POLICY OPTIONS
We have so far looked at the incentives of various actors in the Internet economy and how these affect their security decisions. We have seen that actors impose positive and negative externalities on others and the problems caused by asymmetric information.
These are classic examples of market failures that weaken security incentives and will typically lead to suboptimal investment in security. We also saw that some actors, notably among Internet intermediaries operating in multi-sided markets, are willing to bear the costs of mitigating security failures of others. The unique competitive position of this group puts it in a position to make trade-offs between security and other qualities, possibly bringing the entire sector closer to a social optimum. However, in many situations no such endogenous mechanisms are available. This raises the question of whether and how forms of market failure can be remedied and what could be done to strengthen incentives to provide security. A traditional response to market failure is government intervention but, given the conflicting incentives of the state, other forms of governance have been proposed as more effective (Moore and Anderson, 2012; Brown and Marsden, 2013). We continue with a brief discussion of theoretical and empirical contributions to the literature on policy options.
13.7.1 The Costs of Cybersecurity Breaches
Ideally, private and public policy measures would take the actual and potential cost of cybersecurity breaches into account. This is one of the preconditions of rational investment decisions by the private sector and of rational policy design. Unfortunately, while estimates and numbers abound, their reliability and representativeness are difficult to assess. Many reports are generated by players with a stake in inflating the numbers. They are often based on weak evidence and/or on overly simplified, strong assumptions.
The employed methods typically are not publicly available, complicating an assessment of the validity and reliability of the information. Damage is typically assessed at a highly aggregated level and difficult to link to specific incidents. Florencio and Herley (2013a) show that estimates are frequently biased by a few individual observations. Anderson et al. (2013) argue that the cost of prevention often exceeds the actual damage by orders of magnitude. With these caveats in mind, it is noteworthy that a joint study conducted by McAfee and the Center for Strategic and International Studies (CSIS) estimated the global costs of cybercrime at $445 billion, or about 0.6 percent of global GDP (CSIS and McAfee, 2014).
Absent systematic and reliable metrics, it is at least possible to identify the types of costs good metrics would include. Because of the highly interconnected nature of the Internet, security incidents not only affect the immediate targets of an attack but also have second- and third-round effects on other stakeholders. From a policy perspective, the relevant cost is the total cost to society, which also includes the costs incurred by stakeholders other than those immediately affected. A comprehensive assessment of the costs and benefits of cybersecurity therefore should include the entire ecosystem of players including: users, private sector organizations, public sector organizations, Internet infrastructure providers (software vendors, ISPs, hosting providers, registrars), incident response units, and society at large (including opportunity costs, lost efficiency gains, diminished trust and use of the Internet, etc.). It should also include revenues and profits made by cybercriminals, malevolent hackers, and all those seeking to profit from undermining the security of the Internet as these constitute ‘bads’ (i.e., costs) to society (Van Eeten et al., 2009).
13.7.2 Addressing Information Asymmetries
Several approaches can help address information asymmetries, including mandatory breach disclosure, vulnerability disclosure, certification schemes, and the publication of security metrics.
13.7.2.1 Mandatory breach disclosure
Data and security breach disclosure laws aim to reduce harms caused to consumers resulting from breaches, and to incentivize organizations to invest in security, by requiring them to notify all affected individuals when personal information has been compromised as a result of an attack or negligence. Critics of mandatory breach disclosure argue that they might perversely desensitize consumers or cause them to overreact. Breach disclosure laws have been enacted in past years across a number of countries and most US states. Romanosky et al. (2011) found only weak empirical evidence in support of the effectiveness of disclosure laws. Between 2002 and 2009 disclosure requirements reduced identity theft by a mere 6.1 percent. This might be related to a finding by Nieuwesteeg (2013) that the vast majority of security breaches remain unreported, possibly due to firms calculating the risks of being discovered as smaller than notification and reputation costs. These costs include impacts of disclosure on stock market valuations of firms (Gordon et al., 2011). As other countries are considering adopting similar laws, there are discussions on how to design the details of such requirements. Thomas et al. (2013), for instance, recommend estimating and communicating the severity of breaches.
13.7.2.2 Vulnerability disclosure
Should there be a mandate to publicly disclose a newly discovered software vulnerability? On the one hand, it forces vendors to acknowledge and prioritize releasing a patch; on the other hand it gives attackers information they might otherwise not have. Arora et al. (2010) looked at past evidence by analyzing the US National Vulnerability Database (NVD) from 2000 to 2003. The data suggest that disclosures accelerated patch release. Ransbotham and Mitra (2013) evaluated differences between immediate disclosure and ‘responsible disclosure’, a procedure for first revealing the vulnerability in private to vendors before making it public after a certain period.
