Printed from https://ideas.repec.org/a/gam/jsusta/v13y2021i24p13677-d699824.html

Systematically Understanding Cybersecurity Economics: A Survey

Author

Listed:
  • Mazaher Kianpour

    (Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, NTNU Norwegian University of Science and Technology, 2815 Gjøvik, Norway)

  • Stewart J. Kowalski

    (Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, NTNU Norwegian University of Science and Technology, 2815 Gjøvik, Norway)

  • Harald Øverby

    (Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, NTNU Norwegian University of Science and Technology, 2815 Gjøvik, Norway)

Abstract

Insights in the field of cybersecurity economics empower decision makers to make informed decisions that improve their evaluation and management of situations that may lead to catastrophic consequences and threaten the sustainability of digital ecosystems. By drawing on these insights, cybersecurity practitioners have been able to respond to many complex problems that have emerged within the context of cybersecurity over the last two decades. The academic field of cybersecurity economics is highly interdisciplinary since it combines core findings and tools from disciplines such as sociology, psychology, law, political science, and computer science. This study aims to develop an extensive and consistent survey based on a literature review and publicly available reports. This review contributes by aggregating the available knowledge from 28 studies, out of a collection of 628 scholarly articles, to answer five specific research questions. The focus is how identified topics have been conceptualized and studied variously. This review shows that most of the cybersecurity economics models are transitioning from unrealistic, unverifiable, or highly simplified fundamental premises toward dynamic, stochastic, and generalizable models.

Suggested Citation

  • Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
  • Handle: RePEc:gam:jsusta:v:13:y:2021:i:24:p:13677-:d:699824

    Download full text from publisher

    File URL: https://www.mdpi.com/2071-1050/13/24/13677/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2071-1050/13/24/13677/
    Download Restriction: no

