iTnews: Cyber security author discusses economics of protecting cyberspace

Friday, May 23, 2008


As a journalist at iTnews:

U.S. economists have launched a book that claims to document the first systematic analysis of the economics of protecting cyberspace.

Titled ‘Cyber Security: Economic Strategies and Public Policy Alternatives’, the book explores private sector security decisions, as well as the role of governments in facilitating and encouraging proactive cyber security investment strategies.

Besides individual concerns about identity theft, authors Michael Gallaher, Albert Link and Brent Rowe warn against larger threats such as a potential attack on national energy infrastructure.

Rowe, who is a research economist at research institute RTI International, spoke with iTnews about the book and its recommendations for private and public sector managers and strategists involved in cyber security.

Why is cyber security important?

Cyberspace is the nervous system of business today -- it links our critical infrastructures across both public and private institutions in sectors ranging from food and agriculture, water supply and public health, to energy, transportation and financial services.

This information control system is composed of hundreds of thousands of interconnected computers, servers, routers, switches and fibre-optic cables that allow our critical infrastructure to work. When this infrastructure is breached, the costs can mount very quickly.

Cyber security breaches are costly to businesses in terms of direct damages and future lost opportunities associated with stifling innovation, as well as to individuals in terms of identity theft.

In what way is cyber security a matter of national and homeland security?

In addition to time and monetary costs imposed on businesses and individuals as a result of cyber security breaches, a cyber attack could be aimed to have much more calamitous effects than described above.

For example, a complex and coordinated attack could be focused on the U.S. energy infrastructure, which has been shown to be relatively insecure, and potentially knock out power for days or weeks.

When did cyber security become an issue for private and public institutions? What has changed to make it an issue?

While there are no consistent estimates of the annual cost to the private sector or the public sector from security compromises, a rough estimate is that in 2006 cyber security breaches accounted for nearly US$1 billion in the United States.

Such costs have risen over the past decade to the point where organisations are focusing more on their information security investments. In many cases, information security officers in major corporations now have much more significant roles in company planning activities.

Companies are facing large costs, individuals confronting issues such as identity theft, and experts believe that larger threats -- for example, a potential attack on the U.S. energy infrastructure -- are looming.

What are some common mistakes that public and private sector organisations make in securing their IT infrastructure?

From a social perspective, organisations under-invest in cyber security because they are not penalised when their lacking security allows attackers to use them as a staging point or to compromise hosts and create botnets.

However, private sector organisations do not have the information they need to make efficient decisions from a private perspective -- what’s in their best interest -- or a social perspective -- what’s in the best interest of society. They collect what information they can with given resources, and then make decisions based on their budget constraints.

In some cases, they may underestimate the costs imposed by security breaches, however, there is no research to support the assertion that they are not acting in their best interest given the information they have available.

What is the Government’s role in cyber security?

As for government’s role, our research suggests that there are at least two barriers that prevent organisations from investing in the socially desirable level of cyber security; government’s role should be to help remove these barriers.

These barriers are also referred to as market failures and include: limited reliable, cost-effective information upon which an organisation can make informed cyber security investment decisions; and the cost externalities that spill over to other organisations and to consumers as a result of a security breach.

As a result, any cyber security investment that an organisation makes, particularly of a proactive nature, will likely generate social benefits in excess of private benefits. Thus, government would like to encourage such investments by removing or lessening such barriers.

In the past, government has attempted to develop and motivate the use of new technologies or standards that would improve security. Moving forward, new strategies are needed; for example, as suggested in our book, external public information is likely to motivate the adoption and implementation of proactive cyber security investment strategies.

How much investment should be made in cyber security?

According to our estimates, organisations spend, on average, a little less than 6 percent of their IT budgets on cyber security. However, as I offered in my previous answer, organisations are investing what they perceive to be an optimal investment given the information they have and their resource constraints.

There is no perfect level or type of cyber security investments that all organisations should make; this again points to the information problem that exists. The world of cyber security threats and solutions is constantly changing.

What were the most surprising results of your analysis of the economics of cyber security?

We identified several very interesting relationships that we believe should motivate the government and the public policy arena more broadly to act.

First, we were surprised by how much small businesses relied on outside contractors, and how unaware they were of the implications of their actions on their business and others.

Small businesses shared a focus on the bottom line as the main driver for any internal investment decisions, resulting in a lack of proactive spending.

Overall, despite significant spending on security as a portion of their IT budgets (approximately 10 percent), our research suggests that small businesses are making the most strikingly socially efficient security investments of any industry group with which we spoke.

Second, of particular importance from the perspective of informing public policy, we found a relationship between organisations that rely on external public resources (e.g., surveys, ISO and NIST recommendations, etc.) when making cyber security investment decisions and the proactive nature of their cyber security strategy.

Since pursuing a proactive, preventative strategy is likely to reduce computer system breaches and hence the flow of attacks through an organisation to other organisations, it follows that one important role for government is the provision of information on state-of-the-art technologies and procedures that promote proactive cyber security approaches.
