Action, Inaction, Trust, and Cybersecurity's Common Property Problem

Karen Elliott, Fabio Massacci, Julian Williams

Research output: Contribution to journalArticlepeer-review

Abstract

Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing 'nothing' is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors' anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.

Original languageEnglish
Article number7397709
Pages (from-to)82-86
Number of pages5
JournalIEEE Security and Privacy
Volume14
Issue number1
DOIs
Publication statusPublished - 1 Jan 2016

Bibliographical note

Funding Information:
Acknowledgments: The authors gratefully acknowledge the support of the UK Technology Strategy Board grants Cloud Stewardship Economics and Trust Economics as well as the European Commission Seventh Framework Programme for Research and Technological Development project "SECONOMICS" grant agreement 285223.

Publisher Copyright:
© 2016 IEEE.

Keywords

  • cybersecurity
  • economics
  • fixed adjustment costs
  • real option value of delay
  • return on security investment
  • security
  • the public good aspect of security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering
  • Law

Fingerprint

Dive into the research topics of 'Action, Inaction, Trust, and Cybersecurity's Common Property Problem'. Together they form a unique fingerprint.

Cite this