IDEAS home Printed from https://ideas.repec.org/a/eee/ijocip/v3y2010i3p103-117.html

The economics of cybersecurity: Principles and policy options

Author

Listed:
  • Moore, Tyler

Abstract

Economics puts the challenges facing cybersecurity into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. For instance, companies operating critical infrastructures have integrated control systems with the Internet to reduce near-term, measurable costs while raising the risk of catastrophic failures, whose losses will be primarily borne by society. As long as anti-virus software is left to individuals to purchase and install, there may be a less than optimal level of protection when infected machines cause trouble for other machines rather than their owners. In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. In this paper, we examine the economic challenges that plague cybersecurity: misaligned incentives, information asymmetries, and externalities. We then discuss the regulatory options that are available to overcome these barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and providing them to the World Trade Organization (WTO).

Suggested Citation

  • Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    • Handle: RePEc:eee:ijocip:v:3:y:2010:i:3:p:103-117
    DOI: 10.1016/j.ijcip.2010.10.002
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1874548210000429
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.ijcip.2010.10.002?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to

    for a different version of it.

    References listed on IDEAS

    as
    1. Konar, Shameek & Cohen, Mark A., 1997. "Information As Regulation: The Effect of Community Right to Know Laws on Toxic Emissions," Journal of Environmental Economics and Management, Elsevier, vol. 32(1), pages 109-124, January.
    2. Michel J. G. van Eeten & Johannes M. Bauer, 2008. "Economics of Malware: Security Decisions, Incentives and Externalities," OECD Science, Technology and Industry Working Papers 2008/1, OECD Publishing.
    3. Steven Shavell, 1984. "A Model of the Optimal Use of Liability and Safety Regulation," RAND Journal of Economics, The RAND Corporation, vol. 15(2), pages 271-280, Summer.
    4. Richard J. Sullivan, 2009. "The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States," Payments System Research Briefing, Federal Reserve Bank of Kansas City, issue October, pages 1-5.
    5. George A. Akerlof, 1970. "The Market for "Lemons": Quality Uncertainty and the Market Mechanism," The Quarterly Journal of Economics, President and Fellows of Harvard College, vol. 84(3), pages 488-500.
    6. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    7. Sari Pekkala Kerr & Tuomas Pekkarinen & Roope Uusitalo, 2013. "School Tracking and Development of Cognitive Skills," Journal of Labor Economics, University of Chicago Press, vol. 31(3), pages 577-602.
    8. Kolstad, Charles D & Ulen, Thomas S & Johnson, Gary V, 1990. "Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements?," American Economic Review, American Economic Association, vol. 80(4), pages 888-901, September.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Higgs, James & Flowerday, Stephen, 2024. "Towards Definitive Categories for Online Video Game Money Laundering," SocArXiv ckxa8, Center for Open Science.
    2. repec:bcp:journl:v:9:y:2025:i:11:p:3056-3069 is not listed on IDEAS
    3. Tyler MOORE & Richard CLAYTON, 2011. "The Impact of Public Information on Phishing Attack and Defense," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(81), pages 45-68, 1st quart.
    4. Andjelka Kelic & Zachary A. Collier & Christopher Brown & Walter E. Beyeler & Alexander V. Outkin & Vanessa N. Vargas & Mark A. Ehlen & Christopher Judson & Ali Zaidi & Billy Leung & Igor Linkov, 2013. "Decision framework for evaluating the macroeconomic risks and policy impacts of cyber attacks," Environment Systems and Decisions, Springer, vol. 33(4), pages 544-560, December.
    5. Rajan, Rishabh & Rana, Nripendra P. & Parameswar, Nakul & Dhir, Sanjay & Sushil, & Dwivedi, Yogesh K., 2021. "Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management," Technological Forecasting and Social Change, Elsevier, vol. 170(C).
    6. Mezei, Péter & Verteș-Olteanu, Andreea, 2020. "Editorial: From trust in the system to trust in the content," Internet Policy Review: Journal on Internet Regulation, Alexander von Humboldt Institute for Internet and Society (HIIG), Berlin, vol. 9(4), pages 1-28.
    7. Yugang He, 2024. "China’s digital shadows: unveiling the economic toll of cybercrime," Humanities and Social Sciences Communications, Palgrave Macmillan, vol. 11(1), pages 1-10, December.
    8. Richard J. Sullivan, 2014. "Controlling security risk and fraud in payment systems," Economic Review, Federal Reserve Bank of Kansas City, issue Q III, pages 5-36.
    9. repec:osf:socarx:ckxa8_v1 is not listed on IDEAS
    10. Alexander A. Ganin & Phuoc Quach & Mahesh Panwar & Zachary A. Collier & Jeffrey M. Keisler & Dayton Marchese & Igor Linkov, 2020. "Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management," Risk Analysis, John Wiley & Sons, vol. 40(1), pages 183-199, January.
    11. Godsway Korku Tetteh & Chuks Otioma, 2025. "Cyberattack, cyber risk mitigation capabilities, and firm productivity in Kenya," Small Business Economics, Springer, vol. 64(3), pages 1493-1514, March.
    12. Olaf Jonkeren & Piet Rietveld, 2016. "Protection of Critical Waterborne Transport Infrastructures: An Economic Review," Transport Reviews, Taylor & Francis Journals, vol. 36(4), pages 437-453, July.
