Security Economics and European Policy

  • Ross Anderson
  • Rainer Böhme
  • Richard Clayton
  • Tyler Moore


In September 2007, we were awarded a contract by the European Network and Information Security Agency (ENISA) to investigate failures in the market for secure electronic communications within the European Union, and come up with policy recommendations. In the process, we spoke to a large number of stakeholders, and held a consultative meeting in December 2007 in Brussels to present draft proposals, which established most had wide stakeholder support. The formal outcome of our work was a detailed report, “Security Economics and the Internal Market”, published by ENISA in March 2008. This chapter presents a much abridged version: in it, we present the recommendations we made, along with a summary of our reasoning.


Information Security Data Protection Directive Spam Message Unfair Contract Term Fixed Penalty 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Acquisti, A., Friedman, A., and Telang, R. “Is There a Cost to Privacy Breaches? An Event Study”, in 5th Workshop on the Economics of Information Security (WEIS), Cambridge, United Kingdom, 2006June.Google Scholar
  2. Akerlof, G. “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism”. Quart. J. Economics (84), 1970, pp. 488–500.CrossRefGoogle Scholar
  3. Anderson, N. “German ‘Anti-Hacker’ Law Forces Hacker Sites to Relocate”. Ars Technica, 14 August 2007. law-forcing-hacker-sites-to-relocate.html
  4. Anderson, R., and Moore, T. “The Economics of Information Security”, Science (314:5799), 2006, pp. 610–613October.CrossRefGoogle Scholar
  5. APACS. “Card Fraud Losses Continue to Fall”, Press Release, APACS, 14 March 2007.
  6. Arora, A., Krishnan, R., Telang, R., and Yang, Y. “An Empirical Analysis of Vendor Response to DisclosurePolicy”, in 4th WEIS, Cambridge, Massachusetts, 2005June.Google Scholar
  7. BBC. “Devices Attached to Cash Machines”, BBC News, 15 October 2007. Scholar
  8. Casper, C. “Examining the Feasibility of a Data Collection Framework”, ENISA, February 2008.Google Scholar
  9. Cavusoʇlu, H., Cavusoʇlu, H., and Zhang, J. “Economics of Patch Management”, in 5th WEIS, Cambridge, United Kingdom, 2006June.Google Scholar
  10. Clayton, R. “Hacking Tools are Legal for a Little Longer”, Light Blue Touchpaper, 19 June 2007. longer/
  11. Computer Security Institute. “The 12th Annual Computer Crime and Security Survey”, October 2007.
  12. Council of Europe. Convention on Cybercrime, CETS 185, November 2001.
  13. Edelman, B. “Advertisers Using WhenU”, July 2004. whenu-advertisers/
  14. Edelman, B. “Spyware: Research, Testing, Legislation, and Suits”, June 2008.http:/www. Scholar
  15. van Eeten, M., and Bauer, J. “The Economics of Malware: Security Decisions, Incentives and Externalities”, OECD, May 2008.
  16. European Commission. “i2010 Benchmarking Framework”, November 2006.http://ec. Scholar
  17. European Commission. “Report on the Outcome of the Review of the EU Regulatory Framework for Electronic Communications Networks and Services in Accordance with Directive 2002/21/EC and Summary of the 2007 Reform Proposals”, November 2007.
  18. European Economic Community. “Council Directive of 25 July 1985 on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Concerning Liabilityfor Defective Products (85/374/EEC)”, July 1985.Google Scholar
  19. European Union. “Directive 93/13/EEC of 5 April 1993 on Unfair Terms in Consumer Contracts”, April 1993.!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31993L0013&model=guichett
  20. European Union. “Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications)”, July 2002. CELEX:32002L0058:EN:HTML
  21. European Union. “Directive 2006/123/EC of the European Parliament and of the Council of of 12 December 2006 on Services in the Internal Market”, December 2006.
  22. European Union. “Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on Payment Services in the Internal Market Amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and Repealing Directive 97/5/EC Text with EEA Relevance”, November 2007.
  23. House of Lords Science and Technology Committee. Personal Internet Security, 5th Report of 2006—07, The Stationery Office, London, August 2007.Google Scholar
  24. D’Ignazio, A., and Giovannetti, E. “Spatial Dispersion of Peering Clusters in the European Internet”, Cambridge Working Papers in Economics 0601, January 2006.http:// Scholar
  25. D’Ignazio, A., and Giovannetti, E. “‘Unfair’ Discrimination in Two-sided Peering? Evidence from LINX”, Cambridge Working Papers in Economics 0621, February 2006.
  26. Jakobsson, M., and Ramzan Z. Crimeware: Understanding New Attacks and Defenses, Addison Wesley, Upper Saddle River, New Jersey, 2008.Google Scholar
  27. McPherson, D., Labovitz, C., and Hollyman, M. “Worldwide Infrastructure Security Report Volume III”, Arbor Networks, 2007.
  28. Moore, T., and Clayton, R. “Examining the Impact of Website Take-down on Phishing” in 2nd Anti-Phishing Working Group eCrime Researcher’s Summit (APWG eCrime), Pittsburgh, Pennsylvania, October 2007, pp. 1—13.Google Scholar
  29. OpenDNS. “OpenDNS Shares April 2007 PhishTank Statistics”, Press Release, 1 May 2007.
  30. Pitcom. “Critical National Infrastructure, Briefings for Parliamentarians on the Politics of Information Technology”, November 2006. PitComms1-CNI.doc
  31. Serjantov, A., and Clayton, R. “Modelling Incentives for E-mail Blocking Strategies”, in 4th WEIS, Cambridge, Massachusetts, 2005June.Google Scholar
  32. Shapiro, C., and Varian, H. Information Rules. A Strategic Guide to the Network Economy, Harvard Business School Press, Boston, Massachusetts, 1999.Google Scholar
  33. Symantec. “Internet Security Threat Report Volume XII”, September 2007. http://www. symantec. com/business/theme.jsp?themeid=threatreportGoogle Scholar
  34. Zetter, K. “Router Flaw is a Ticking Bomb”, Wired, 1 August 2005. http://www.wired. com/politics/security/news/2005/08/68365Google Scholar
  35. Zhuge, J., Holz, T., Han, X., Guo, J., and Zou, W. “Characterizing the IRC-based BotnetPhenomenon”, Reihe Informatik Technical Report TR-2007-010, December 2007.

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  • Ross Anderson
    • 1
  • Rainer Böhme
    • 2
  • Richard Clayton
    • 1
  • Tyler Moore
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeUK
  2. 2.Technische Universität DresdenDE

Personalised recommendations