No. 81 - The Economics of Cybersecurity
Communications & Strategies - 16/03/2011
1st quarter 2011
Cybercrime, cyberterrorism, and cyberwar are apocalyptic horsemen of the information age. Business leaders regularly name information security as the biggest challenge facing them in the future. Information security breaches entail direct and indirect costs to businesses and individuals that are affected and to society at large. [...]
This special issue aims to contribute to a blossoming field that has changed our understanding of security issues. The papers in this special issue reflect state-of-the-art thinking on the economics of cybersecurity and responses by public policy and non-governmental action.
| Reference | Language | Support | Nbr of pages | Price |
|---|---|---|---|---|
| CS81 |  | PDF | 207 |  |
| CS81 |  | paper | 207 | 240 Euros 100 euros excl. VAT |
Dossier
The economics of cybersecurity
Edited by Loretta ANANIA, Johannes M. BAUER & Michel VAN EETEN
Introduction to the Economics of Cybersecurity Johannes M. BAUER & Michel VAN EETEN
Papers
Between Awareness and Ability: Consumers and Financial Identity Theft Nicole S. van der MEULEN
The Impact of Public Information on Phishing Attack and Defense Tyler MOORE & Richard CLAYTON
Is Security Lost in the Clouds? Marjory S. BLUMENTHAL
Might Governments Clean-up Malware? Richard CLAYTON
Cybersecurity at European level: The Role of Information Availability Fabio BISOGNI, Simona CAVALLINI & Sara DI TROCCHIO
Negotiating a New Governance Hierarchy: An Analysis of the Conflicting Incentives to Secure Internet Routing Brenden KUERBIS & Milton L. MUELLER
Interviews
Keith BESGROVE, Chairman of the OECD Working Party on Internet Security and Privacy
Evert Jan HUMMELEN, Head of the division Internet Security at OPTA
Other paper
Volunteer Computing Model Prospects in Performance Data Gathering for Broadband Policy Formulation Chanuka WATTEGAMA & Nilusha KAPUGAMA
Features
Use Logics Digital Confidence: Users Point of View Sophie LUBRANO
Book Review
Philip M. NAPOLI, Audience Evolution New Technologies and the Transformation of Media Audiences By Richard HAWKINS
Daniel LE METAYER (Ed.), Les technologies de l'information au service des droits : opportunités, défis, limites (Putting Information Technology at the Service of Rights: Opportunities, Challenges, Limitations) By Isabelle POTTIER
Author biographies
Events
- 2nd ITS PhD Seminar (Budapest)
- TPRC - 39th Research Conference (Arlington, Virginia)
- Conference in Honor of Professor Emeritus Lester D. Taylor (Jackson Hole, Wyoming)
- DigiWorld Summit 2011 (Montpellier) - Will the device be king?
- Creation of CEPS-based Digital Forum
Dossier: The economics of cybersecurity
Between Awareness and Ability: Consumers and Financial Identity Theft Nicole S. van der MEULEN Key words: Financial identity theft, consumers, information security, public awareness campaigns.
The role consumers play in the facilitation of financial identity theft is an important topic of discussion. Academics often side with consumers and recognize them as victims rather than facilitators. Others, both in the public and the private sector, believe consumers play a more prominent role in the facilitation of financial identity theft. This is particularly apparent through the popularity of public awareness campaigns. Neither of these accounts manages to reflect the complexity of the overall picture. The following article demonstrates how the role consumers play is continuously changing as a result of the evolution of methods used by perpetrators of identity theft. This evolution requires a different response from both the public and the private sector as consumers lose more control over their potential indirect facilitation of financial identity theft.
The Impact of Public Information on Phishing Attack and Defense Tyler MOORE & Richard CLAYTON Key words: security economics, online crime, phishing, transparency.
Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal. In this paper, we study the use of search engines to locate potentially vulnerable hosts. We present empirical evidence from the logs of websites used for phishing to demonstrate attackers' widespread use of search terms which seek out susceptible web servers. We establish that at least 18% of website compromises are triggered by these searches. Many websites are repeatedly compromised; however, the root cause of the vulnerability is not addressed. We find that 17% of phishing websites are recompromised within a year, and the rate of recompromise is much higher if they have been identified through web search. By contrast, other public sources of information about phishing websites actually lower recompromise rates. We find that phishing websites placed onto a public blacklist are recompromised less often than websites only known within closed communities. Consequently, we conclude that strategic disclosure of incident information can actually aid defenders if designed properly.
Is Security Lost in the Clouds? Marjory S. BLUMENTHAL Key words: Cloud, privacy, security, cybersecurity, data.
