Is Cybersecurity a Public Good: Difference between revisions

From Cybersecurity Wiki
Jump to navigation Jump to search
 
(8 intermediate revisions by 2 users not shown)
Line 5: Line 5:


Benjamin Powell, ''Is Cybersecurity a Public Good? Evidence from the Financial Services Industry'', 1 J. L. Econ. & Pol'y 497 (2005). [http://www.independent.org/pdf/working_papers/57_cyber.pdf  ''Web'']  
Benjamin Powell, ''Is Cybersecurity a Public Good? Evidence from the Financial Services Industry'', 1 J. L. Econ. & Pol'y 497 (2005). [http://www.independent.org/pdf/working_papers/57_cyber.pdf  ''Web'']  
[http://www.ciaonet.org/wps/pob03/pob03.pdf ''AltWeb'']
[http://www.ciaonet.org/wps/pob03/pob03.pdf ''AltWeb'']


Line 12: Line 11:
==Categorization==
==Categorization==


* Issues: [[Economics of Cybersecurity]]; [[Supply Chain Issues]]; [[Incentives]]; [[Information Sharing/Disclosure]]; [[Public-Private Cooperation]]
* Threats and Actors: [[Financial Institutions and Networks]]
* Issues: [[Economics of Cybersecurity]]; [[Supply Chain Issues]]; [[Incentives]]; [[Information Sharing/Disclosure]]; [[Market Failure]]; [[Public-Private Cooperation]]
* Approaches: [[Regulation/Liability]]


==Key Words==  
==Key Words==  


[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_an_Externality Cybersecurity as an Externality],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_an_Externality | Cyber Security as an Externality]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_a_Public_Good Cybersecurity as a Public Good],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_a_Public_Good | Cyber Security as a Public]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Distributed_Denial_of_Service_.28DDoS.29 Distributed Denial of Service],
[[Keyword_Index_and_Glossary_of_Core_Ideas#DDoS_Attack | Distributed Denial of Service]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Information_Asymetries Information Asymetries],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Information_ Asymmetries | Information Asymmetries]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Tragedy_of_Commons The Tragedy of Commons],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Tragedy_of_Commons | Tragedy of Commons]]


==Synopsis==
==Synopsis==


After September 11th many government officials have become concerned with the possibility of terrorists launching attacks on the U.S. through the internet. Cybersecurity in industries that form our economy's “critical infrastructure” have been of particular concern. This paper examines the economics of cybersecurity. The economics of externalities, public goods, market failure, and government failure are all explored as they relate to cybersecurity. The financial services industry is clearly an area of critical infrastructure in our economy. This industry provides a case study to examine whether the market is providing the efficient level of cybersecurity or whether government intervention is required.
After September 11th many government officials have become concerned with the possibility of terrorists launching attacks on the U.S. through the internet. Cybersecurity in industries that form our economy's “critical infrastructure” have been of particular concern. This paper examines the economics of cybersecurity. The economics of externalities, public goods, market failure, and government failure are all explored as they relate to cybersecurity. The financial services industry is clearly an area of critical infrastructure in our economy. This industry provides a case study to examine whether the market is providing the efficient level of cybersecurity or whether government intervention is required.
Some key points:
* If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity.  There must be enough of a private return to cybersecurity to cause firms to invest so much in it.  If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.
* The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security. 
*Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room…  if that computer isn’t secure, it represents a weak link.  Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity.  For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
*Cyberterrorism against private critical infrastructure is not a problem that requires special government attention.  According to the evidence examined here, the government should not be concerned with any general market failure in the provision of cybersecurity. Cybersecurity is being provided in the private sector, and it is best left free of cumbersome government regulations that may prevent private voluntary orderings from continuing to innovate to secure cyberspace.


==Additional Notes and Highlights==
==Additional Notes and Highlights==
 
Expertise Required: Economics - Low/Moderate
'' * Outline key points of interest

Latest revision as of 15:30, 19 August 2010

Full Title of Reference

Is Cybersecurity a Public Good? Evidence from the Financial Services Industry

Full Citation

Benjamin Powell, Is Cybersecurity a Public Good? Evidence from the Financial Services Industry, 1 J. L. Econ. & Pol'y 497 (2005). Web AltWeb

BibTeX

Categorization

Key Words

Cyber Security as an Externality, Cyber Security as a Public, Distributed Denial of Service, Information Asymmetries, Tragedy of Commons

Synopsis

After September 11th many government officials have become concerned with the possibility of terrorists launching attacks on the U.S. through the internet. Cybersecurity in industries that form our economy's “critical infrastructure” have been of particular concern. This paper examines the economics of cybersecurity. The economics of externalities, public goods, market failure, and government failure are all explored as they relate to cybersecurity. The financial services industry is clearly an area of critical infrastructure in our economy. This industry provides a case study to examine whether the market is providing the efficient level of cybersecurity or whether government intervention is required.

Some key points:

  • If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity. There must be enough of a private return to cybersecurity to cause firms to invest so much in it. If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.
  • The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security.
  • Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room… if that computer isn’t secure, it represents a weak link. Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity. For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
  • Cyberterrorism against private critical infrastructure is not a problem that requires special government attention. According to the evidence examined here, the government should not be concerned with any general market failure in the provision of cybersecurity. Cybersecurity is being provided in the private sector, and it is best left free of cumbersome government regulations that may prevent private voluntary orderings from continuing to innovate to secure cyberspace.

Additional Notes and Highlights

Expertise Required: Economics - Low/Moderate