    References listed on IDEAS

    1. Corbet, Shaen & Gurdgiev, Constantin, 2019. "What the hack: Systematic risk contagion from cyber events," International Review of Financial Analysis, Elsevier, vol. 65(C).
    2. Ahmadi, Esmaeil & McLellan, Benjamin & Tezuka, Tetsuo, 2020. "The economic synergies of modelling the renewable energy-water nexus towards sustainability," Renewable Energy, Elsevier, vol. 162(C), pages 1347-1366.
    3. Huang, C. Derrick & Behara, Ravi S., 2013. "Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints," International Journal of Production Economics, Elsevier, vol. 141(1), pages 255-268.
    4. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    5. Shackelford, Scott J., 2012. "Should your firm invest in cyber risk insurance?," Business Horizons, Elsevier, vol. 55(4), pages 349-356.
    6. David Colander & Richard Holt & Barkley Rosser, 2004. "The changing face of mainstream economics," Review of Political Economy, Taylor & Francis Journals, vol. 16(4), pages 485-499.
    7. Anthony Ween & Peter Dortmans & Nitin Thakur & Cayt Rowe, 2019. "Framing cyber warfare: an analyst’s perspective," The Journal of Defense Modeling and Simulation, , vol. 16(3), pages 335-345, July.
    8. TaeYoung Kim & NamIl An & JongBeom Lim, 2018. "Scientific Information System for Silk Road Education Study," Sustainability, MDPI, vol. 10(9), pages 1-12, September.
    9. Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    10. Peter B. Dixon & Dale Jorgenson (ed.), 2012. "Handbook of Computable General Equilibrium Modeling," Handbook of Computable General Equilibrium Modeling, Elsevier, edition 1, volume 1, number 1.
    11. Wang, Shaun S., 2019. "Integrated framework for information security investment and cyber insurance," Pacific-Basin Finance Journal, Elsevier, vol. 57(C).
    12. Derrick Huang, C. & Hu, Qing & Behara, Ravi S., 2008. "An economic analysis of the optimal information security investment in the case of a risk-averse firm," International Journal of Production Economics, Elsevier, vol. 114(2), pages 793-804, August.
    13. Bauer, Johannes M. & van Eeten, Michel J.G., 0. "Cybersecurity: Stakeholder incentives, externalities, and policy options," Telecommunications Policy, Elsevier, vol. 33(10-11), pages 706-719, November.
    14. S. Dellavigna., 2011. "Psychology and Economics: Evidence from the Field," VOPROSY ECONOMIKI, N.P. Redaktsiya zhurnala "Voprosy Economiki", vol. 4.
    15. Anna Nagurney & Ladimer Nagurney, 2015. "A game theory model of cybersecurity investments with information asymmetry," Netnomics, Springer, vol. 16(1), pages 127-148, August.
    16. Maochao Xu & Lei Hua, 2019. "Cybersecurity Insurance: Modeling and Pricing," North American Actuarial Journal, Taylor & Francis Journals, vol. 23(2), pages 220-249, April.
    17. Elsner, Wolfram & Heinrich, Torsten & Schwardt, Henning, 2014. "The Microeconomics of Complex Economies," Elsevier Monographs, Elsevier, edition 1, number 9780124115859.
    18. Alessandro Mazzoccoli & Maurizio Naldi, 2020. "Robustness of Optimal Investment Decisions in Mixed Insurance/Investment Cyber Risk Management," Risk Analysis, John Wiley & Sons, vol. 40(3), pages 550-564, March.
    19. Mayadunne, Sanjaya & Park, Sungjune, 2016. "An economic model to evaluate information security investment of risk-taking small and medium enterprises," International Journal of Production Economics, Elsevier, vol. 182(C), pages 519-530.
    20. Hausken, Kjell, 2007. "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, Elsevier, vol. 26(6), pages 639-688.
    21. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    22. Yosra Miaoui & Noureddine Boudriga, 0. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 0, pages 1-40.
    23. Kjell Hausken, 2014. "Returns to information security investment: Endogenizing the expected loss," Information Systems Frontiers, Springer, vol. 16(2), pages 329-336, April.
    24. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    25. Daniel Schatz & Rabih Bashroush, 0. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 0, pages 1-24.
    26. Gordon, Lawrence A. & Loeb, Martin P. & Lucyshyn, William, 2003. "Sharing information on computer systems security: An economic analysis," Journal of Accounting and Public Policy, Elsevier, vol. 22(6), pages 461-485.
    27. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    28. Stefan Thurner & Sebastian Poledna, 2013. "DebtRank-transparency: Controlling systemic risk in financial networks," Papers 1301.6115, arXiv.org.
    29. Mustafa Abdallah & Parinaz Naghizadeh & Ashish R. Hota & Timothy Cason & Saurabh Bagchi & Shreyas Sundaram, 2020. "Behavioral and Game-Theoretic Security Investments in Interdependent Systems Modeled by Attack Graphs," Papers 2001.03213, arXiv.org, revised May 2020.
    30. Elvis Pontes & Adilson Guelfi & Anderson Silva & Sergio Kofuji, 2011. "A Comprehensive Risk Management Framework for Approaching the Return on Security Investment (ROSI)," Chapters, in: Matteo Savino (ed.), Risk Management in Environment, Production and Economy, IntechOpen.
    31. Peter J. Dortmans & Nitin Thakur & Anthony Ween, 2015. "Conjectures for framing cyberwarfare," Defense & Security Analysis, Taylor & Francis Journals, vol. 31(3), pages 172-184, September.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Yosra Miaoui & Noureddine Boudriga, 2019. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 21(2), pages 261-300, April.
    2. Yosra Miaoui & Noureddine Boudriga, 0. "Enterprise security investment through time when facing different types of vulnerabilities," Information Systems Frontiers, Springer, vol. 0, pages 1-40.
    3. Yong Wu & Gengzhong Feng & Richard Y. K. Fung, 2018. "Comparison of information security decisions under different security and business environments," Journal of the Operational Research Society, Taylor & Francis Journals, vol. 69(5), pages 747-761, May.
    4. Xinbao Liu & Xiaofei Qian & Jun Pei & Panos M. Pardalos, 2018. "Security investment and information sharing in the market of complementary firms: impact of complementarity degree and industry size," Journal of Global Optimization, Springer, vol. 70(2), pages 413-436, February.
    5. Kjell Hausken & Jonathan W. Welburn, 2021. "Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits," Information Systems Frontiers, Springer, vol. 23(6), pages 1609-1620, December.
    6. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 0. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 0, pages 1-18.
    7. Chenglong Zhang & Nan Feng & Jianjian Chen & Dahui Li & Minqiang Li, 2021. "Outsourcing Strategies for Information Security: Correlated Losses and Security Externalities," Information Systems Frontiers, Springer, vol. 23(3), pages 773-790, June.
    8. Petar Radanliev & David Roure & Max Kleek & Uchenna Ani & Pete Burnap & Eirini Anthi & Jason R. C. Nurse & Omar Santos & Rafael Mantilla Montalvo & La’Treall Maddox, 2021. "Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems: cyber risk at the edge," Environment Systems and Decisions, Springer, vol. 41(2), pages 236-247, June.
    9. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    10. Xing Gao & Weijun Zhong, 2016. "Economic incentives in security information sharing: the effects of market structures," Information Technology and Management, Springer, vol. 17(4), pages 361-377, December.
    11. Xing Gao & Weijun Zhong, 2015. "Information security investment for competitive firms with hacker behavior and security requirements," Annals of Operations Research, Springer, vol. 235(1), pages 277-300, December.
    12. Xiaofei Qian & Jun Pei & Xinbao Liu & Mi Zhou & Panos M. Pardalos, 2019. "Information security decisions for two firms in a market with different types of customers," Journal of Combinatorial Optimization, Springer, vol. 38(4), pages 1263-1285, November.
    13. Xiaotong Li & Qianyao Xue, 2021. "An economic analysis of information security investment decision making for substitutable enterprises," Managerial and Decision Economics, John Wiley & Sons, Ltd., vol. 42(5), pages 1306-1316, July.
    14. Daniel Schatz & Rabih Bashroush, 0. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 0, pages 1-24.
    15. Xing Gao & Weijun Zhong & Shue Mei, 2014. "A game-theoretic analysis of information sharing and security investment for complementary firms," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 65(11), pages 1682-1691, November.
    16. Alessandro Fedele & Cristian Roner, 2022. "Dangerous games: A literature review on cybersecurity investments," Journal of Economic Surveys, Wiley Blackwell, vol. 36(1), pages 157-187, February.
    17. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    18. Daniel Schatz & Rabih Bashroush, 2017. "Economic valuation for information security investment: a systematic literature review," Information Systems Frontiers, Springer, vol. 19(5), pages 1205-1228, October.
    19. Alain Mermoud & Marcus Keupp & Kévin Huguenin & Maximilian Palmié & Dimitri Percia David, 2019. "To share or not to share: A behavioral perspective on human participation in security information sharing," Post-Print hal-02147702, HAL.
    20. Lu Xu & Yanhui Li & Jing Fu, 2019. "Cybersecurity Investment Allocation for a Multi-Branch Firm: Modeling and Optimization," Mathematics, MDPI, vol. 7(7), pages 1-20, July.
