2013 | Book

The Economics of Information Security and Privacy

About this book

In the late 1990s, researchers began to grasp that the roots of many information security failures can be better explained with the language of economics than by pointing to instances of technical flaws. This led to a thriving new interdisciplinary research field combining economic and engineering insights, measurement approaches and methodologies to ask fundamental questions concerning the viability of a free and open information society. While economics and information security comprise the nucleus of an academic movement that quickly drew the attention of thinktanks, industry, and governments, the field has expanded to surrounding areas such as management of information security, privacy, and, more recently, cybercrime, all studied from an interdisciplinary angle by combining methods from microeconomics, econometrics, qualitative social sciences, behavioral sciences, and experimental economics.

This book is structured in four parts, reflecting the main areas: management of information security, economics of information security, economics of privacy, and economics of cybercrime. Each individual contribution documents, discusses, and advances the state of the art concerning its specific research questions. It will be of value to academics and practitioners in the related fields.

Table of contents

Frontmatter

Management of Information Security

Frontmatter
Chapter 1. A Closer Look at Information Security Costs
Abstract
Economic aspects of information security are of growing interest to researchers and to decision-makers in IT-dependent companies. From a business-perspective, cost-benefit justifications for information security investments are in focus. While previous research has mostly focused on economic models for security investments, or on how to quantify the benefits of information security, this chapter aims to take a closer look at the costs of information security. After providing the reader with basic knowledge and motivation for the topic, we identify and describe the problems and difficulties in quantifying an enterprise’s cost for information security in a comprehensive and comparable way. Of these issues, the lack of a common model of costs of information security is the most prominent one. This chapter also discusses four approaches to categorize and determine the costs of information security in an enterprise. Starting with the classic approach frequently used in surveys, we continue by describing three alternative approaches. To support research on the costs of information security we propose two metrics. We conclude with input for future research, especially for an empirical analysis of the topic.
Matthias Brecht, Thomas Nowey
Chapter 2. To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool
Abstract
The threat of information security (IS) breaches is omnipresent. Large organizations such as Sony or Lockheed Martin were recently attacked and lost confidential customer information. Besides targeted attacks, virus and malware infections, lost or stolen laptops and mobile devices, or the abuse of the organizational IT through employees, to name but a few, also put the security of assets in jeopardy. To defend against IS threats, organizations invest in IS countermeasures preventing, or, at least, reducing the probability and the impact of IS breaches. As IS budgets are constrained and the number of assets to be protected is large, IS investments need to be deliberately evaluated. Several approaches for the evaluation of IS investments are presented in the literature. In this chapter, we identify, compare, and evaluate such approaches using the example of a policy and security configuration management tool. Such a tool is expected to reduce the costs of organizational policy and security configuration management and to increase the trustworthiness of organizations. It was found that none of the analyzed approaches can be used without reservation for the assessment of the economic viability of the policy and security configuration management tool used as an example. We see, however, considerable potential for new approaches combining different elements of existing approaches.
Lukas Demetz, Daniel Bachlechner
Chapter 3. Ad-Blocking Games: Monetizing Online Content Under the Threat of Ad Avoidance
Abstract
Much of the Internet economy relies on online advertising for monetizing digital content: Users are expected to accept the presence of online advertisements in exchange for content being free. However, online advertisements have become a serious problem for many Internet users: while some are merely annoyed by the incessant display of distracting ads cluttering Web pages, others are highly concerned about the privacy implications – as ad providers typically track users’ behavior for ad targeting purposes. Similarly, security problems related to technologies and practices employed for online advertisement have frustrated many users. Consequently, a number of software solutions have emerged that block online ads from being downloaded and displayed on users’ screens as they browse the Web. We focus on these advertisement avoidance technologies for online content and their economic ramifications for the monetization of websites. More specifically, our work addresses the interplay between users’ attempts to avoid commercial messages and content providers’ design of countermeasures. Our investigation is substantiated by the development of a game-theoretic model that serves as a framework usable by content providers to ponder their options to mitigate the consequences of ad avoidance techniques. We complement our analytical approach with simulation results, addressing different assumptions about user heterogeneity. Our findings show that publishers who treat each user individually, and strategically deploy fee-financed or ad-financed monetization strategy, obtain higher revenues, compared to deploying one monetization strategy across all users. In addition, our analysis shows that understanding the distribution of users’ aversion to ads and valuation of the content is essential for publishers to make a well-informed decision.
Nevena Vratonjic, Mohammad Hossein Manshaei, Jens Grossklags, Jean-Pierre Hubaux
Chapter 4. Software Security Economics: Theory, in Practice
Abstract
In economic models of cybersecurity, security investment yields positive, but diminishing, returns. If that were true for software vulnerabilities, fix rates should decrease, whereas the time between successive fixes should go up as vulnerabilities become fewer and harder to fix. In this work, we examine the empirical evidence for this hypothesis for Mozilla, Apache httpd and Apache Tomcat over the last several years. By looking at 292 vulnerability reports for Mozilla, 66 for Apache, and 21 for Tomcat, we find that the number of people committing vulnerability fixes changes proportionally to the number of vulnerability fixes for Mozilla and Tomcat, but not for Apache httpd. Our findings do not support the hypothesis that vulnerability fix rates decline. It seems as if the supply of easily fixable vulnerabilities is not running out and returns are not diminishing (yet). Additionally, software security has traditionally been viewed as an arms race between attackers and defenders. Recent work in an unrelated field has produced precise mathematical models for such arms races, but again the evidence we find is scant and does not support the hypothesis of an arms race (of this kind).
Stephan Neuhaus, Bernhard Plattner
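The hypothesis tested in Chapter 4 (if returns diminish, the gap between successive fixes should grow) can be checked on any project's fix history. The following is an added example written for this page, not the chapter's own analysis or data: it turns a list of dated vulnerability-fix commits into inter-fix intervals, counts fixes per year, and tests for a monotone trend in the intervals with Kendall's tau, implemented directly so that no third-party package is needed. The fix dates in FIX_DATES are constructed for illustration.

```python
from datetime import date

# Constructed sample of vulnerability-fix commit dates (not real project data).
FIX_DATES = [
    date(2009, 2, 3), date(2009, 2, 20), date(2009, 5, 1), date(2009, 9, 14),
    date(2010, 1, 8), date(2010, 6, 30), date(2011, 3, 2), date(2011, 12, 19),
]


def inter_fix_intervals(fix_dates):
    """Days between successive fixes, in chronological order."""
    ds = sorted(fix_dates)
    return [(later - earlier).days for earlier, later in zip(ds, ds[1:])]


def fixes_per_year(fix_dates):
    """Fix rate as a count per calendar year, oldest year first."""
    counts = {}
    for d in fix_dates:
        counts[d.year] = counts.get(d.year, 0) + 1
    return dict(sorted(counts.items()))


def kendall_tau(xs, ys):
    """Kendall's tau-a: (concordant - discordant) / (n choose 2).
    Tied pairs count as neither concordant nor discordant."""
    n = len(xs)
    if n < 2 or n != len(ys):
        raise ValueError("need two equally long sequences of length >= 2")
    concordant = discordant = 0
    for i in range(n):
        for j in range(i + 1, n):
            sign = (xs[i] - xs[j]) * (ys[i] - ys[j])
            if sign > 0:
                concordant += 1
            elif sign < 0:
                discordant += 1
    return (concordant - discordant) / (n * (n - 1) / 2)


def interval_trend(fix_dates):
    """tau between fix index and interval length.
    A value near +1 means fixes are slowing down (consistent with diminishing
    returns); near 0 means no trend; near -1 means fixes are speeding up."""
    intervals = inter_fix_intervals(fix_dates)
    return kendall_tau(list(range(len(intervals))), intervals)


def summarize(fix_dates):
    """Bundle the three views a reviewer of fix history would want."""
    return {
        "intervals_days": inter_fix_intervals(fix_dates),
        "fixes_per_year": fixes_per_year(fix_dates),
        "interval_trend_tau": interval_trend(fix_dates),
    }


if __name__ == "__main__":
    for key, value in summarize(FIX_DATES).items():
        print(f"{key}: {value}")
```

Kendall's tau is used rather than a least-squares slope because inter-fix intervals are heavy-tailed (one long quiet period would dominate a slope), and tau only asks whether later intervals tend to be longer. With real data the sample sizes in the chapter (292, 66 and 21 reports) are small enough that a tau near zero, as the chapter reports in substance, should be read as "no evidence of slowing" rather than proof that returns are not diminishing.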

Economics of Information Security

Frontmatter
Chapter 5. An Empirical Study on Information Security Behaviors and Awareness
Abstract
In this chapter, we investigate some key factors which have effects on employees’ behaviors in violating rules which are related to information leaks given the condition that the behaviors are totally prohibited by their organization. By using collected data from a survey that we conducted, and employing a stepwise logit model, we analyze the relationships above. The primary results are as follows: First of all, myopic cognition and hyperopic cognition measured by the CFC scale have effects on the behaviors of violating organizational rules in almost all cases. Next, in many cases, individuals whose information security awareness is higher tend not to violate the rules. Third, the behavior of violating the rules is independent of the size of the organization, and is not related to the degree of workplace satisfaction and the evaluation toward the managers in some cases. Fourth, in an organization in which permanent employment is implemented, individuals tend to violate the rules. It is not easy to control psychological factors such as an individual’s attitude toward risk. Conversely, the factors regarded as organizational attributes, such as the degree of workplace satisfaction or the employment system utilized, may be controlled by designing the appropriate organizational environment. Consequently, we consider that it may be effective to improve information security awareness by information security education and training.
Toshihiko Takemura, Ayako Komatsu
Chapter 6. Sectoral and Regional Interdependency of Japanese Firms Under the Influence of Information Security Risks
Abstract
Although there are some studies on inter-sectoral information security interdependency, the lack of regional interdependency analysis is one of their limitations. In this empirical study, we used an inter-regional input–output table in order to analyze both sectoral and regional interdependencies under the influence of information technology and the information security of Japanese firms. Our analysis showed that the economic scale of a region has a great influence on the characteristics of the interdependency. Furthermore, we found that the demand-side sectors can be classified into five classes based on the characteristics. Among them, the groups with high self-dependency get more benefits from simultaneous understanding of regional characteristics; for the sectors in these classes, investment advice obtained from sectoral characteristics only is very limited, whereas they can obtain much more from regional characteristics. Since these classes include a majority of the sectors, we can recognize the importance of regional interdependency analysis. In the above basic study, what we see is the situation before the Great East Japan Earthquake on March 11, 2011. As an extended study, we estimated the impact of the earthquake on the interdependency. Our main finding from the regional perspective is that the interdependency characteristics of the most damaged region (Tohoku) and of the economically largest region (Kanto) are impacted most significantly. This feature is not changed by the limitation of damage through prior security investment. Both in the basic study and in the extended study, we can see that considering not only sectoral but also regional characteristics is an effective approach to the task of empirically deriving implications related to the interdependency. There are many possibilities of more extended studies based on our methodology.
Bongkot Jenjarrussakul, Hideyuki Tanaka, Kanta Matsuura
Chapter 7. Can We Afford Integrity by Proof-of-Work? Scenarios Inspired by the Bitcoin Currency
Abstract
Proof-of-Work (PoW), a well-known principle to ration resource access in client-server relations, is about to experience a renaissance as a mechanism to protect the integrity of a global state in distributed transaction systems under decentralized control. Most prominently, the Bitcoin cryptographic currency protocol leverages PoW to (1) prevent double spending and (2) establish scarcity, two essential properties of any electronic currency. This chapter asks the important question whether this approach is generally viable. Citing actual data, it provides a first cut of an answer by estimating the resource requirements, in terms of operating cost and ecological footprint, of a suitably dimensioned PoW infrastructure and comparing them to three attack scenarios. The analysis is inspired by Bitcoin, but generalizes to potential successors, which fix Bitcoin’s technical and economic teething troubles discussed in the literature.
Jörg Becker, Dominic Breuker, Tobias Heide, Justus Holler, Hans Peter Rauer, Rainer Böhme
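Chapter 7 weighs the cost of a proof-of-work infrastructure against what an attacker would have to spend. The block below is an added example written for this page, not the chapter's code or Bitcoin's, showing the mechanism the cost argument rests on: a hashcash-style puzzle in which a solver must find a nonce whose double-SHA-256 hash has a given number of leading zero bits, while verification costs one hash regardless of difficulty. The expected work is 2^bits hash evaluations, which the last function converts into an energy bill; the hash-per-joule efficiency and electricity price it takes are assumptions supplied by the caller, not figures from the chapter, and the difficulty encoding (leading zero bits instead of Bitcoin's compact target) is simplified.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits when the digest is read big-endian."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def solve_pow(header: bytes, bits: int, max_nonce: int = 1 << 32):
    """Brute-force the smallest nonce such that sha256d(header || nonce) has at
    least `bits` leading zero bits. Returns (nonce, hashes_tried).
    The nonce is appended as a 4-byte little-endian field, as in a Bitcoin header."""
    for nonce in range(max_nonce):
        digest = sha256d(header + struct.pack("<I", nonce))
        if leading_zero_bits(digest) >= bits:
            return nonce, nonce + 1
    raise RuntimeError("no solution in nonce range; a real miner would change the header")


def verify_pow(header: bytes, nonce: int, bits: int) -> bool:
    """Verification is a single hash: the asymmetry that makes PoW useful."""
    digest = sha256d(header + struct.pack("<I", nonce))
    return leading_zero_bits(digest) >= bits


def expected_hashes(bits: int) -> float:
    """Expected number of hash evaluations to meet `bits` leading zero bits:
    each trial succeeds with probability 2^-bits, so the mean is 2^bits."""
    return 2.0 ** bits


def attack_cost_usd(bits: int, hashes_per_joule: float, usd_per_kwh: float) -> float:
    """Electricity cost of the expected work. Both hashes_per_joule (hardware
    efficiency) and usd_per_kwh are assumptions chosen by the caller."""
    joules = expected_hashes(bits) / hashes_per_joule
    return joules / 3.6e6 * usd_per_kwh   # 1 kWh = 3.6e6 J


if __name__ == "__main__":
    header = b"constructed block header"   # constructed input, not a real block
    nonce, tried = solve_pow(header, 16)
    print(f"nonce={nonce} after {tried} hashes; valid={verify_pow(header, nonce, 16)}")
    print(f"expected work at 16 bits: {expected_hashes(16):.0f} hashes")
    # The doubling rule: every extra bit doubles the expected cost, for the
    # attacker and for the honest network alike.
    for b in (40, 50, 60):
        print(f"{b} bits at 1e9 H/J and $0.10/kWh: ${attack_cost_usd(b, 1e9, 0.10):,.2f}")
```

The economic point the chapter makes follows from the last function: because honest participants and an attacker face the same per-hash cost, the only way to make an attack expensive is to make the honest infrastructure expensive, so the operating cost and energy footprint of the honest network are a lower bound on what security by PoW can ever cost.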
Chapter 8. Online Promiscuity: Prophylactic Patching and the Spread of Computer Transmitted Infections
Abstract
There is a long history of studying the epidemiology of computer malware. Much of this work has focused on the behaviors of specific viruses, worms, or botnets. In contrast, we seek to utilize an extension of the simple SIS model to examine the efficacy of various aggregate patching and recovery behaviors. We use the SIS model because we are interested in the global prevalence of malware, rather than the dynamics, such as recovery, covered in previous work. We consider four populations: vigilant and non-vigilant with infected or not for both sets. Using our model we show that small increases in patch rates and recovery speed are the most effective approaches to reduce system-wide vulnerabilities due to unprotected computers. Our results illustrate that a public health approach may be feasible, requiring a subpopulation adopt prophylactic actions rather than near-universal immunization.
Timothy Kelley, L. Jean Camp
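Chapter 8 argues from an extended SIS model that raising patch rates and recovery speed in a vigilant subpopulation lowers malware prevalence for everyone. The following is an added example written for this page, not the chapter's model or parameters: a minimal two-population SIS system in that spirit, in which vigilant hosts have a fraction of exploitable vulnerabilities already patched and recover faster, while non-vigilant hosts have neither, and every infected host can reach every other. The equations, the Euler integration and all parameter values are assumptions made here; the chapter's own model may differ in form and detail.

```python
from dataclasses import dataclass, replace


@dataclass
class SISParams:
    beta: float            # contact/infection rate per unit time
    vigilant_share: float  # fraction of all hosts that are vigilant, in [0, 1]
    patch_rate: float      # share of exploitable vulns already closed on vigilant hosts
    recover_v: float       # recovery (cleanup) rate of vigilant hosts
    recover_n: float       # recovery rate of non-vigilant hosts


def simulate(p: SISParams, i0: float = 0.01, dt: float = 0.05, steps: int = 40_000):
    """Euler-integrate the two-population SIS system (assumed form, see above):
        dI_v/dt = beta * (1 - patch_rate) * S_v * I_total - recover_v * I_v
        dI_n/dt = beta * S_n * I_total - recover_n * I_n
    where S_v = vigilant_share - I_v and S_n = (1 - vigilant_share) - I_n.
    Returns (total prevalence, vigilant infected share, non-vigilant infected share)."""
    pv = p.vigilant_share
    pn = 1.0 - pv
    iv, in_ = i0 * pv, i0 * pn          # seed infection pro rata across both groups
    for _ in range(steps):
        itot = iv + in_                  # homogeneous mixing across the whole population
        sv, sn = pv - iv, pn - in_       # susceptible fractions in each group
        div = p.beta * (1.0 - p.patch_rate) * sv * itot - p.recover_v * iv
        din = p.beta * sn * itot - p.recover_n * in_
        iv = min(max(iv + div * dt, 0.0), pv)    # clamp against Euler overshoot
        in_ = min(max(in_ + din * dt, 0.0), pn)
    return iv + in_, iv, in_


def r0(p: SISParams) -> float:
    """Basic reproduction number of the assumed model, from linearising at I = 0:
    the next-generation matrix has rank one, so its spectral radius is the sum
    of each group's own contribution. Infection dies out when this is below 1."""
    pv = p.vigilant_share
    return p.beta * (1.0 - p.patch_rate) * pv / p.recover_v + p.beta * (1.0 - pv) / p.recover_n


def sweep_patch_rate(p: SISParams, rates):
    """Equilibrium prevalence for each vigilant patch rate, other parameters fixed."""
    return [simulate(replace(p, patch_rate=r))[0] for r in rates]


if __name__ == "__main__":
    # Constructed parameters, not fitted to any data.
    base = SISParams(beta=0.6, vigilant_share=0.4, patch_rate=0.2, recover_v=0.3, recover_n=0.1)
    print(f"R0 = {r0(base):.2f}")
    for rate, prev in zip((0.2, 0.5, 0.9), sweep_patch_rate(base, (0.2, 0.5, 0.9))):
        print(f"vigilant patch rate {rate:.1f}: global prevalence {prev:.3f}")
    faster = replace(base, recover_v=0.6, recover_n=0.2)
    print(f"doubling recovery speed in both groups: prevalence {simulate(faster)[0]:.3f}")
```

Because the vigilant group's patching enters R0 only through its own term, the non-vigilant term sets a floor that no amount of vigilant patching removes; the sweep makes that visible, and it is the reason the chapter's conclusion is phrased in terms of a subpopulation adopting prophylaxis rather than universal immunization.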

Economics of Privacy

Frontmatter
Chapter 9. The Privacy Economics of Voluntary Over-disclosure in Web Forms
Abstract
The Web form is the primary method of collecting personal data from individuals on the Web. Privacy concerns, time spent, and typing effort act as a major deterrent to completing Web forms. Yet consumers regularly provide more data than required. In a field experiment, we recruited 1,500 Web users to complete a form asking for ten items of identity and profile information of varying levels of sensitivity. We manipulated the number of mandatory fields (none vs. two) and the compensation for participation ($0.25 vs. $0.50) to quantify the extent of over-disclosure, the motives behind it, and the resulting costs and privacy invasion. We benchmarked the efficiency of compulsion and incentives in soliciting data against voluntary disclosure alone. We observed a high prevalence of deliberate and unpaid over-disclosure of data. Participants regularly completed more form fields than required, or provided more details than requested. Through careful experimental design, we verified that participants understood that additional data disclosure was voluntary, and the information provided was considered sensitive. In our experiment, we found that making some fields mandatory jeopardised voluntary disclosure for the remaining optional fields. Conversely, monetary incentives for disclosing those same fields yielded positive spillover by increasing revelation ratios for other optional fields. We discuss the implications for commercial website operators, regulators, privacy-enhancing browser standards, and further experimental research in privacy economics.
Sören Preibusch, Kat Krol, Alastair R. Beresford
Chapter 10. Choice Architecture and Smartphone Privacy: There’s a Price for That
Abstract
Under certain circumstances, consumers are willing to pay a premium for privacy. We explore how choice architecture affects smartphone users’ stated willingness to install applications that request varying permissions. We performed two experiments to gauge smartphone users’ stated willingness to pay premiums to limit their personal information exposure when installing applications. When participants were comparison shopping between multiple applications that performed similar functionality, a quarter of our sample indicated a willingness to pay a $1.50 premium for the application that requested the fewest permissions—though only when viewing the requested permissions of each application side-by-side. In a second experiment, we more closely simulated the user experience by asking them to valuate a single application that featured multiple sets of permissions based on five between-subjects conditions. In this scenario, the requested permissions had a much smaller impact. Our results suggest that many smartphone users are concerned with their privacy and are willing to pay premiums for applications that are less likely to request access to personal information, but that the current choice architectures do not support this. We propose improvements for smartphone application markets that could result in decreased satisficing and increased rational behavior.
Serge Egelman, Adrienne Porter Felt, David Wagner
Chapter 11. Would You Sell Your Mother’s Data? Personal Data Disclosure in a Simulated Credit Card Application
Abstract
To assess the risk of a loan applicant defaulting, lenders feed applicants’ data into credit scoring algorithms. They are always looking to improve the effectiveness of their predictions, which means improving the algorithms and/or collecting different data. Research on financial behavior found that elements of a person’s family history and social ties can be good predictors of financial responsibility and control. Our study investigated how loan applicants applying for a credit card would respond to questions such as “Did any of your loved ones die while you were growing up?” 48 participants were asked to complete a new type of credit card application form containing such requests as part of a “Consumer Acceptance Test” of a credit card with lower interest rates, but only available to “financially responsible customers.” This was a double-blind study—the experimenters processing participants were told exactly the same. We found that: (1) more sensitive items are disclosed less often—e.g., friends’ names and contact had only a 69 % answer rate; (2) privacy fundamentalists are 5.6 times less likely to disclose data; and (3) providing a justification for a question has no effect on its answer rate. Discrepancies between acceptability and disclosure were observed—e.g., 43 % provided names and contact of friends, having said they found the question unacceptable. We conclude that collecting data items not traditionally seen as relevant could be made acceptable if lenders can credibly establish relevance, and assure applicants they will be assessed fairly. More research needs to be done on how to best communicate these qualities.
Miguel Malheiros, Sacha Brostoff, Charlene Jennett, M. Angela Sasse

Economics of Cybercrime

Frontmatter
Chapter 12. Measuring the Cost of Cybercrime
Abstract
This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. 
Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.
Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J. G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage
Chapter 13. Analysis of Ecrime in Crowd-Sourced Labor Markets: Mechanical Turk vs. Freelancer
Abstract
Research in the economics of security has contributed more than a decade of empirical findings to the understanding of the microeconomics of (in)security, privacy, and ecrime. Here we build on insights from previous macro-level research on crime, and microeconomic analyses of ecrime to develop a set of hypotheses to predict which variables are correlated with national participation levels in crowd-sourced ecrime. Some hypotheses appear to hold, e.g. Internet penetration, English literacy, size of the labor market, and government policy all are significant indicators of crowd-sourced ecrime market participation. Greater governmental transparency, less corruption, and more consistent rule of law lower the participation rate in ecrime. Other results are counter-intuitive. GDP per person is not significant, and, unusually for crime, a greater percentage of women does not correlate to decreased crime. One finding relevant to policymaking is that deterring bidders in crowd-sourced labor markets is an ineffective approach to decreasing demand and in turn market size.
Vaibhav Garg, L. Jean Camp, Chris Kanich
Metadata
Title
The Economics of Information Security and Privacy
edited by
Rainer Böhme
Copyright year
2013
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-39498-0
Print ISBN
978-3-642-39497-3
DOI
https://doi.org/10.1007/978-3-642-39498-0