Cybersecurity economy

Cybersecurity economics strategies benefit a safer society

20 January 2025, 06:52

Digitalization offers great opportunities for both the private and public sectors, but with these opportunities come cybersecurity challenges. The human factor is crucial to achieve true security, and it is important to understand how incentives and market structures affect cybersecurity. By linking cybersecurity to economics, we can identify strategies to strengthen our digital environments and maximize the benefits of ongoing digitalization.

Digitalization opens up new opportunities for society as a whole. In recent decades, both the private and public sectors have developed new digital ways of working. This development makes it possible to do the same things faster and more efficiently, and to do completely new things that were previously impossible. The potential is therefore very great, even if it is not always clear either how we can best take full advantage of it or how the productivity improvements that result from digitalization and automation should properly be measured. What is clear is that digitalization is here to stay. We work, study and socialize in new ways today compared to a couple of decades ago, and the COVID-19 pandemic has further accelerated this development.

However, this brings not only new opportunities but also new challenges. News of cyber incidents, whether accidental mistakes and mishaps or deliberate attacks, emerges constantly. A selection from recent years includes the insecure storage of driving licence data and patient records, disruptions to services such as BankID, Swish and card payments, and high-profile cases of ransomware. The latter phenomenon perhaps made its breakthrough into the public consciousness in 2021: first with the attack on Colonial Pipeline in May, which severely affected fuel supplies across the US East Coast, and then with the REvil attack in July that shut down hundreds of Coop stores in Sweden. Unfortunately, this state of affairs is the rule rather than the exception: there is no indication that incidents will diminish in the future. This is serious, as safe and reliable services are a prerequisite for realizing the benefits of digitalization. Neither autonomous industrial robots, self-driving cars nor innovative fintech services can live up to their potential if they are constantly interrupted or easily manipulated by attackers.

Cybersecurity is often seen as a purely technical problem. Attack simulations, AI-based detection of suspicious activity and better cryptography are examples of technical solutions that receive a lot of attention. Undoubtedly, such technological developments are important and have the potential to make our systems more secure. But cybersecurity is not just a technical problem. Security, or the lack of it, arises when a human user uses technology in an organizational and economic context. This means that better cybersecurity can also be achieved through means other than technical measures.

In 2006, Anderson and Moore introduced the subject of the economics of information security in an influential article in Science. They argue convincingly that the root causes of many information and cyber security problems can be understood through economics. Why do companies not invest enough in security? Because those who spread malware or cause downtime for others do not bear the full cost. Cloud services and integration solutions connect modern IT environments so that invoices, orders, balances, metrics and more constantly flow between different actors. This increases productivity, but at the same time allows both outages and malware to spread along the same paths. A lack of security in one party puts everyone at risk (see, for example, Dieye et al. for an empirical study of the spillover effects of cyber-attacks). In such circumstances it is of course still worth investing something in security, but hardly worth paying for major security investments on behalf of everyone you are connected to, with the risk that one of them will slip up anyway. This kind of reasoning is a strong argument that there is probably too little investment in cybersecurity (see, for example, Gordon et al., but note that Acemoglu et al. nuance the picture). In short, cybersecurity deficiencies are negative externalities, just like pollution.

Why isn't vulnerable or unreliable software outcompeted by better alternatives? Anderson and Moore answer that it is because it is almost impossible for buyers to distinguish between secure and insecure software. They cannot, and therefore will not, pay extra for security. The markets for almost all digital services thus suffer from asymmetric information in the same way as Akerlof's[1] famous used cars. As a result, the willingness to pay for security is low and the incentive for sellers to develop secure products is reduced. As with used cars, there are certainly mechanisms that can mitigate the effects of the information asymmetry, such as warranties or brands: large software companies with strong brands have quite a lot to lose by selling insecure products, because they want to sell to customers with high purchasing power over a long period of time. Conversely, for small and start-up software producers it may be rational, from a growth strategy point of view, to postpone security: first create a product and win customers, then try to make it more secure.

It is this kind of illuminating reasoning that leads Anderson and Moore to conclude that poor security is at least as likely to arise from poor incentives as from poor design. If they are right, this in turn means that as much effort and research should be devoted to studying and fixing bad incentives as to studying and fixing bad engineering design. Such research is not only academically interesting but also practically useful: Moore argues that quite small interventions that adjust incentives and correct obvious market failures can have a large positive effect on cybersecurity in a country. Where that holds, it can be considerably cheaper than large technology projects to achieve the corresponding increase in security.

Unfortunately, the economics of cybersecurity has not yet attracted much attention among Swedish researchers (some exceptions exist; see Hermelin et al. and Franke). Perhaps this is because the area lies between different academic disciplines and requires economists interested in technology or engineers interested in economics (like yours truly), preferably both, to be rewarding. Either way, there is every reason for more economists to take an interest in cybersecurity. Some examples of exciting research questions, without claiming to be exhaustive, are the following:

  • What do cyber incidents actually cost? While it is not difficult to find alarming reports of high incident costs, there are significant methodological problems (see Florêncio and Herley and Anderson et al.), and many of those conducting incident cost studies have their own agendas. Even statutory mandatory incident reporting under the EU NIS Directive does not seem to provide cost data of particularly good quality.
     
  • When should cyber incidents be made public? Based on the reasoning on asymmetric information above, it may be reasonable to require the disclosure of incidents to provide the market with more information on which products are safe and which are not. However, the picture is complicated by the fact that disclosure of incidents not only provides more information to buyers and sellers, but also to malicious attackers. Whether attackers or defenders benefit most is an open question and each type of disclosure must therefore be carefully evaluated on its own merits. 
     
  • How does cybersecurity relate to competition and market concentration? Geer et al. illustrate the problem pedagogically. On the one hand, there are good reasons to believe in economies of scale in cybersecurity: a small company that barely has a full-time IT manager obviously cannot afford to keep a cybersecurity expert. On the other hand, there are also reasons to believe in diseconomies of scale in cybersecurity. First, large companies are often more attractive targets for targeted attacks, as there is more to steal. Secondly, systems with many users are often large, complex and constantly evolving, which makes them difficult to monitor and keep secure. The complexity itself becomes a security risk, a clear disadvantage of scale. Which tendency prevails in which context is an exciting empirical question.
     
  • What role can and should the insurance industry play in cybersecurity? Twenty years ago, security expert Bruce Schneier enthusiastically stated that "in the future, the insurance industry will rule the computer security industry". The argument for this thesis is that insurance companies are experts in risk management, that they can make large risks manageable by spreading them across many players, and that they can use premiums to incentivize customers to become more secure. But while we have reliable and more or less comprehensive statistics on road accidents, fires and floods, we do not have correspondingly good statistics on cyber incidents. This means that cyber insurance premiums may be too high or too low, and no one knows for sure (see, for example, the OECD, and Franke for a Swedish perspective). In 2018, Warren Buffett criticized the industry, saying that no one really knows what they are getting into when they issue cyber insurance.
     
  • How should we look for vulnerabilities effectively? More and more software developers reward those who report vulnerabilities in their products (bug bounties), reducing the temptation to exploit them for personal gain. However, designing vulnerability reward programs is not easy, partly because different programs compete with each other for the attention of vulnerability hunters.

These - and other - issues in cybersecurity economics have in common that they are both academically interesting and practically relevant. Economists have much to contribute to making today's and tomorrow's digitalized society safer. 

Text: Ulrik Franke, Senior researcher, RISE
