Introducing the Economics of Cybersecurity: Principles and Policy Options--Tyler Moore
Pages 3-24

From page 3...
... We then discuss the regulatory options that are available to overcome these economic barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and reporting to the WTO.
From page 4...
... We now describe four of the most prescient threats to cybersecurity: online identity theft, industrial cyber espionage, critical infrastructure protection, and botnets. 2.1 Online Identity Theft. One key way in which malicious parties capitalize on Internet insecurity is by committing online identity theft.
From page 5...
... 2.3 Critical Infrastructure Protection. It is widely known that the process control systems that control critical infrastructures such as chemical refineries and the power grid are insecure.
From page 6...
... It is also used to place infected computers into a "botnet": a network of thousands or even millions of computers under the control of an attacker that is used to carry out a wide range of services. The services include sending spam, committing online-advertising fraud, launching denial-of-service attacks, hosting phishing attacks, and anonymizing attack traffic.
From page 7...
... 3 ECONOMIC BARRIERS TO IMPROVING CYBERSECURITY. Each of the cybersecurity threats discussed in Section 2 possesses distinct technical characteristics, stakeholders and legal constraints. However, some commonalities remain, notably in the economic barriers inhibiting optimal levels of security investment.
From page 8...
... He estimates that $120 million was collectively lost by U.S. banks due to malware infections targeting online banking services.
From page 9...
... 4 PROSPECTIVE SOLUTIONS. The economic barriers just discussed -- misaligned incentives, information asymmetries and externalities -- suggest that regulatory intervention may be necessary to strengthen cybersecurity. We next review several different approaches, assessing their suitability to the cybersecurity problem, followed by a series of concrete proposals for regulating cybersecurity.
From page 10...
... A better approach, then, is to encourage responsible software development by vendors. Software companies might be required to demonstrate that their software development lifecycle includes adequate testing.
From page 11...
... Facing such a grim reality, we next turn to an alternative approach: information disclosure. 4.1.2 Information disclosure. Given that information asymmetries are a fundamental barrier to improving cybersecurity, adopting policies that improve information disclosure may be attractive.
From page 12...
... To wrap up, information disclosure can be a powerful tool in reducing information asymmetries and correcting for misaligned incentives.
From page 13...
... 4.1.3 Indirect intermediary liability. Perhaps surprising to non-lawyers, liability does not have to be placed on the party directly responsible for harm. Under indirect liability regimes, third parties are held responsible for the wrongs of others.
From page 14...
... Payment card fraud is one area of cybersecurity where indirect liability is already used. The bad actors who commit account fraud victimize cardholders.
From page 15...
... Malware is frequently used to steal passwords and compromise online banking, cloud and corporate services. It is also used to place infected computers into a "botnet": a network of thousands or even millions of computers under the control of an attacker that is used to carry out a wide range of services.
From page 16...
... Another ISP-based option is to place infected computers into "quarantine." Once in quarantine, users are required to download and install anti-virus software and malware removal tools. They are then only permitted to rejoin the wider Internet once the security software is installed and the computer passes a network-based scan for malware.
From page 17...
... For instance, Visa negotiated a payment of $40.9 million from TJX to reimburse banks following its breach affecting 46 million cardholders, while in January 2010 Heartland agreed to pay MasterCard $41 million following its breach of 100 million credit card numbers. Rather than negotiating one-off settlements between intermediaries, we recommend establishing a fund to receive regular payment from software companies, given the persistent nature of malware infections.
From page 18...
... Mandatory disclosure of infections will help fix the information asymmetry plaguing information security investment (described in Section 3.2).
From page 19...
... Recommendation 2: Establish a program to regularly publish the following aggregated loss figures related to online banking and payment cards on data.gov:
– Incident figures: # of incidents, total $ stolen, total $ recovered for specified # of incidents
– Victim bank demographics: # banks affected, # customer accounts impacted per bank, $ lost per customer, bank type, precautions taken by bank (2-factor authentication, back-end controls used)
– Victim customer demographics: business v.
From page 20...
... He estimates that $120 million was collectively lost by U.S. banks due to malware infections targeting online banking services. The FBI runs the Internet Crime Complaint Center (IC3)
From page 21...
... It must be mentioned that mandatory disclosure is no panacea. Disclosure will help address the lack of information on incidents, but the long-tail nature of cyber attacks on process control systems means that the effort could yield few reports.
From page 22...
... In this paper, we have described several key economic challenges: misaligned incentives, information asymmetries and externalities. We have also reviewed the policy options available for overcoming these barriers, notably information disclosure and intermediary liability.
From page 23...
... 2008. Do Data Breach Disclosure Laws Reduce Identity Theft?