Is Cybersecurity a Public Good
Full Title of Reference
Is Cybersecurity a Public Good? Evidence from the Financial Services Industry
- Threats and Actors: Financial Institutions and Networks
- Issues: Economics of Cybersecurity; Supply Chain Issues; Incentives; Information Sharing/Disclosure; Market Failure; Public-Private Cooperation
- Approaches: Regulation/Liability
After September 11th many government officials have become concerned with the possibility of terrorists launching attacks on the U.S. through the internet. Cybersecurity in industries that form our economy's “critical infrastructure” have been of particular concern. This paper examines the economics of cybersecurity. The economics of externalities, public goods, market failure, and government failure are all explored as they relate to cybersecurity. The financial services industry is clearly an area of critical infrastructure in our economy. This industry provides a case study to examine whether the market is providing the efficient level of cybersecurity or whether government intervention is required.
Some key points:
- If cybersecurity were a purely public good, we would not see the private sector devoting so many dollars, employees, and planning resources or employing so many technologies to provide cybersecurity. There must be enough of a private return to cybersecurity to cause firms to invest so much in it. If the publicness characteristics of cybersecurity were very troubling, we would not likely see the industry continue to devote more resources to security. In general, firms do not appear to be free riding or holding off for other companies to innovate.
- The market is often accused of underproviding security, but overprovision, in which security spending exceeds the expected value of losses from breaches, is likely to occur when government regulators determine the level of security.
- Former homeland security czar Tom Ridge stated the problem by saying, “Anywhere there is a computer…whether in a corporate building, a home office or a dorm room… if that computer isn’t secure, it represents a weak link. Because it only takes one vulnerable system to start a chain reaction that can lead to devastating results.” If his statement is true and literally any unsecured computer poses a threat, then U.S. policymakers cannot correct the public good problem of cybersecurity. For U.S. policy to be effective, the externality would have to be external to individual firms and users but internal to the United States.
- Cyberterrorism against private critical infrastructure is not a problem that requires special government attention. According to the evidence examined here, the government should not be concerned with any general market failure in the provision of cybersecurity. Cybersecurity is being provided in the private sector, and it is best left free of cumbersome government regulations that may prevent private voluntary orderings from continuing to innovate to secure cyberspace.
Additional Notes and Highlights
Expertise Required: Economics - Low/Moderate