INTRODUCTION
The Internet has enabled tremendous economic and social innovation yet the underlying systems, networks and services sometimes fail miserably to protect the security of communications and data.
Security incidents occur in many forms, including but not limited to the leaking and theft of private information, unauthorized access to information, malicious alteration of data, or software and service unavailability. Enumerating all the technical ways in which security may be breached would generate a lengthy list, as the network, devices, users, and services can all be attacked. A typical network runs hundreds of protocols and hosts devices operating thousands of applications consisting of millions of lines of code. Looking for solutions opens up an equally unwieldy range of ideas, technologies and complications. Not surprisingly, books on information security are typically voluminous. For example, Anderson’s (2008) Security Engineering is over 1000 pages long. Despite its length, the book can address most topics only briefly. Even research focusing on specific problems and solutions can be dauntingly complex. For example, the design and use of passwords has generated hundreds of papers, but the jury on best practices is still out (Bonneau et al., 2012). Achieving cybersecurity under these conditions may appear like a hopeless endeavor and failure unavoidable. Given the complexity of the problem, it seems improbable that security can be attained by eliminating all vulnerabilities. Moreover, preventative security measures are costly. Some level of uncertainty will therefore have to be accepted and choices need to be made, trading off competing objectives and limited resources. Recent research has developed approaches to better explain why certain security failures occur and others do not. These contributions clarified that security is not merely a technical problem that can be fixed with engineering solutions but that it also has important economic and behavioral dimensions that need to be addressed (Anderson and Moore, 2006).
Examining the incentives of players in the information and communication technology (ICT) ecosystem has been particularly fruitful in explaining the landscape of vulnerabilities and attacks that can be observed. The core of this work is rooted in information security economics. A key insight that catalyzed the development of this field is that many systems do not fail for technical reasons but because of the specific incentives shaping the behavior of individuals and organizations. For instance, if the individuals in charge of protecting a system do not have to bear any costs or other consequences in case of failure, they may exert insufficient care (ibid.). Attackers similarly respond to the set of pertinent incentives, for example by selecting targets and attack strategies based on expected financial or political benefits and risks. Technical tools to carry out attacks are often chosen opportunistically, as attackers will use whatever means happen to work in a given scenario. These insights and the abundance of technical and non-technical vulnerabilities and attack vectors imply that it is more promising to approach cybersecurity as a defender-attacker dynamic with an emphasis on the incentives of players rather than with a focus on the vulnerabilities. Another consequence is that for the foreseeable future information systems will need to be defended against attacks with a combination of technology and human vigilance.
Given the abundance of interdependencies in the ICT ecosystem, cybersecurity at the individual and system levels is influenced by how the incentives of different actors align. Sometimes individual and group incentives are compatible with both the private and social costs and benefits so that decentralized decisions will be workable and effective to achieve desirable levels of security. However, more often such an alignment cannot be taken for granted and several questions arise. Are markets, networked governance, and individual organizational decisions - the predominant coordination mechanism in the Internet - sufficient to safeguard cybersecurity (Van Eeten and Mueller, 2012)? Or does such decentralized coordination fail because market and nonmarket players are not capable of or prepared for effectively dealing with the risks? If market failure is pervasive, the incentives of decentralized players will be systematically biased and may result in underinvestment or overinvestment in security (Lewis, 2005; Shim, 2006).
A classical response to market failure is government intervention, but the incentives of government actors are not necessarily aligned with the common good. Parts of government, including secret services and the military, may have an interest in exploiting vulnerabilities for surveillance purposes. Consequently, conflicts within government may prevent effective public sector responses to information security risks. Moreover, the global scale and connectivity of the Internet has created interdependencies that may require coordinated action beyond the national or global level to design effective responses, greatly compounding the challenges. Security economics has in the past decade successfully examined many of these questions and helped greatly in the design of rational responses. Most of the work in the field has focused on information security as a means to fight criminal activities rather than on the protection of national security and cyberwar. The two topics, while at some level related, raise different theoretical and practical issues. It is important to understand the perspective used by each approach to conceptualize risk, costs and benefits, and the role of government (see, e.g., Singer and Friedman, 2013). Some scholars have argued that, due to its societal impact, cybercrime is more important than the hype-prone concept of cyberwar. Cybercrime is often discussed in a framework of risk management using cost-benefit and trial-and-error approaches, which makes it more amenable to empirical research. This approach typically results in tolerance for some level of risk and vulnerability. Protecting national security is more about scenarios and their potential impacts, often focusing on worst-case circumstances, which typically imply massive economic and social disruption. Consequently, prevention and resilience are often the main emphases (Van Eeten and Bauer, 2009, 2013).
In this chapter, we set out to survey the state of the art of the existing research with a focus on the criminal threats to cybersecurity. The next section briefly outlines key topics addressed in economic analyses of information security. Sections 13.3 through 13.5 discuss software and platform security, end user and organizational security, and Internet intermediary security. Attacker behavior is addressed in section 13.6, followed by an exploration of policy options in section 13.7 and concluding remarks in section 13.8.
13.2