Economics of cybersecurity

Abstract

The Internet has enabled tremendous economic and social innovation yet the underlying systems, networks and services sometimes fail miserably to protect the security of communications and data. Security incidents occur in many forms, including but not limited to the leaking and theft of private information, unauthorized access to information, malicious alteration of data, or software and service unavailability. Given the complexity of the problem, it seems improbable that security can be attained by eliminating all vulnerabilities. Moreover, preventative security measures are costly. Some level of uncertainty will therefore have to be accepted and choices need to be made, trading off competing objectives and limited resources. Recent research has developed approaches to better explain why certain security failures occur and others do not. These contributions clarified that security is not merely a technical problem that can be fixed with engineering solutions but that is also has important economic and behavioral dimensions that need to be addressed. Examining the incentives of players in the information and communication technology (ICT) ecosystem has been particularly fruitful in explaining the landscape of vulnerabilities and attacks that can be observed. The core of this work is rooted in information security economics. This chapter surveys the state of the art of the existing research with a focus on the criminal threats to cybersecurity.