The Web Science Trust

Securing Cyberspace: Realigning Economic Incentives in the ICT Value Net

van Eeten, Michel and Bauer, Johannes (2009) Securing Cyberspace: Realigning Economic Incentives in the ICT Value Net. In: Proceedings of the WebSci'09: Society On-Line, 18-20 March 2009, Athens, Greece.

PDF (Final Version), 125Kb
PDF (Presentation), 815Kb

Abstract

Malicious software (“malware”) has become a serious security threat for users of the Internet, whether they are large or small organizations or home users. Viruses, worms and the many other variants of malware have developed from a nuisance into sophisticated tools for criminals. Computers all across the world, some estimate as many as one in five to one in ten, are infected with malware, typically without the knowledge of the owner of the machine. Many of these infected machines are connected through botnets: flexible remote-controlled networks of computers that operate collectively to provide a platform for criminal and fraudulent purposes. These activities include, but are not limited to, the distribution of spam (the bulk of spam now originates from botnets), various forms of socially engineered fraud such as phishing and whaling, attacks on websites and entire nations, as well as many other forms of abuse such as “click fraud” and “malvertising”. The analytical perspectives of scholars and practitioners on malware have changed significantly in recent years. Rather than explaining security threats as predominantly technological problems, they are now increasingly understood as the outcomes of economic incentive structures and behavioral aspects. Our paper adopts an economic approach and analyzes in detail the relevant incentives of stakeholders in the information and communication technology (ICT) value net to provide for security, and the behavioral consequences of these incentives. Moreover, we explicitly recognize the interdependence between the underground market for cybercrime and Internet security issues.

Whereas the paper recognizes that the problem originates in criminal behavior, it also acknowledges that the magnitude and impact of the malware threat are influenced by the decisions and behavior of legitimate market players, such as Internet Service Providers (ISPs), software vendors, e-commerce companies, hardware manufacturers, registrars and, last but not least, end users. All of these market players are confronted with malware, but in very different ways. Consequently, they also face different costs and benefits when deciding how to respond to malware. In other words, they operate under different incentives. As information security comes at a cost, tolerating some level of insecurity is economically rational. From a societal perspective, a key question is whether the costs and benefits perceived by market players are aligned with the social costs and benefits, so that individual decisions also ensure an overall desirable outcome. This is not necessarily the case: in certain situations the security decisions of a market player regarding how to deal with malware may be rational for that player, given the costs and benefits it perceives, but the resulting course of action may impose costs (or benefits) on other market players or on society at large. Such costs (or benefits) are typically not taken into account by the market player making the initial decision. They constitute, in economic terms, an “externality”, an interdependence that is not reflected in the costs and benefits of a decision-maker. Externalities are forms of market failure that lead to sub-optimal outcomes. In the case of information security, externalities may result in Internet-based services that are less secure than is socially desirable, which may require the development of new policies to address these shortfalls. We set out to identify externalities by analyzing the incentives under which a variety of market players operate when dealing with malware.

The core of the paper is a detailed discussion of the outcomes of a qualitative empirical field study. In the course of 2007, we conducted 41 in-depth interviews with 57 professionals of organizations participating in networked computer environments that are confronted with malware. Interviewees represented a stratified sample of professionals from different industry segments and located in five countries (Australia, Germany, the Netherlands, United Kingdom, France, and the United States). Moreover, we interviewed experts involved in the governance of information security issues, such as Computer Emergency Response Teams and regulatory agencies. Based on this unique data, we identified the key incentives of ISPs, e-commerce companies (with a focus on financial service providers), software vendors, registrars and end users. The results indicate a number of market-based incentive mechanisms that contribute to enhanced security, but also other instances in which decentralized actions may lead to sub-optimal outcomes – i.e., where significant externalities emerge. A pressing question is whether the response to malware of actors in information and communication markets is adequate or whether improvements are possible. Pointing to a variety of reports that show increases in malicious attack trends, one might conclude that markets are not responding adequately. Our analysis revealed a more nuanced picture. With regard to the interrelationships within the information and communications-related activities, it seems that the incentives of many of the market players are reasonably aligned with minimizing the effects of externalities on the sector as a whole. The incentives typically have the correct directionality, but in a variety of cases they are too weak to prevent significant externalities from emerging. It is important to note, however, that all market players we studied experience at least some consequences of their security tradeoffs on others. In other words, there was a feedback loop that brought some of the costs imposed on others back to the agent that caused them – even if in some cases the force of the feedback loop has so far been too weak or too localized to move their behavior towards more efficient social outcomes.

