Improving Information Security: Policy Options
Eduardo Rodriguez-Montemayor, INSEAD eLab
Digital Agenda Assembly 2012, June 21, 2012
Session: Improving internet security through economic incentives

What is Internet Security?
We focus on information security: browser, network and mobile security.
What are the consequences of a lack of information security?
• For people: online identity theft is the primary way cyber criminals steal money from consumers.
• For corporations: corporate espionage, intellectual property theft, denial of service, etc.
• For countries: critical infrastructure protection, e.g. the power grid or chemical refineries.

Why is internet security good for societies?
It avoids the direct costs of information security breaches:
• Companies, monetary costs: direct loss for firms due to fraud; prevention and repair costs; legal liabilities.
• Companies, non-monetary costs: brand damage / loss of reputation; loss of intellectual property.
• Society at large, monetary costs: direct loss for individuals due to fraud; prevention and repair costs.
Internet security also has indirect implications for the economy, e.g. reduced trust in electronic transactions damages economic growth.

Why is internet security good for economic growth?
Two causal chains:
• Information security -> online payments security -> use of e-commerce and online transactions -> economic growth.
  Demand side: new markets / wider product mix.
  Supply side: supply-chain efficiency / higher productivity.
• Information security -> intellectual property protection -> more innovation -> economic growth.

Information Security Ecosystem
The ecosystem comprises:
• Attackers
• Internet Service Providers (ISPs)
• Software vendors
• E-commerce stakeholders: payments firms, banks
• End-users: people, companies
The central choice for each participant: invest in security vs. share information.

Why is internet security difficult to achieve?
Technology barriers:
• Measurement of security: it is impossible to define quantitative standards.
• Adaptation: cyber attackers identify weaknesses in existing security.
• High costs of standardization: systems vary a lot from company to company.
• Uneven readiness: differences in technical/financial readiness to support security.
Economic barriers:
• Information asymmetries and lack of relevant data to drive security investment: some sectors underreport incidents (e.g. banks do not reveal fraud losses), while other sectors exaggerate risks (e.g. security vendors).
• Mis-aligned incentives: the person or firm responsible for protecting the system is not the one who suffers when it fails, so risks are poorly allocated.
• Externalities and socially optimal security investment: users' inaction on security investment imposes costs on others, so the costs and benefits faced by individual users do not reflect the social costs and benefits.
• Externalities in inter-dependent security decisions: a user taking protective measures creates positive externalities for others, who in turn may "free-ride" and reduce their own investments.

Individual actions derived from externalities and misaligned incentives yield sub-optimal security levels.
Policy Options: which one is more cost effective?
Option A: focus on improving the security of users and providers by re-aligning incentives for investing in information security.
• Legal / regulatory:
  • Subsidies, or penalties for violations of regulations
  • Legislation that clarifies the liability for cyber incidents: indirect intermediary liability (e.g. credit card companies); liability for software vendors
• Economic:
  • Cyber-insurance markets
  • Market for vulnerabilities
• Information sharing:
  • Mandatory disclosure of fraud losses and security incidents (of users and providers)
  • CERTs
  • Diffusion of best practices
  • Disclosure of the source code for critical software components
Option B: focus on combating "attackers".
• Law enforcement / severity of punishments
• Measures that increase the costs of fraud and crime

There are many research questions to answer before determining the best policy options for improving cyber-security. For each policy option, the points to take into account:
• Mandatory disclosure of fraud losses and security incidents:
  • There is a need for a central clearinghouse for breach reports.
  • Negative impacts on companies (stock market implications) vs. benefits to society.
  • This policy could be counter-productive in the financial sector.
  • Information sharing alliances yield more benefits in more competitive industries.
• Liability for software vendors / developers:
  • Potential negative effects on innovation.
• Cyber-insurance:
  • Insurance companies could reward security investments by lowering the premiums for less risky actors, which encourages security investment.
  • Patching may be cheaper.
  • Entities on the Internet face information security risks that are correlated, which damages the feasibility of the insurance industry.
• Market for software vulnerability detection:
  • It may lead to a "race" for vulnerability discovery between identifiers and hackers.
  • Non-participants may be more exposed to attacks.
  • Regulatory guidelines are needed for proper disclosure of information.

Research Agenda
Enforcement vs. improving the security of users: which is more cost effective?
• Identify how users' valuation of security varies by industry.
• Identify the motivations of attackers and the trends in types of mass and targeted attacks.
More investment in security vs. information sharing:
• Identify how the benefits of sharing information vary across industries and across levels of competition and inter-dependence.
• Identify the optimal level of security by industry: in banking, is it better to compensate affected people than to improve security?
• Identify the impact of online payment risks on the usage of payment systems and e-commerce.
Beyond information security:
• Consumer protection
• Intellectual property rights in online open communities, etc.

At INSEAD eLab we are measuring the cross-country maturity of online and mobile payments systems.
Pillars of a mature online payments ecosystem:
• Infrastructure
  • Security technologies
  • Internet penetration
  • Mobile proliferation
• Business sophistication
  • Security awareness / compliance with standards
  • Security investments
  • Information sharing
• Governance
  • Data protection policy and enforcement
  • Customer protection policy
In short: information security + consumer protection.