. If the ratio of social value to revenue at stake to Internet providers continues to grow, the likelihood of underinvestment in security becomes higher and some form of regulation may become necessary. We discuss the difficulties associated with designing and enforcing a regulatory scheme based upon mandatory security standards.
Cite this article
Garcia, A., Horowitz, B. The potential for underinvestment in internet security: implications for regulatory policy. J Regul Econ 31, 37–55 (2007). https://doi.org/10.1007/s11149-006-9011-y
DOI: https://doi.org/10.1007/s11149-006-9011-y