Across the value net of the different market players, three relevant situations emerge:

(1) No externalities. This concerns instances in which a market player, be it an individual user or an organization, correctly assesses security risks, bears all the costs of protecting against security threats (including those associated with these risks) and adopts appropriate countermeasures. Private and social costs and benefits of security decisions are aligned. There may still be significant damage caused by malware, but this damage is borne by the market player itself. This situation would be economically efficient but, due to the high degree of interdependency in the Internet, it is relatively rare.

(2) Externalities that are borne by agents in the value net that can manage them. This concerns instances in which a market player assesses the security risks based on the available information but, due to the existence of (positive or negative) externalities, the resulting decision deviates from the social optimum. Such deviations may be based on a lack of incentives to take costs imposed on others into account, but they can also result from a lack of skills to cope with security risks, or from financial constraints faced by an individual or organization. As long as somebody in the value net internalizes these costs and this agent is in a position to influence them – i.e., it can influence the security tradeoffs of the agents generating the externality – then the security level achieved by the whole value net will deviate less from a social optimum than without such internalization. This scenario depicts a relatively frequent case, and numerous examples were found that confirm externalities were being internalized by other market players.

(3) Externalities that are borne by agents who cannot manage them or by society at large. An individual unit may correctly assess the security risks given its perceived incentives but, due to the existence of externalities, this decision deviates from the social optimum. Alternatively, an individual unit may not fully understand the externalities it generates for other actors. Unlike in scenario two, no other agents in the information and communication value net absorb the cost or, if they do, they are not in a position to influence these costs – i.e., to influence the security tradeoffs of the agents generating the externality. Hence, costs are generated for the whole sector and society at large. These are the costs of illegal activity or crime associated with malware, the costs of restitution of crime victims, the costs of e-commerce companies buying security services to fight off botnet attacks, the cost of law enforcement associated with these activities, and so forth. Furthermore, they may take on the more indirect form of slower growth of e-commerce and other activities. Slower growth may entail a significant opportunity cost for society at large if the delayed activities would have contributed to economic efficiency gains and accelerated growth. The most poignant cases in this category are the externalities caused by lax security practices of end users. Some of these externalities are internalized by other market players that can mitigate them, most notably ISPs that can quarantine infected end users, but only to a limited extent. ISPs have incentives to deal with these problems only insofar as they themselves suffer consequences from the end user behavior, e.g., by facing the threat that a significant part of their network gets blacklisted.

Estimates mentioned in the interviews suggest that the abuse notifications that ISPs receive concern only a fraction of the overall number of infected machines in their network. Consequently, a large share of the costs of poor security practices of end users is borne by the sector as a whole and society at large. These externalities are typically explained by the absence of incentives for end users to secure their machines. It would be more precise, however, to argue that the end users do not perceive any incentives to secure their machines, in part due to insufficient information. While malware writers have purposefully chosen to minimize their impact on the infected host and to direct their attacks at other targets, there is also a plethora of malware which does in fact attack the infected host – most notably to harvest personal information that can be used for financial gain. In that sense, end users do have a strong incentive to secure their machines. Unsecured machines cannot differentiate between malware that does or does not affect the owner of the machine. If the machine is not sufficiently secured, then one has to assume that all forms of malware can be present. The fact that this incentive is not perceived by the end user is an issue of incomplete information rather than a lack of incentives.

We conclude the paper with an exploration of policy recommendations. We found many feedback loops which mitigate the externalities arising from security-reducing behavior. All market players we studied experience such feedback, which potentially brings their tradeoffs closer into alignment with the social optimum. We also noted, however, that in many cases these feedback loops are too weak or too localized to effectively change the security tradeoffs from which the externalities emerge. In terms of policy development, a key strategy would be to strengthen the existing feedback loops and create new ones where possible. That would also keep public policy out of the realm of having to decide how secure is secure enough when it comes to defending against malware.

Item Type: Conference or Workshop Item (Paper)
Uncontrolled Keywords: cybersecurity, cybercrime, malware, security incentives, cybersecurity policy
Subjects: Web Science Events > Web Science 2009
ID Code: 171
Deposited By: W S T Administrator
Deposited On: 24 Jan 2009 08:45
Last Modified: 25 Oct 2011 16:51


Web Science Repository is powered by EPrints 3, which is developed by the School of Electronics and Computer Science at the University of Southampton.