Difference between revisions of "Is Cybersecurity a Public Good"

From Cybersecurity Wiki
Line 29: Line 29:
 
Some key points:
 
Some key points:
  
* If the costs of the security are high, the private benefits low, and the public benefits high, then firms will under-provide cybersecurity on the market.  If the costs are low and private benefits are high, then firms will generally provide close to efficient levels of cybersecurity despite  
+
* If the costs of the security are high, the private benefits low, and the public benefits high, then firms will under-provide cybersecurity on the market.  If the costs are low and private benefits are high, then firms will generally provide close to efficient levels of cybersecurity despite some positive externalities.   
some positive externalities.   
 
  
 
* If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity.  There must be enough of a private return to cybersecurity to cause firms to invest so much in it.  If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.  
 
* If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity.  There must be enough of a private return to cybersecurity to cause firms to invest so much in it.  If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.  
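Review bot: the rejoined first bullet still reads "the costs of the security". Since the line is being touched anyway, drop the article ("the costs of security") so the phrase matches "the private benefits" and "the public benefits" in the same sentence.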
Line 36: Line 35:
 
* The key to potential market failures in information sharing is that the firm sharing the information does not benefit from sharing.  This problem can be solved or at least reduced with appropriate incentive devices.  Many information-sharing groups are private and can exclude non-members.  With the ability to kick out members suspected of holding back information, incentives for sharing would improve.  Other positive monetary incentives for sharing could also be offered. While the potential for free riding and underprovision of information sharing exists, there are benefits to be had by private groups if they can create the right incentive structure.  
 
* The key to potential market failures in information sharing is that the firm sharing the information does not benefit from sharing.  This problem can be solved or at least reduced with appropriate incentive devices.  Many information-sharing groups are private and can exclude non-members.  With the ability to kick out members suspected of holding back information, incentives for sharing would improve.  Other positive monetary incentives for sharing could also be offered. While the potential for free riding and underprovision of information sharing exists, there are benefits to be had by private groups if they can create the right incentive structure.  
  
* The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from  
+
* The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security.   
breaches, is likely to occur when government regulators determine the level of security.   
 
  
 
*Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room…  if that computer isn’t secure, it represents a weak link.  Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity.  For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
 
*Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room…  if that computer isn’t secure, it represents a weak link.  Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity.  For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
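Review bot: the Tom Ridge bullet starts with "*Former" and has no space after the asterisk, while every other bullet in this hunk uses "* ". Change it to "* Former" for consistency. The quotation in that bullet also has no page reference to the Powell article or to the original speech, so a citation would help readers verify the wording.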

Revision as of 16:21, 25 June 2010

Full Title of Reference

Is Cybersecurity a Public Good? Evidence from the Financial Services Industry

Full Citation

Benjamin Powell, Is Cybersecurity a Public Good? Evidence from the Financial Services Industry, 1 J. L. Econ. & Pol'y 497 (2005).

Categorization

Key Words

Cybersecurity as an Externality, Cybersecurity as a Public Good, Distributed Denial of Service, Information Asymmetries, The Tragedy of Commons

Synopsis

After September 11th, many government officials have become concerned with the possibility of terrorists launching attacks on the U.S. through the internet. Cybersecurity in industries that form our economy's “critical infrastructure” has been of particular concern. This paper examines the economics of cybersecurity. The economics of externalities, public goods, market failure, and government failure are all explored as they relate to cybersecurity. The financial services industry is clearly an area of critical infrastructure in our economy. This industry provides a case study to examine whether the market is providing the efficient level of cybersecurity or whether government intervention is required.

Some key points:

  • If the costs of security are high, the private benefits low, and the public benefits high, then firms will under-provide cybersecurity on the market. If the costs are low and private benefits are high, then firms will generally provide close to efficient levels of cybersecurity despite some positive externalities.
  • If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity. There must be enough of a private return to cybersecurity to cause firms to invest so much in it. If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.
  • The key to potential market failures in information sharing is that the firm sharing the information does not benefit from sharing. This problem can be solved or at least reduced with appropriate incentive devices. Many information-sharing groups are private and can exclude non-members. With the ability to kick out members suspected of holding back information, incentives for sharing would improve. Other positive monetary incentives for sharing could also be offered. While the potential for free riding and underprovision of information sharing exists, there are benefits to be had by private groups if they can create the right incentive structure.
  • The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security.
  • Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room… if that computer isn’t secure, it represents a weak link. Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity. For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