    13. Moritz-C. Schlegel & Claudia Koch & Mona Mirtsch & Andrea Harrer, 2021. "Smart Products Enable Smart Regulations—Optimal Durability Requirements Facilitated by the IoT," Sustainability, MDPI, vol. 13(8), pages 1-14, April.
    14. Dirk Wrede & Tino Stegen & Johann-Matthias Schulenburg, 2020. "Affirmative and silent cyber coverage in traditional insurance policies: Qualitative content analysis of selected insurance products from the German insurance market," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 657-689, October.
    15. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    16. Abraham Yosipof & Netanel Drori & Or Elroy & Yannis Pierraki, 2024. "Textual sentiment analysis and description characteristics in crowdfunding success: The case of cybersecurity and IoT industries," Electronic Markets, Springer;IIM University of St. Gallen, vol. 34(1), pages 1-14, December.
    17. Yuquan Li & Yuexin Xiang & Qin Wang & Tsz Hon Yuen & Andreas Deppeler & Jiangshan Yu, 2025. "SoK: Stablecoins in Retail Payments," Papers 2601.00196, arXiv.org.
    18. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    19. Galbraith, John W. & Iuliani, Luca, 2019. "Measures of robustness for networked critical infrastructure: An empirical comparison on four electrical grids," International Journal of Critical Infrastructure Protection, Elsevier, vol. 27(C).
    20. Ahnert, Toni & Brolley, Michael & Cimon, David & Riordan, Ryan, 2022. "Cyber Risk and Security Investment," CEPR Discussion Papers 17403, C.E.P.R. Discussion Papers.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    2. Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
    3. Kenneth S. Corts, 2013. "Prohibitions on False and Unsubstantiated Claims: Inducing the Acquisition and Revelation of Information through Competition Policy," Journal of Law and Economics, University of Chicago Press, vol. 56(2), pages 453-486.
    4. Tomas J. Philipson & George Zanjani, 2013. "Economic Analysis of Risk and Uncertainty induced by Health Shocks: A Review and Extension," NBER Working Papers 19005, National Bureau of Economic Research, Inc.
    5. Michael Faure, 2009. "Environmental Liability," Chapters, in: Michael Faure (ed.), Tort Law and Economics, chapter 10, Edward Elgar Publishing.
    6. Pat Akey & Ian Appel, 2021. "The Limits of Limited Liability: Evidence from Industrial Pollution," Journal of Finance, American Finance Association, vol. 76(1), pages 5-55, February.
    7. Bartsch, Elga, 1996. "Enforcement of environmental liability in the case of uncertain causality and asymmetric information," Kiel Working Papers 755, Kiel Institute for the World Economy.
    8. Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," LIDAM Discussion Papers CORE 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    9. Suurmond, Guido, 2007. "The effects of the enforcement strategy," MPRA Paper 21142, University Library of Munich, Germany.
    10. Salvatore Piccolo & Piero Tedeschi & Giovanni Ursino, 2018. "Deceptive Advertising with Rational Buyers," Management Science, INFORMS, vol. 64(3), pages 1291-1310, March.
    11. Anna Nagurney & Ladimer Nagurney, 2015. "A game theory model of cybersecurity investments with information asymmetry," Netnomics, Springer, vol. 16(1), pages 127-148, August.
    12. Marion Desquilbet & Sylvaine Poret, 2014. "How do GM/non GM coexistence regulations affect markets and welfare?," European Journal of Law and Economics, Springer, vol. 37(1), pages 51-82, February.
    13. Gérard Mondello, 2013. "Ambiguous Beliefs on Damages and Civil Liability Theories"," Post-Print halshs-00929948, HAL.
    14. Andrzej Baniak & Peter Grajzl, 2014. "Controlling Product Risks when Consumers are Heterogeneously Overconfident: Producer Liability vs. Minimum Quality Standard Regulation," CESifo Working Paper Series 5003, CESifo.
    15. Gérard Mondello, 2022. "Strict liability, scarce generic input and duopoly competition," European Journal of Law and Economics, Springer, vol. 54(3), pages 369-404, December.
    16. Sébastien Pouliot & Daniel A. Sumner, 2008. "Traceability, Liability, and Incentives for Food Safety and Quality," American Journal of Agricultural Economics, Agricultural and Applied Economics Association, vol. 90(1), pages 15-27.
    17. Marcel Boyer & Donatella Porrini, 2010. "Optimal liability sharing and court errors: an exploratory analysis," Working Papers hal-00463913, HAL.
    18. Venus, Thomas & Punt, Maarten & Wesseler, Justus, 2015. "Influence of voluntary GMO-free production standards on the reputation and flexibility of agricultural value chains," 2015 Conference, August 9-14, 2015, Milan, Italy 211920, International Association of Agricultural Economists.
    19. Charreire, Maxime & Langlais, Eric, 2021. "Should environment be a concern for competition policy when firms face environmental liability?," International Review of Law and Economics, Elsevier, vol. 67(C).
    20. Arbatskaya, Maria & Aslam, Maria Vyshnya, 2018. "Liability or labeling? Regulating product risks with costly consumer attention," Journal of Economic Behavior & Organization, Elsevier, vol. 154(C), pages 238-252.

    More about this item

    Keywords

    ;
    ;
    ;
    ;
    ;
    ;
    ;
    ;

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:ijocip:v:3:y:2010:i:3:p:103-117. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/international-journal-of-critical-infrastructure-protection .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.