Devising the Theory of Economic Incentives for Cybersecurity

Technologists pursuing interesting and elegant solutions in cybersecurity frequently lack the knowledge of economics to anticipate the influences of other technologies, existing infrastructure, and technology evolution on the potential success of the technologies they are creating. Viable solutions may not be adopted because the risk perceptions by potential providers and users appear to outweigh the economic benefits of new best practices and technology solutions. In some cases, new technologies are not aligned with emerging business models or regulatory and policy requirements.

On the policy side, regulatory processes are frequently developed without supporting models that could illustrate a representative set of economic flaws or benefits of proposed approaches. Improving cybersecurity is very important for society, and well-designed economic incentives could stimulate faster emergence and deployment of new cybersecurity solutions in both the technology and regulatory areas. However, we don’t yet have a broadly applicable economic theory to help devise viable economic incentives for cybersecurity.

Applications of theoretical economics to security, in the areas of development and deployment of new technologies, already exist. In addition, studies of asymmetric information in computing environments, models used in monetary economics, economic models studying liability, as well as explorations of the economic positioning of informational products could be helpful for developing a solid theory of economic incentives for cybersecurity.

A large number of outstanding studies in the economics of security were published following the burst of interest in the theoretical economics of the Internet in the 1990s, but this work hasn’t resulted in the creation of general and broadly applicable models that could be used to check the economic viability of new technologies or employed to model the influences of new regulations on global technology markets.

Several gaps will need to be filled before pragmatic models can be created. Among these gaps, we can mention:

  • Lack of broadly applicable theoretical frameworks. Research studies indicated that many issues arise simply because the economic models used today lack coherence. Misaligned economic incentives for security can slow down the introduction of new cybersecurity defenses.
  • Lack of economic theory on the role of infrastructure in the development of security defenses. Security technologies frequently require significant infrastructure investment. Federated identities, multi-tenant cloud environments and trusted computing are only a few examples of technologies that require significant infrastructure support to fully implement their vision. But there are no accepted approaches to evaluating the economic impact of the infrastructure for security.
  • Structured theoretical approach for designing viable economic incentives. Design of economic incentives that can be linked to existing and developing cybersecurity technologies remains an emerging research topic. Model-based and simulation-based studies highlighted the need for faster development in this area.
  • Mechanisms for embedding predictable economic incentives in regulatory frameworks focusing on cybersecurity. With the theory of cybersecurity economic incentives still immature, theoretical work on economic policies in cybersecurity has progressed slowly. This is especially true for devising positive incentives that are broadly applicable to different stakeholders with different levels of available resources.

The analysis of literature in economics, technologies, and policy studies in cybersecurity seems to indicate that the focus in the last two decades has been on specific problems. These studies provided very useful insights into the many elements of economics of security, but they did not build theoretical foundations of the field.

In order to pave the way towards the scientific design of economic incentives for cybersecurity, we need to continue to build the theory of the cybersecurity markets as a foundation for multi-disciplinary work that includes economic incentives. This work, supplemented by the case studies in technology development and deployment, will help researchers and practitioners gain better insight into the complex interactions of security technologies, economic incentives, and the regulatory space, and to generalize the results of earlier theoretical and practical initiatives.

One Response to Devising the Theory of Economic Incentives for Cybersecurity

  1. Matthew Rosenquist says:

    The foundations of economic incentives for cybersecurity are not new, as the same basic challenges faced today have remained true in the past. The lack of robustness at a holistic level is due to the vast numbers of chaotic elements presented. Hence much of the work appears tactical, where fewer variables allow for more accurate and relevant work.

    Cybersecurity economics are simply an evolution of older models/theories which is applied to new technology tools of the time. The principles are the same and derived from older forms of security, such as physical security and military value models. History is chock-full of failures, successes, political debates, models, and tests. I recommend you look at the work from various military/political schools of thought for historical lessons, as well as Carnegie Mellon and the SecurityMetrics.org teams for modern cybersec insights.