IDEAS home Printed from https://ideas.repec.org/a/eee/ijocip/v3y2010i3p103-117.html
   My bibliography  Save this article

The economics of cybersecurity: Principles and policy options

Author

Listed:
  • Moore, Tyler

Abstract

Economics puts the challenges facing cybersecurity into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. For instance, companies operating critical infrastructures have integrated control systems with the Internet to reduce near-term, measurable costs while raising the risk of catastrophic failures, whose losses will be primarily borne by society. As long as anti-virus software is left to individuals to purchase and install, there may be a less than optimal level of protection when infected machines cause trouble for other machines rather than their owners. In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. In this paper, we examine the economic challenges that plague cybersecurity: misaligned incentives, information asymmetries, and externalities. We then discuss the regulatory options that are available to overcome these barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and providing them to the World Trade Organization (WTO).

Suggested Citation

  • Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    • Handle: RePEc:eee:ijocip:v:3:y:2010:i:3:p:103-117
    DOI: 10.1016/j.ijcip.2010.10.002
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1874548210000429
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.ijcip.2010.10.002?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Konar, Shameek & Cohen, Mark A., 1997. "Information As Regulation: The Effect of Community Right to Know Laws on Toxic Emissions," Journal of Environmental Economics and Management, Elsevier, vol. 32(1), pages 109-124, January.
    2. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    3. Sari Pekkala Kerr & Tuomas Pekkarinen & Roope Uusitalo, 2013. "School Tracking and Development of Cognitive Skills," Journal of Labor Economics, University of Chicago Press, vol. 31(3), pages 577-602.
    4. George A. Akerlof, 1970. "The Market for "Lemons": Quality Uncertainty and the Market Mechanism," The Quarterly Journal of Economics, President and Fellows of Harvard College, vol. 84(3), pages 488-500.
    5. Kolstad, Charles D & Ulen, Thomas S & Johnson, Gary V, 1990. "Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements?," American Economic Review, American Economic Association, vol. 80(4), pages 888-901, September.
    6. Michel J. G. van Eeten & Johannes M. Bauer, 2008. "Economics of Malware: Security Decisions, Incentives and Externalities," OECD Science, Technology and Industry Working Papers 2008/1, OECD Publishing.
    7. Richard J. Sullivan, 2009. "The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States," Payments System Research Briefing, Federal Reserve Bank of Kansas City, issue October, pages 1-5.
    8. Steven Shavell, 1984. "A Model of the Optimal Use of Liability and Safety Regulation," RAND Journal of Economics, The RAND Corporation, vol. 15(2), pages 271-280, Summer.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Yugang He, 2024. "China’s digital shadows: unveiling the economic toll of cybercrime," Palgrave Communications, Palgrave Macmillan, vol. 11(1), pages 1-10, December.
    2. Toni Ahnert & Michael Brolley & David Cimon & Ryan Riordan, 2022. "Cyber Risk and Security Investment," Staff Working Papers 22-32, Bank of Canada.
    3. Tyler MOORE & Richard CLAYTON, 2011. "The Impact of Public Information on Phishing Attack and Defense," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(81), pages 45-68, 1st quart.
    4. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    5. Richard J. Sullivan, 2014. "Controlling security risk and fraud in payment systems," Economic Review, Federal Reserve Bank of Kansas City, issue Q III, pages 5-36.
    6. Mezei, Péter & Verteș-Olteanu, Andreea, 2020. "Editorial: From trust in the system to trust in the content," Internet Policy Review: Journal on Internet Regulation, Alexander von Humboldt Institute for Internet and Society (HIIG), Berlin, vol. 9(4), pages 1-28.
    7. Moritz-C. Schlegel & Claudia Koch & Mona Mirtsch & Andrea Harrer, 2021. "Smart Products Enable Smart Regulations—Optimal Durability Requirements Facilitated by the IoT," Sustainability, MDPI, vol. 13(8), pages 1-14, April.
    8. Higgs, James & Flowerday, Stephen, 2024. "Towards Definitive Categories for Online Video Game Money Laundering," SocArXiv ckxa8, Center for Open Science.
    9. Dirk Wrede & Tino Stegen & Johann-Matthias Schulenburg, 2020. "Affirmative and silent cyber coverage in traditional insurance policies: Qualitative content analysis of selected insurance products from the German insurance market," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 657-689, October.
    10. Alexander A. Ganin & Phuoc Quach & Mahesh Panwar & Zachary A. Collier & Jeffrey M. Keisler & Dayton Marchese & Igor Linkov, 2020. "Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management," Risk Analysis, John Wiley & Sons, vol. 40(1), pages 183-199, January.