Combining a dataset of intrusion detections from several hundred clients with the NVD for 2006 and 2007, the findings cautiously suggest that responsible disclosure is indeed beneficial.
13.7.2.3 Certification schemes
Security certifications by trusted third parties have been proposed as fixes to the ‘lemons market’ problem affecting security aspects of products. Certification schemes have been tried for software (Anderson and Moore, 2006), for websites using various ‘trust seals’, and the ISO 27000 information security standards. The success of these schemes hinges on who pays for the certification, who bears the costs of errors and what the certificates actually measure. Product sellers paying for certification have incentives to go to lax certification authorities. Even worse, Edelman (2011) observes an ‘adverse selection’ problem in that fraudulent websites have a higher probability of purchasing trust seals. Some certificates only demonstrate compliance with legal provisions. A great example of this is that DigiNotar passed the WebTrust EV audit for CAs just months before its spectacular collapse, while forensics revealed serious security problems (Fox-IT, 2011). This is not to say that security certification is not useful. It can still guarantee a basic level of good practices. However, it will not fully solve information asymmetry.
13.7.2.4 Publishing security metrics
Other market signals have also been proposed that simultaneously reduce asymmetry and allow organizations to self-evaluate. Organizations often believe they are doing enough to safeguard security. If they are presented with evidence that they do worse than their peers, they might increase efforts (e.g., Tang et al., 2013). The need for reliable measurements in cybersecurity has been known for a long time (Geer et al., 2003; Pfleeger and Cunningham, 2010). However, getting security metrics or measurements right is not an easy task. One should take care not to confuse measurable properties with metrics that function as security indicators (Böhme, 2010, provides a systematic overview).
Designing, measuring and reporting security metrics is a promising way to help markets produce security more efficiently.
13.7.3 Addressing Externalities
Among the instruments proposed to help mitigate externalities are cyber insurance, liability rules, and better law enforcement.
13.7.3.1 Cyber insurance
Insurance for cybersecurity incidents was proposed early on as a solution to align incentives, reduce information asymmetries, and enable firms to better manage risks (Schneier, 2004; Böhme, 2005). Scholars suggested that insurers would charge different premiums for different levels of cybersecurity and contingent on security practices, which would increase incentives for users to purchase more secure products and adopt better security policies. Nonetheless, these expectations did not materialize and the market for cyber insurance shrank relative to the Internet economy (Böhme and Schwartz, 2010). Shetty et al. (2010) argue that quantifying cyber risks is fundamentally hard for insurers because of information asymmetries. In addition, the interdependent nature of cyber risks deviates from how risk is typically addressed in insurance markets, complicating the design of workable insurance policies.
13.7.3.2 Assigning liability
Making users, organizations and intermediaries liable for online harms caused by security breaches in their systems could tip security incentives toward higher investment. Fryer et al. (2013) examine the issue thoroughly by looking at liability theories and reviewing proposals in the security economics literature, for example, to make software vendors liable for bugs (August and Tunca, 2011) or early calls to make users of bots liable for negligence attacks. In general, ‘hard liability’ will be a difficult sell in cybersecurity. In cases of clear negligence it might make sense; however, tort law, existing ‘duty of care’ and consumer protection laws might be sufficient for the courts. Moreover, the forensics of establishing the facts of a case and measuring harm might not be easy.
Due to the interdependencies, cascading harms might occur, implying that firms may go bankrupt, become extremely risk-averse innovators, or resort to creating ‘shell’ companies. ‘Softer’ mechanisms - such as peer pressure, reputation effects, and regulatory coordination - might be much more effective. An alternative approach suggested by Ioannidis et al. (2013b) is to have an ‘information steward’ value harms to the ecosystem and allocate costs derived from externalities fairly among targets. Certain intermediaries such as Amazon Marketplace might be doing exactly this.
13.7.3.3 Better law enforcement
An alternative way to reduce externalities - and cybercrime - is to increase costs for attackers. This can be achieved by improving defenses, stricter law enforcement and by increasing the punishment for cybercriminals. Looking at the direct, indirect and defense costs imposed by cybercrime, Anderson et al. (2013) conclude that a more balanced approach is to spend less in anticipation of crime and more in response to it. Given the trans-border nature of many forms of cybercrime, this will also require improved international collaboration among law enforcement agencies.
Source: Bauer J., Latzer M. (Eds.), Handbook on the Economics of the Internet, Edward Elgar, 2016, 603 p.