Economics and Internet Security: A Survey of Recent Analytical, Empirical, and Behavioral Research
Citation: Moore, Tyler and Ross Anderson. 2011. Economics and Internet Security: A Survey of Recent Analytical, Empirical, and Behavioral Research. Harvard Computer Science Group Technical Report TR-03-11.
Abstract: An economic perspective has yielded invaluable insights into the analysis and design of information security mechanisms. Systems often fail because the organizations that defend them do not bear the full costs of failure. This simple insight has profound consequences for a growing number of industries, and it extends to dependability as well as security. For instance, utilities reduce direct, measurable costs by routing control messaging over the Internet; this can raise the risk of service failure, whose costs are mainly borne by its customers. Another example comes from anti-virus software; since infected machines often cause trouble for other machines rather than their owners, expenditures on protection tend to be suboptimal. Online crime is growing rapidly; for example, the most recent British Crime Survey shows that more than twice as many citizens now fall victim to fraud each year as to traditional acquisitive crime such as house burglary and vehicle theft. There is no purely technical solution to growing vulnerability and increasing crime: law must allocate liability so that those parties in a position to fix problems have an incentive to do so. But at present it frequently does not; and this policy gap is widening as systems become global and acquire a myriad of competing stakeholders. In this survey, we discuss the economic challenges facing information security in greater detail: misaligned incentives, information asymmetries and externalities. We then describe several key areas of active research: modeling attack and defense, breaches of personal information, the burgeoning underground markets for online criminal services, and the security of the payment system. We also describe the state of the art using three broad approaches: theoretical, empirical and behavioral analysis. Finally, because economic analysis has revealed significant barriers to the provision of information security, policy must play a role in any fundamental improvements. So we discuss proposed policy interventions. Researchers can make a significant impact by informing the policy debate in critical areas – which we try to identify.
Citable link to this page: http://nrs.harvard.edu/urn-3:HUL.InstRepos:23574266
- FAS Scholarly Articles