Cybersecurity, Stakeholders Incentives, Externalities and Policy Options
An Analysis by Abiodun Giwa
Introduction
“Information and communication technologies form a vast open ecosystem. The openness supports the innovative dynamics of the internet, but it also renders infrastructure and services vulnerable to attack,” Bauer, J., and Van Eeten, M., submit in their research paper “Cybersecurity, Stakeholders Incentives, Externalities and Policy Options.”
The paper infers that information security breaches are increasingly driven by fraudulent and criminal motives and that reducing the cost of breaches has become a pressing issue. The report, based on a meta study of a broad range of research, recommends solution options to avoid a potentially catastrophic security failure in the world information and communication system, one capable of a damaging impact on the global economy.
The paper’s highlights include efforts that have been devised toward effective solutions against cybercrime, but which are described as complicated and as offering no assurance of a solution, given the global nature of cyberspace, the interdependence of stakeholders, and the diversity and heterogeneity of the players.
Findings
Initially, security threats were viewed as mostly technological problems. However, over the years it has become evident that threats also involve economic issues and aspects of users’ behavior. The findings further show that viruses, worms and many other variants of malware have developed from a costly nuisance into sophisticated tools for criminals. As a result, as many as one in five to one in ten computers worldwide are infected with malware, and the owners of such machines are often unaware of it.
The pervasive presence of security threats has created concern among scholars and policy makers alike. The OECD Ministerial Summit in Seoul in 2008 addressed the issue, and the International Telecommunication Union (ITU) has developed an active cybersecurity agenda. The awareness is global. But the problem still seems to remain intractable.
The research finds that because information security comes at a cost, tolerating some level of insecurity is economically rational. It is noted that cybersecurity is provided mostly by private players, but that the costs and benefits deserve attention. The researchers were more interested in how the incentives that shape decentralized decisions on cybersecurity, and the incentives influencing security decisions by individual stakeholders such as ISPs, software vendors and users, have affected cybersecurity. Hence the recommendation that cybersecurity policy needs to begin from a clear and empirically grounded understanding of the nature of the problems before possible solutions can be devised.
Openness and Vulnerability
Information and communication technologies form a vast open ecosystem. The openness supports the innovative dynamics of the internet, but it also renders infrastructure and services vulnerable to attack, due primarily to the human element. Information security breaches are therefore driven by financial motives. There is a realm of cybercrime and a realm of information security. Cybercrime is a market in which players respond to price signals and other economic incentives, while others, such as “white hat” hackers and cyberterrorists, do not primarily pursue financial gain; their decisions are modelled as an optimization over non-financial goals. The fact that the truth, logic and forms of the underground economy around cybercrime are hardly known has made proffering solutions difficult. But more information is available on the market for information security.
The Players
To understand cybercrime, one must understand the players, the roles they play, their interdependence and the other factors that inform their roles, in order to grasp the complexity of the situation the world faces in the effort to address the growth of the cankerworm. The players are adjudged specialists and they act rationally. They are connected in one way or another, and the reduction in the cost of cybercrime has accentuated their activities. Denials, the dodging of responsibilities and the protection of their own interests against common goals have advanced the illicit business.
The ISPs
For example, the ISPs believed that emails are the personal property of recipients and that inspecting the content of the mails was a violation of privacy, leaving the protection of their own machines to end users. But faced with damage to their reputation as spam grew exorbitantly to constitute 80 percent of all emails, the ISPs began to filter emails and to handle customers’ security more seriously. There are rogue ISPs with business models based on shady deals, and there are commercial ISPs with legitimate businesses. There are laws that favor the ISPs and that make end users vulnerable.
Software
Software vendors work within a complex set of potentially conflicting incentives around vulnerability patching and the cost of patch development, testing and deployment. Because software is typically installed in many versions, configurations and contexts, the cost of patching is significant. The question thus arises whether investing in security upfront would not be preferable to patching. Many software vendors prefer security upfront. However, they are losing out because operations do not follow the provision of upfront security. There are several other incentive mechanisms that weaken efforts to provide security. For instance, software testing lengthens the time to market and increases the cost of software development. In industries with network effects and first-mover advantage, such delays may result in significantly reduced revenues over the product life cycle. Thus, the more competitive the software market segment, the less the incentive to improve security beyond a minimum threshold. Security is often in conflict with functionality, compatibility and users’ discretion over software configurations. In addition, hold-harmless provisions in software licenses and shrink-wrap license agreements largely relieve software vendors from liability for financial damages stemming from software flaws.
E-Commerce
E-Commerce comprises financial service providers, and these are high-priority targets for attackers. They face a choice in balancing enhanced security against the growth of their electronic business. They often compensate for losses incurred by their customers from phishing or other fraudulent actions as part of their overall security decision.
Users
Many individual users do not purchase security services, or do not use them even when they are offered for free by an ISP or a software vendor. They also regularly turn off their firewalls and virus scanners if these slow down certain uses such as gaming.
Emerging Patterns
Markets are reportedly not responding adequately. Many cyber criminals are organized in countries where the costs of engaging in cybercrime are low and law enforcement is weak or non-existent. Dire economic conditions shape the opportunity costs of engaging in cybercrime rather than in other gainful employment, and technological means enable criminals to operate swiftly across many national boundaries. Several countries have adopted laws against spam, but their effectiveness is sometimes questioned, because spam is still everywhere and constitutes an increasing nuisance in the mail system.
Solution versus Impediments
Everyone is worse off when decisions are taken in a non-cooperative fashion, and individual measures counteract and neutralize each other. Cybercrime can practically be reduced by increasing its cost and reducing its benefits, and by strengthening law enforcement via national legislation and multi-national and international treaties like the European Convention on Cybercrime, ratified by 23 countries and signed by 23 others.
Regulatory agencies like the Federal Communications Commission (FCC) in the United States are believed to be well positioned to play a very positive role in stemming the tide of cybercrime, based on the Australian collaborative experience, where the Australian Communications and Media Authority shared information with 59 ISPs to reduce the threat from botnets.
But aside from the criticism that the Australian collaboration lacked transparency, there is also widespread criticism that, although the regulatory agencies have the power to compel information from providers to enable better policies against cybercrime, the agencies would have to develop innovative, adaptive approaches, because existing administrative inertia and the potential rigidity of ex-ante regulation may render their efforts ineffective in addressing cybercrime.
Externalities
The benefits of information and communication technologies far outweigh the cost of cybercrime to society. It would have been better if there were no crime in cyberspace, but that can only happen in a society not inhabited by humans. We live in a society that is not free from crime. There is the crime of wars against one another and the crime of theft, in a society that cannot survive crime without adequate policing and all forms of surveillance. How do we expect cyberspace to be different?
Conclusion
The problem is not the technology, just as it has been empirically established that technology is not the cause of cybercrime, but human society itself and the downsides inherent in it. Just as all other crimes are being managed to reduce their impact on society, cybercrime is also being managed. However, the fight against cyber criminals must continue as presented in “Cybersecurity, Stakeholders Incentives, Externalities and Policy Options,” to discourage a further increase in the damage from cyber criminals and to avoid the worst that is possible.