Industry's Role in Securing Cyber Space - 2011
brentrrowe1
About This Presentation
Slides presented at the 2011 Workshop on Cybersecurity Incentives (@George Mason University)
Size: 242.66 KB
Language: en
Added: Jul 23, 2024
Slides: 22 pages
Slide Content
Industry’s Role in Securing Cyber Space
Brent Rowe, Senior Economist, RTI International

Overview
Concepts and background
Industry users of security
Industry producers of security
Government’s supporting role
Future research needs
Identifying Market Failures & Inefficiencies
Externalities (what you do affects me). Ex: cyber security is like air pollution.
Information asymmetries (I know more than you). Ex: cyber security products/services are similar to cars (dealers know more about quality than customers).
Framing effect (your past affects your future). Ex: many individuals think of cyber security like burglars; many companies think of cyber security like
Who Should Bear the Cost of Cyber Security?
Regulations (to force a baseline)
Industry and/or product or service vendors
Liability for losses
Software and hardware products
Services (e.g., ISPs)
Standards & best practices
Research & development
Government as a buyer
The positions range from “Industry is Responsible” to “Government is Responsible”.
Who are the Industry Stakeholders?
Cyber security users: large businesses; small businesses.
Cyber security producers: ISPs; software makers; insurance companies.
* Common belief that cyber security is inadequate
* Common belief that THEY are not responsible

Who are Security Users?
Large businesses: regulations are still the main driver; cyber security is becoming more important in board rooms.
Small businesses: the “Joe the Plumber” effect; the weak link in the social level of security; their level of security is roughly that of large businesses in the late 1990s.
Security Users’ Spending: A Decision Flow Diagram (diagram elements)
Drivers: resources (internal and external); nature and frequency of cyber security breaches (internal and external)
Investment strategy: budget vs. cost minimization; involves management and/or cyber security staff
Dimensions of a cyber security infrastructure: internal approval structure for hardware, software, policies, and procedures; effectiveness tests
Budget allocation process
Implementation strategy: proactive vs. reactive; involves cyber security staff

Security Users’ Spending: Conceptual Discussion
Investment strategy: cost minimizing to achieve a certain level of security versus maximizing security subject to a budget constraint
Implementation strategy: proactive versus reactive

Security Users’ Spending: Budget-Constrained Model
Mean Proactive Index by Industry User Group (bar chart; index scale 0.0 to 4.5; groups: Financial, Health Care, Manufacturing, Small Business, University, Other). Source: RTI (2006)
Who are Security Producers?
ISPs: no demand, too much cost
Software makers: aiming to be first to market
Insurance companies: not enough data, no customers
Security Producers’ Spending: ISPs
ISPs are in a prime position to observe internet traffic and quarantine infected users (van Eeten, 2010), but few ISPs respond to signs of infection or misbehavior (Arbor Networks, 2009). This is because ISPs are currently immune from any liability for the damages caused by their subscribers (Lichtman & Posner, 2008) and ISPs don’t perceive sufficient demand (Rowe et al., 2011).

Security Producers’ Spending: ISPs
Home internet users are willing to pay over $7 per month for security that:
reduces their risk of identity theft;
reduces the risk of their computer slowing down or crashing;
does not limit their internet access;
reduces the risk that other individuals and businesses will be affected by insecurity.
This suggests a large social benefit from additional security. Source: Rowe et al. (2011)
Security Producers’ Spending: Software Makers
Software developers will supply the level of trustworthiness (quality) that maximizes profits.

Security Producers’ Software Testing Costs (chart)
Banking and credit unions could save over $300 million per year if testing were shifted to earlier development phases. Source: Gallaher et al. (2002)
How can Government Agencies Help?
Reduce the cost of public information
Help facilitate the collection and analysis of attack/breach statistics
Support development of new standards for measuring security
Support effectiveness and efficiency testing of security products
Increase the share of externality costs borne by private organizations: regulations; legal implications

Internalizing Externalities Increases the Price of Reactive Options (P_R < P_R′)

Information Sharing Decreases the Cost of Proactive Options (P_A > P_A′)
What are Government Agencies Doing Currently?
FUNDING: research and development; standards development; creation of public-private partnerships / consortia
MONITORING regulatory compliance, e.g., HIPAA, SOX, GLBA, etc.; breach notification laws

The Future: Government is Acting
Government action is happening (Congress, FCC):
Senate: the Lieberman bill is heading in the right direction
House: Speaker Boehner asked Cong. Thornberry to lead
FCC: considering new rulemaking related to ISPs
More regulation is possible, with uncertainty about implementation and unintended consequences.
Need more data to compare policy options.
Need more rigorous cost-benefit analyses to compare solutions.
More Information
Brent Rowe, Senior Economist
415-848-1317
[email protected]