Can Economics be applied in Cyber Security? | Lucideus Research
Introduction:
Economics is the science that analyses, using established economic techniques, the quantitative and qualitative effects of human interaction with market mechanisms on the economy. Economics is currently applied in many areas, such as the environment, law, the economics of discrimination, policies and regulations, and health. In cybersecurity, however, it is still largely unexplored, and only a little work has been done in this direction. There is considerable scope for applying economics to cybersecurity and making it stronger, and ample research remains to be done that could yield useful results in the future. We provide a brief overview of a few economic concepts and theories and their possible connections to cybersecurity.
Description:
The first concept that can be borrowed from economics for cybersecurity is that of economic indices. Indices are used in economics to quantify the quality of different features or the change in a phenomenon, for example the CPI (Consumer Price Index), the IPI (Industrial Production Index) or credit scores. Similar indices could be used to quantify various situations in cybersecurity as well. SAFE, our flagship product, uses this same principle of indices to quantify the maturity of preparedness against cyberattacks for different information technology assets at different points in time. It also provides an index that reflects the overall security posture of a given organisation. Such indices could also be used to quantify the information risk faced by an organisation, or the possible losses that various threat events could cause.
Game theory is a tool that could be used to work out the optimal choices of organisations and attackers, provided we can model the incentive structure and the security framework. Different sets of policies and security controls implemented on the assets change the attackers' incentives, and therefore their optimal strategies. Game theory could help identify those optimal strategies, on the basis of which organisations could choose a relevant set of policies and an allocation of security resources that minimises the probability of attack or the loss due to attacks. Some game-theoretic systems, such as ARMOR, are already deployed for security at Los Angeles International Airport. Similarly, game theory can be used in cybersecurity to build defence mechanisms that make use of the variety of available information.
Externality refers to the phenomenon where the activities of party A have good or bad consequences for party B. It is one of the most discussed and important topics in economics. Externalities occur in an economy when the production or consumption of a good has an impact on unrelated parties. For example, a manufacturing firm in a city that causes pollution negatively affects the citizens of that city; this is referred to as a negative externality created by the firm.
This concept of externality can also be applied in cybersecurity, since there are situations in which the actions taken by one person affect an unrelated party that did not agree to those actions. Externalities can be either positive or negative, as the following examples show:
- A positive externality occurs when, say, a researcher, by investing effort and resources, finds a very popular mobile application to be malicious. This information is then useful to other people, who can remove the application and protect their data from being leaked. Such a finding creates a positive externality.
- An example of a negative externality would be an employee who does not protect his office laptop with a strong password. This could result in his PC being compromised, which may in turn lead to another employee's PC being compromised and, ultimately, to critical information being leaked. This is a negative externality for the other employees.
Various corrective measures can be taken to mitigate these externalities, depending on their type, so that the overall welfare attached to cyberspace increases.
Pareto optimality & optimisation: This refers to a situation in which resources are allocated in a manner that turns out to be efficient. Pareto optimality is achieved when no other allocation can make someone better off without making someone else worse off. This concept leads further into the problem of optimisation. Consider investment in the implementation of controls. There is always a cost associated with each control you are required to implement in the system, and a fixed budget that has to be allocated across those controls. Optimisation is used here to maximise the security level given the prespecified budget. The result of this optimisation should be such that any other allocation would either lower the overall security level or increase the budget required for the same level of security.
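The budget-constrained control selection described above, worked through as an added example (this is illustrative code, not part of the original article or of SAFE): a 0/1 knapsack picks the subset of controls that maximises risk reduction within the budget, and a brute-force check confirms the Pareto condition from the text. The control catalogue, its costs and its risk-reduction scores are constructed values.

```python
from itertools import combinations

# Constructed catalogue of candidate controls: (name, cost, risk reduction).
# Values are illustrative, not drawn from any real assessment.
CONTROLS = [
    ("mfa", 30, 40),
    ("edr", 50, 55),
    ("patching", 20, 30),
    ("backups", 25, 25),
    ("awareness", 10, 12),
]

def best_allocation(controls, budget):
    """0/1 knapsack: pick the subset of controls that maximises total risk
    reduction without exceeding the budget. Returns (names, cost, reduction)."""
    n = len(controls)
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i, (_, cost, gain) in enumerate(controls, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if cost <= b and best[i - 1][b - cost] + gain > best[i][b]:
                best[i][b] = best[i - 1][b - cost] + gain
    # Walk the table backwards to recover which controls were chosen.
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(controls[i - 1][0])
            b -= controls[i - 1][1]
    chosen.reverse()
    spent = sum(c for name, c, _ in controls if name in chosen)
    return chosen, spent, best[n][budget]

def is_pareto_optimal(controls, chosen):
    """Pareto check from the text, by exhaustive search (fine for a short
    catalogue): no other subset gives more risk reduction for the same or
    lower cost, nor the same reduction for a lower cost."""
    by_name = {name: (c, g) for name, c, g in controls}
    cost = sum(by_name[name][0] for name in chosen)
    gain = sum(by_name[name][1] for name in chosen)
    names = list(by_name)
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            c = sum(by_name[name][0] for name in subset)
            g = sum(by_name[name][1] for name in subset)
            if (g > gain and c <= cost) or (g == gain and c < cost):
                return False
    return True

if __name__ == "__main__":
    names, spent, reduction = best_allocation(CONTROLS, budget=100)
    print(names, spent, reduction, is_pareto_optimal(CONTROLS, names))
```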
Econometric modelling: Econometric modelling deals with the techniques employed to establish, empirically, the relation between a dependent variable and theoretically backed indicators. For example, consumption depends on an individual's income, the price of the good she consumes, the type of good she consumes and several other factors. This relationship can be verified empirically using regression models and testing the significance of the indicators. The same approach can be used in the cybersecurity domain. The frequency of security breaches depends on various factors, such as the number of potential adversaries, their different incentives to attack, the attack risk, the required skills and resources, and so on. A model can be built on these factors, and the relation established according to the significance level of the independent variables given certain parameters.
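An added example of the regression approach just described (illustrative code, not from the original article): breach frequency is regressed on two of the factors named in the text, the number of potential adversaries and the skill an attack requires, by ordinary least squares with a small hand-written matrix inverse, and the coefficients are reported with standard errors and t-statistics so their significance can be judged. The observations are constructed so that the true relation is known.

```python
import math

# Constructed observations, not real data: four (adversaries, required skill)
# settings, each observed twice, with breach counts scattered +/-1 around the
# plane breaches = 1 + 0.5*adversaries - 1.0*skill (skill: 1 = low, 3 = high).
OBSERVATIONS = [
    # (breaches, potential adversaries, required skill)
    (4, 10, 1), (6, 10, 1), (2, 10, 3), (4, 10, 3),
    (9, 20, 1), (11, 20, 1), (7, 20, 3), (9, 20, 3),
]

def invert(m):
    """Gauss-Jordan inverse with partial pivoting for a small square matrix."""
    n = len(m)
    a = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]

def ols(observations):
    """Fit breaches = b0 + b1*adversaries + b2*skill by ordinary least squares.
    Returns (coefficients, standard errors, t-statistics); index 0 is the intercept."""
    y = [float(o[0]) for o in observations]
    X = [[1.0] + [float(v) for v in o[1:]] for o in observations]  # intercept column
    n, k = len(X), len(X[0])
    xtx = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(k)] for i in range(k)]
    xty = [sum(X[r][i] * y[r] for r in range(n)) for i in range(k)]
    inv = invert(xtx)
    beta = [sum(inv[i][j] * xty[j] for j in range(k)) for i in range(k)]
    resid = [y[r] - sum(X[r][i] * beta[i] for i in range(k)) for r in range(n)]
    sigma2 = sum(e * e for e in resid) / (n - k)           # residual variance
    se = [math.sqrt(sigma2 * inv[i][i]) for i in range(k)]  # standard errors
    t = [b / s for b, s in zip(beta, se)]                   # |t| well above 2: significant
    return beta, se, t

if __name__ == "__main__":
    beta, se, t = ols(OBSERVATIONS)
    for name, b, s, tv in zip(["intercept", "adversaries", "skill"], beta, se, t):
        print(f"{name:12s} coef={b:7.3f} se={s:6.3f} t={tv:7.3f}")
```

On this data the adversaries coefficient (t about 5.6) and the skill coefficient (t about -2.2) both stand out from zero, while the intercept (t about 0.6) does not.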
Next in line is market failure. It can be defined as a scenario in which free market mechanisms are not capable of allocating resources efficiently, so that some regulatory intervention is required to resolve the problem. Consider a market in which a private firm provides street lights. Since the use of street lights cannot be restricted to the specific users who have paid for them, there will be free riding: people who have not paid for the street lights will still use them. In this scenario the street lights will not be provided at all, because people will not be willing to pay for them when everyone has an incentive to get a free ride. Government intervention is therefore required, and the solution is for the government to handle the provisioning of the street lights. In the domain of cybersecurity a similar situation arises in the reporting of data breaches by companies. Companies are reluctant to report every data breach that occurs in their organisation, primarily for two reasons: it damages the organisation's reputation, and similar organisations can benefit from the report by becoming immune to that attack in several possible ways. The market fails here because there is no incentive for, or compulsion on, the organisation to report its data breaches. This is where government intervention comes in, by making it a law to report the data breaches that happen.
Incentive-based theories: These assume that individuals are more or less rational and take decisions in order to maximise their benefits. Contract theory, one of the most talked-about topics in economics nowadays, is also largely based on incentives and on the asymmetric information across the different parties involved in a contract, with the main aim of aligning their incentives.
This theory can be applied in cybersecurity as well, assuming that the criminals involved in cybercrime are also rational and also try to maximise their benefits when attacking. If it were possible to find out what incentives an attacker has to attack, an organisation could more easily work out the most probable points of attack for the different categories of threat agents. Moreover, an organisation could also frame its policies so that the incentives of attackers, especially insiders, become aligned with those of the organisation, and the probability of attack is minimised.
Conclusion:
This has been a brief excursion into the intersection of economics and cybersecurity. We believe there is huge potential for applying economic ideas and principles in the domain of information security, which has so far been largely unexplored. Such an interdisciplinary approach has the potential to generate significant benefits for both fields. For information security, it could lead to the creation of new, innovative frameworks and products that enhance the security posture of an entity.