6th European Conference - Academic Conferences
6th European Conference - Academic Conferences
6th European Conference - Academic Conferences
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Mecealus Cronkrite et al.<br />
The “industry knows best” approach for cyber-security is inefficient and a market failure. (Assante,<br />
2010) The public’s level demand for cyber-security is higher than most firms’ individual demand. This<br />
is because the private costs resulting from a cyber-incident are often less than the public’s cost. As an<br />
example, when electronically stored customer credit card information is stolen from a store the financial<br />
institutions are often responsible for the loss not the store that had badly configured security.<br />
4.1 Vulnerability: Cyber incident data is inconsistent<br />
Most industries have no mandatory cyber incident reporting which makes estimating the true impact<br />
of cyber crime difficult to measure. Regular studies performed by the FBI (CSI, 2009), Secret Service,<br />
Verizon (Baker et. al, 2010) and Microsoft (Microsoft SIR, 2010) all use voluntary surveys and data<br />
gathering. However, there are differences in the change in malware rates. The FBI, Microsoft and<br />
Verizon security reports agree that malware attacks are on the risk. However, according to Microsoft’s<br />
SIR report, “Software vulnerabilities…have been on the decline since the second half of 2006,” The<br />
report ascribed this progress to better development quality practices (Microsoft, SIR, 2010) This disparity<br />
is the result of two vastly different data sets that Microsoft and Verizon have used the voluntary<br />
nature of cyber incident responses contributes to these differences. However, all three reports agree<br />
that data is inconsistent due to the lack of a mandatory reporting system.<br />
4.2 Mitigation: Mandate cyber incident reporting<br />
According to a Computer Security Institute survey only a small fraction of organizations that experience<br />
a cyber attack, report it to law enforcement. (CSI, 2009) Firms generally do not favour expanded<br />
mandatory reporting because they do not want bad press, or the public to have a negative perception.<br />
The reluctance is even greater when the firm does not suffer any immediate financial loss. Reporting<br />
these intrusions (crimes) is in the greater interest of society because authorities stand a better chance<br />
of stopping them if they have more information about the threat in general and can learn from emerging<br />
patterns.<br />
To address privacy concerns a reporting system that is similar to U.S. Treasury FINCEN Suspicious<br />
Activity Report (SAR) could be used. Currently, most financial institutions are mandated to report certain<br />
types of suspicious activity using SARs. SARs are kept secret and have tight dissemination standards<br />
and an effective tool in fighting financial crime. A similar reporting system for cyber-attacks<br />
would be equally beneficial. “Disclosure laws” could force software publishers and their customers<br />
that support critical infrastructure to report cyber-attacks and data breaches to DHS. (DHS NIAC,<br />
2009). By mandating reporting, there will be a more accurate picture regarding cyber threats. (Goertzel<br />
et. al.2007) This will help researchers identify weakness, and aid in the apprehension of attackers.<br />
The data collected will help inform actuary tables for insurance firms, and to develop risk analyses.<br />
Cyber crime incident reporting should be required by all CI industries first to gain better knowledge<br />
about the threat malware poses and educate business owners and managers about the financial<br />
and legal implications of improper software assurance processes.<br />
4.3 Vulnerability: Demand for cyber security<br />
Rational firms should use IT risk management to manage cyber security, but, firms often lack the<br />
knowledge and expertise to implement and it is difficult for firms to measure the effectiveness of investments<br />
into cyber security. (Mead, et. al, 2009) This makes it hard to justify expenditures and results<br />
in the general lack of secure programming investment. The public is left with the costs of a cyber-security<br />
incident such as firms that were the target of the cyber incident as well as its clients,<br />
banks or others who feel its negative effects, and include taxpayers if the government responds.<br />
Since the overall damage of a cyber-incident is generally higher for the public, they would rationally<br />
choose to have a higher investment in cyber-security. Unfortunately, the public has little say in what<br />
investment an individual firm decides to make in cyber-security leading to underinvestment in the<br />
eyes of the public. In economic terms, the aggregate private firm’s demand for cyber security is less<br />
than the public’s demand. This is a market failure, which invites regulation or some form of market<br />
correction to rectify this externality.<br />
Figure 2 illustrates a private firm’s efficient level of investment at q1 where there firms demand for<br />
security “D” equals the marginal cost “MC” for each additional investment. . The marginal social benefit<br />
is the public’s demand which equals q* when it crosses the marginal cost line. “q*” represents the<br />
72