Current Research and Future Directions
Just as security concerns
confidentiality, integrity, and availability, current research in cybersecurity
economics focuses on the economic value and implications of these
characteristics. The economics of cybersecurity is an emerging discipline. Its
novelty and multidisciplinarity mean that, as with any new area of
investigation, there is a scattering of information and much we do not yet
know.
Current research in
cybersecurity economics focuses on the interaction between information
technology and the marketplace. When we buy or use software, we are involved in
the market in several ways. First, the price we pay for software may depend on
how much we trust it; some consumers trust freeware far less than they trust a
branded, proprietary product for which they pay a substantial price. Second,
some companies use the "softness" of software to charge more or less,
depending on tradeoffs involving personal information. Third, the marketplace
can be manipulated to encourage vendors to reduce the number of flaws in their
products. In this section, we summarize the kinds of problems being addressed
by today's research and describe several open questions yet to be answered.
Economics and Privacy
Andrew Odlyzko is taking a
careful look at how economics and privacy interact, particularly with the
increased use of differential pricing. As the cost of storing and analyzing
data continues to decrease, businesses can easily capture data about customer
behavior. Practices such as differential pricing encourage customers to part
with personal information in exchange for lower prices. Many of us have
"affinity cards" at supermarkets, office supply stores, bookstores,
and more that give us special offers or discounts when we give the vendors
permission to capture our buying behavior. Businesses can also monitor where
and how we navigate on the web and with whom we interact. The differential
pricing also constrains and modifies our behavior, as when we purchase airline
or rail tickets online in exchange for lower fares than we would have paid by
telephone or in person. We consider the privacy impacts of data collection and
analysis in Chapter 10.
Economists
Alessandro Acquisti and Hal Varian have analyzed the market conditions under
which it can be profitable for an enterprise to use the privacy/pricing
tradeoff. Many researchers are interested in the balance among personal,
business, and societal costs and benefits.
On his web site, Acquisti
asks, "Is there a sweet spot that satisfies the interests of all
parties?"
Economics and Integrity
In Chapter 11 we discuss the pros and cons of sharing information
about known vulnerabilities. Many researchers are investigating the economic
tradeoffs.
Eric Rescorla explains that
because there are so many flaws in large software products, the removal of a
single flaw makes no real difference; a malicious actor will simply find
another flaw to exploit. He suggests that disclosure of a flaw's presence
before it is patched encourages the malicious behavior in the first place. However,
Ashish Arora, Rahul Telang, and Hao Xu argue in favor of disclosure. Their
models suggest that without disclosure, there is no incentive for software
vendors to find and patch the problems. Although disclosure increases the
number of attacks, the vendors respond rapidly to each disclosure, and the
number of reported flaws decreases over time. Interestingly, their analysis of
real data reveals that open source projects fix problems more quickly than
proprietary vendors, and large companies fix them more quickly than small ones.
Stuart Schechter examines how
market forces can be used to prevent or decrease vulnerabilities. He suggests
that economies establish markets where vulnerabilities can be traded. In such a
market, the price for exploiting a product's vulnerability would indicate to
consumers its level of security. Andy Ozment takes a similar, market-based
approach, applying auction theory to analyze how vulnerability markets could be
better run. He also discusses how such markets could be exploited by those with
malicious intent.
Economics and Regulation
There is always heated
argument between those who think the marketplace will eventually address and
solve its own problems, and those who want a government entity to step in and
regulate in some way. In security, these arguments arise over issues like spam,
digital rights management, and securing the critical information
infrastructure. Many researchers are investigating aspects of the cyber
marketplace to see whether regulation is needed.
Consider spam: If most people
had a highly effective spam filter, almost all spam would be filtered out
before it appeared in the inbox, so the usefulness of spam would be greatly
reduced to the sender and the volume of spam would drop. In a marketplace, when
some (but not all) members take an action that benefits everyone, the ones who
do not take the action are said to get a free
ride. For example, if most people are vaccinated for an illness, then those
who choose not to be vaccinated still benefit from the slowed progress of the
disease because the disease does not spread rapidly through the vaccinated
majority. In the same way, market regulation (requiring all users to employ a
spam filter) could rid the world of spam. But lack of regulation, or some degree
of free riding, might be good enough. Hal Varian has been investigating the
effects of free riding on overall system reliability.
Many researchers
investigating spam invoke economic models to suggest market-based solutions to
reducing unwanted electronic mail. For example, paying a small price for each
e-mail message (called a micropayment) would generate negligible charges for each
consumer but could stop cold the spammer who sends out millions of messages a
day.
A similar economic concept is
that of an externality. Here, two
people or organizations make a decision or enact a transaction, and a third
party benefits, even though the third party played no role. Geoffrey Heal and
Howard Kunreuther are examining security externalities, particularly where
security problems have optimal solutions (from a computing point of view) that
are not socially optimal. They are investigating the case in which there is a
threat of an event that can happen only once, the threat's risk depends on
actions taken by others, and any agent's incentive to invest in reducing the
threat depends on the actions of others.
Copyright and digital rights
management are frequent topics for regulatory discussion. Marc Fetscherin and
C. Vlietstra are examining the business models of online music providers,
particularly in how the price is determined for a given piece of music. They
show that the price is affected by buyers' rights (to copy and move to portable
players) as well as by geographic location and music label. Felix Oberholzer
and Koleman Strumpf have examined records of downloads and music sales, showing
that the downloads do no harm to the music industry.
This result is controversial,
and several papers present dissenting views. Hal Varian discusses the broader
problem of the effect of strict controls on innovation. He suggests that as
control increases, those who are uncomfortable with risk will stop innovating.
In general, cybersecurity economics researchers are investigating how to use market forces to encourage socially acceptable security behavior.