    11. Galbraith, John W. & Iuliani, Luca, 2019. "Measures of robustness for networked critical infrastructure: An empirical comparison on four electrical grids," International Journal of Critical Infrastructure Protection, Elsevier, vol. 27(C).
    12. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    13. Rajan, Rishabh & Rana, Nripendra P. & Parameswar, Nakul & Dhir, Sanjay & Sushil, & Dwivedi, Yogesh K., 2021. "Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management," Technological Forecasting and Social Change, Elsevier, vol. 170(C).
    14. Olaf Jonkeren & Piet Rietveld, 2016. "Protection of Critical Waterborne Transport Infrastructures: An Economic Review," Transport Reviews, Taylor & Francis Journals, vol. 36(4), pages 437-453, July.
    15. Andjelka Kelic & Zachary A. Collier & Christopher Brown & Walter E. Beyeler & Alexander V. Outkin & Vanessa N. Vargas & Mark A. Ehlen & Christopher Judson & Ali Zaidi & Billy Leung & Igor Linkov, 2013. "Decision framework for evaluating the macroeconomic risks and policy impacts of cyber attacks," Environment Systems and Decisions, Springer, vol. 33(4), pages 544-560, December.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    2. Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
    3. Michael Faure, 2009. "Environmental Liability," Chapters, in: Michael Faure (ed.), Tort Law and Economics, chapter 10, Edward Elgar Publishing.
    4. Pat Akey & Ian Appel, 2021. "The Limits of Limited Liability: Evidence from Industrial Pollution," Journal of Finance, American Finance Association, vol. 76(1), pages 5-55, February.
    5. Bartsch, Elga, 1996. "Enforcement of environmental liability in the case of uncertain causality and asymmetric information," Kiel Working Papers 755, Kiel Institute for the World Economy (IfW Kiel).
    6. Kenneth S. Corts, 2013. "Prohibitions on False and Unsubstantiated Claims: Inducing the Acquisition and Revelation of Information through Competition Policy," Journal of Law and Economics, University of Chicago Press, vol. 56(2), pages 453-486.
    7. Tomas J. Philipson & George Zanjani, 2013. "Economic Analysis of Risk and Uncertainty induced by Health Shocks: A Review and Extension," NBER Working Papers 19005, National Bureau of Economic Research, Inc.
    8. Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," LIDAM Discussion Papers CORE 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    9. Suurmond, Guido, 2007. "The effects of the enforcement strategy," MPRA Paper 21142, University Library of Munich, Germany.
    10. Gérard Mondello, 2013. "Ambiguous Beliefs on Damages and Civil Liability Theories"," Post-Print halshs-00929948, HAL.
    11. Stefan Ambec & Paul Lanoie, 2007. "When and Why Does It Pay To Be Green?," CIRANO Working Papers 2007s-20, CIRANO.
    12. Andrzej Baniak & Peter Grajzl, 2014. "Controlling Product Risks when Consumers are Heterogeneously Overconfident: Producer Liability vs. Minimum Quality Standard Regulation," CESifo Working Paper Series 5003, CESifo.
    13. Gérard Mondello, 2022. "Strict liability, scarce generic input and duopoly competition," European Journal of Law and Economics, Springer, vol. 54(3), pages 369-404, December.
    14. Sébastien Pouliot & Daniel A. Sumner, 2008. "Traceability, Liability, and Incentives for Food Safety and Quality," American Journal of Agricultural Economics, Agricultural and Applied Economics Association, vol. 90(1), pages 15-27.
    15. Marcel Boyer & Donatella Porrini, 2010. "Optimal liability sharing and court errors: an exploratory analysis," Working Papers hal-00463913, HAL.
    16. Justus Wesseler & Gijs Kleter & Marthe Meulenbroek & Kai P. Purnhagen, 2023. "EU regulation of genetically modified microorganisms in light of new policy developments: Possible implications for EU bioeconomy investments," Applied Economic Perspectives and Policy, John Wiley & Sons, vol. 45(2), pages 839-859, June.
    17. Eberl, Jakob & Jus, Darko, 2012. "The year of the cat: Taxing nuclear risk with the help of capital markets," Energy Policy, Elsevier, vol. 51(C), pages 364-373.
    18. Jonathan Yoder, 2008. "Liability, Regulation, and Endogenous Risk: The Incidence and Severity of Escaped Prescribed Fires in the United States," Journal of Law and Economics, University of Chicago Press, vol. 51(2), pages 297-325, May.
    19. Boyer, Marcel & Porrini, Donatella, 2011. "The impact of court errors on liability sharing and safety regulation for environmental/industrial accidents," International Review of Law and Economics, Elsevier, vol. 31(1), pages 21-29, March.
    20. Bartsch, Elga, 1997. "Environmental liability, imperfect information, and multidimensional pollution control," International Review of Law and Economics, Elsevier, vol. 17(1), pages 139-146, March.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:ijocip:v:3:y:2010:i:3:p:103-117. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/international-journal-of-critical-infrastructure-protection .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.