Cyber Economic Incentives

Despite the growing focus on and widespread interest in cybersecurity, at least one aspect of this multi-dimensional problem has received relatively little attention from the research community—the economic, behavioral, or business factors that induce the private sector to select and implement cybersecurity measures. For example, little data has been collected or validated regarding how much is being spent on cybersecurity in the private sector, let alone the government sector. Likewise, the amount of damage—immediate and long term—caused by various cyberattacks or threats has not been accurately measured. Furthermore, there are no tested models to determine the ultimate value of cybersecurity measures, or business-oriented measures such as return on investment or competitive advantage obtained from adopting cybersecurity.

Incentives

The federal government can use various techniques to broaden the appeal and implementation of cybersecurity measures by the private sector. These incentives include, but are not limited to, regulatory, policy, legal, insurance or financial means. Determining how effective incentives are in helping private firms, critical infrastructure operators, and industry organizations better secure their networks and data is one of several objectives of CSD’s Cyber Economic Incentives research efforts.

Disincentives

A complementary interest for government is identifying disincentives that will discourage criminal organizations from engaging in cybercrime or cyberattacks. It is important for law enforcement agencies and security staff at private sector firms to anticipate criminal or terrorist behaviors and to identify specific internet nodes they are likely to use for their attacks. Such information can make it more difficult or too expensive and resource-intensive for criminal groups to operate. This research will also help law enforcement agencies ensure the integrity of evidence collected through investigations of cybercrime.

Three efforts in CSD’s Cyber Economic Incentives Project

Where and how much should the private sector invest in cybersecurity?
How can law enforcement alter the behaviors and motives of criminal enterprises investing in cybercrime?
In the absence of incentives, how effective are cyber security measures adopted through the self-regulating or self-motivated actions of firms or organizations?

Impact

The impact of this work will be realized through the production and use of:

Actual data on the relative value of cybersecurity measures.
Testable models or mathematical rules for determining where, how much and on what measures to invest.
Models for cybercriminal activities and Internet supply chains applicable to financial crimes and Internet trafficking of drugs and humans.
Affordable and usable information-sharing schemes and networks that enable law enforcement agencies or private organizations to coordinate and prevent crimes or minimize threats.

Unlike other research efforts, the methods being investigated focus on business aspects rather than technical aspects. By measuring the market or business value of cybersecurity targeted, lower-cost investments can be made that both control the effects of cyberthreats and mitigate the risks of cybercrime and cyberattacks.

Program Highlights and Successes

Developed an analytical model for business investments that extends the widely accepted model for the implicit (or internal) cost and value of cybersecurity measures to cover externalities, such as the total social and infrastructure costs.
Developed and tested survey instruments for five case studies
Developed large-scale industry surveys to collect actual data on cybersecurity expenditures and damages from cyberattacks.
Identified cybercrime indicators and developed models of criminal cybersupply chains for online pharmacies, including the domain chokepoints (or nodes used for managing illegal transactions).
Developed formats and standards for exchanging cybercrime data across government, law enforcement, industry and academia.