Is Cybersecurity a Public Good: Difference between revisions

From Cybersecurity Wiki
Jump to navigation Jump to search
 
(6 intermediate revisions by 2 users not shown)
Line 5: Line 5:


Benjamin Powell, ''Is Cybersecurity a Public Good? Evidence from the Financial Services Industry'', 1 J. L. Econ. & Pol'y 497 (2005). [http://www.independent.org/pdf/working_papers/57_cyber.pdf  ''Web'']  
Benjamin Powell, ''Is Cybersecurity a Public Good? Evidence from the Financial Services Industry'', 1 J. L. Econ. & Pol'y 497 (2005). [http://www.independent.org/pdf/working_papers/57_cyber.pdf  ''Web'']  
[http://www.ciaonet.org/wps/pob03/pob03.pdf ''AltWeb'']
[http://www.ciaonet.org/wps/pob03/pob03.pdf ''AltWeb'']


Line 13: Line 12:


* Threats and Actors: [[Financial Institutions and Networks]]
* Threats and Actors: [[Financial Institutions and Networks]]
* Issues: [[Economics of Cybersecurity]]; [[Supply Chain Issues]]; [[Incentives]]; [[Information Sharing/Disclosure]]; [[Public-Private Cooperation]]
* Issues: [[Economics of Cybersecurity]]; [[Supply Chain Issues]]; [[Incentives]]; [[Information Sharing/Disclosure]]; [[Market Failure]]; [[Public-Private Cooperation]]
* Approaches: [[Regulation/Liability]]


==Key Words==  
==Key Words==  


[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_an_Externality Cybersecurity as an Externality],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_an_Externality | Cyber Security as an Externality]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_a_Public_Good Cybersecurity as a Public Good],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Security_as_a_Public_Good | Cyber Security as a Public]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Distributed_Denial_of_Service_.28DDoS.29 Distributed Denial of Service],
[[Keyword_Index_and_Glossary_of_Core_Ideas#DDoS_Attack | Distributed Denial of Service]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Information_Asymetries Information Asymetries],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Information_ Asymmetries | Information Asymmetries]],
[http://cyber.law.harvard.edu/cybersecurity/Keyword_Index_and_Glossary_of_Core_Ideas#Tragedy_of_Commons The Tragedy of Commons],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Tragedy_of_Commons | Tragedy of Commons]]


==Synopsis==
==Synopsis==
Line 28: Line 28:


Some key points:
Some key points:
* If the costs of the security are high, the private benefits low, and the public benefits high, then firms will under-provide cybersecurity on the market.  If the costs are low and private benefits are high, then firms will generally provide close to efficient levels of cybersecurity despite
some positive externalities. 


* If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity.  There must be enough of a private return to cybersecurity to cause firms to invest so much in it.  If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.  
* If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity.  There must be enough of a private return to cybersecurity to cause firms to invest so much in it.  If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.  


* The key to potential market failures in information sharing is that the firm sharing the information does not benefit from sharing.  This problem can be solved or at least reduced with appropriate incentive devices.  Many information-sharing groups are private and can exclude non-members.  With the ability to kick out members suspected of holding back information, incentives for sharing would improve.  Other positive monetary incentives for sharing could also be offered. While the potential for free riding and underprovision of information sharing exists, there are benefits to be had by private groups if they can create the right incentive structure.  
* The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security.


* The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from
*Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room…  if that computer isn’t secure, it represents a weak link.  Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity.  For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
breaches, is likely to occur when government regulators determine the level of security.


*Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room…  if that computer isn’t secure, it represents a weak linkBecause it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity. For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
*Cyberterrorism against private critical infrastructure is not a problem that requires special government attentionAccording to the evidence examined here, the government should not be concerned with any general market failure in the provision of cybersecurity. Cybersecurity is being provided in the private sector, and it is best left free of cumbersome government regulations that may prevent private voluntary orderings from continuing to innovate to secure cyberspace.


==Additional Notes and Highlights==
==Additional Notes and Highlights==
 
Expertise Required: Economics - Low/Moderate
'' * Outline key points of interest

Latest revision as of 15:30, 19 August 2010

Full Title of Reference

Is Cybersecurity a Public Good? Evidence from the Financial Services Industry

Full Citation

Benjamin Powell, Is Cybersecurity a Public Good? Evidence from the Financial Services Industry, 1 J. L. Econ. & Pol'y 497 (2005). Web AltWeb

BibTeX

Categorization

Key Words

Cyber Security as an Externality, Cyber Security as a Public, Distributed Denial of Service, Information Asymmetries, Tragedy of Commons

Synopsis

After September 11th many government officials have become concerned with the possibility of terrorists launching attacks on the U.S. through the internet. Cybersecurity in industries that form our economy's “critical infrastructure” have been of particular concern. This paper examines the economics of cybersecurity. The economics of externalities, public goods, market failure, and government failure are all explored as they relate to cybersecurity. The financial services industry is clearly an area of critical infrastructure in our economy. This industry provides a case study to examine whether the market is providing the efficient level of cybersecurity or whether government intervention is required.

Some key points:

  • If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity. There must be enough of a private return to cybersecurity to cause firms to invest so much in it. If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.
  • The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security.
  • Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room… if that computer isn’t secure, it represents a weak link. Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity. For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
  • Cyberterrorism against private critical infrastructure is not a problem that requires special government attention. According to the evidence examined here, the government should not be concerned with any general market failure in the provision of cybersecurity. Cybersecurity is being provided in the private sector, and it is best left free of cumbersome government regulations that may prevent private voluntary orderings from continuing to innovate to secure cyberspace.

Additional Notes and Highlights

Expertise Required: Economics - Low/Moderate