"The cloud" can apply to different kinds of services (typically differentiated as platform-as-a-service, infrastructure-as-a-service, and software-as-a-service), and it is the subject of rampant hype about its benefits. This paper draws on extensive readings from the literature (technical, business, and policy) and consultations with a wide range of experts over the past two years. Intended to provide a counter to the cheerleading and a framework for more balanced consideration of public cloud services, in particular, it begins with an exercise in accentuating the negative. In particular, it lays out various ways in which the cloud might be seen as a new platform for malice. The paper enumerates key issues, including kinds and sources of risk (vulnerabilities and threats) associated with providers and/or users and implications for trustworthiness in cloud contexts, as well as the prospects for new technology to counteract apparent sources of risk. It addresses different cloud contexts, and it argues for leveraging cloud concerns to rethink fundamental issues about the nature, handling, and protection of data (which may be stored or processed in the cloud - or not).
Might Governments Clean-up Malware? Richard CLAYTON Key words: malware, cybersecurity, security economics.
End-user computers that have become infected with malware are a danger to their owners and to the Internet as a whole. Effective action to clean-up these computers would be extremely desirable, yet the incentives conspire to dissuade ISPs (and others) from acting. This paper proposes a role for government in subsidising the cost of clean-up. The organisations that tender for the government contract will factor in not only the costs of the clean-up, but also the profits they can make from their new consumer relationships. A model is proposed for what the tender price should be – and, by plugging in plausible values, it is shown that the cost to the tax payer of a government scheme could be less than a dollar per person per year; well in line with other public health initiatives.
Cybersecurity at European Level: The Role of Information Availability Fabio BISOGNI, Simona CAVALLINI, Sara DI TROCCHIO Key words: cybersecurity, information lacking, risk assessment, investment behaviour, European cybersecurity policy.
This paper aims to analyse the cybersecurity issue, taking into account the investment behaviour of operators managing ICT infrastructures and providing ICT services and trying to investigate which kind of actions must be implemented to increase their security level. The main finding is that information availability plays a key role in the cyber-risk assessment for ICT operators and is also critical for improving the cybersecurity behaviour of other ICT stakeholders. From the ICT operator perspective, lack of information affects the real perception of cyber-threat occurrence, the vulnerability of his system and the potential loss in case of cyber-attack. As ICT systems have to be regarded as a network of different actor categories, regulation efforts at the European level should focus on spreading information among all ICT stakeholders in order to reduce failures of the cybersecurity market. Virtuous behaviour of other ICT stakeholders may increase the level of cybersecurity also by reducing the current lack of information on cyber-attacks of ICT operators and pushing their investments.
Negotiating a New Governance Hierarchy: An Analysis of the Conflicting Incentives to Secure Internet Routing Brenden KUERBIS & Milton L. MUELLER Key words: routing, internet addresses, security, RPKI, ICANN, Regional Internet Registries, ISPs.
New security technologies are never neutral in their impact; it is known that they can alter power relations and economic dependencies among stakeholders. This article examines the attempt to introduce the Resource Public Key Infrastructure (RPKI) to the Internet to help improve routing security, and identifies incentives various actors have towards RPKI implementation. We argue that RPKI requires ISPs to achieve security at the expense of autonomy, requires all actors to trade off simplified global compatibility and centralization of power, and affects the policies and business models of the Regional Internet Registries and their relationship to the Internet Corporation for Assigned Names and Numbers. While the Internet remains a space where authority is highly distributed, elements of hierarchy do exist, especially around critical resource allocation, and it is likely that security and other concerns will lead to continuing efforts to leverage those hierarchies into more powerful governance arrangements.
Other paper
Volunteer Computing Model Prospects in Performance Data Gathering for Broadband Policy Formulation Chanuka WATTEGAMA & Nilusha KAPUGAMA Key words: Broadband, quality of service, volunteer computing.
The recent unprecedented growth of telecom facilities has offered the Internet users in most Asian countries a flavour of broadband. Yet, despite rosy promises by telcos, the user experience has often been less than ideal. These challenges can only be overcome by right policy decisions based on evidences. Thus, monitoring the broadband Quality of Service Experience (QoSE) becomes more than an attempt to ensure quality delivery and create a basis for policy formulation. The first approach to monitoring QoSE is the regulator reaching deep into the innards of the telecom network to install monitoring equipment and taking remedial actions, specified under the licenses or the governing statute, when the data indicate below-standard performance. Dearth of financial and human resources can be the key challenge in such a direct approach. The second approach is based largely on user activism, where educated users voluntarily contribute their time and computing resources towards building a performance database which in turn will be used in creating the bigger picture. A comprehensive methodology to benchmark Broadband Quality of Service Experience (QoSE), based on the latter approach has been developed jointly by LIRNEasia and TeNet group of Indian Institute of Technology (IIT) Madras. This methodology uses AT-Tester, an open source based software tool to monitor all crucial QoSE broadband metrics over a longer period, on both week days and week days covering peak as well as off peak traffic. The traffic is also monitored within segments, ISP, local and international. The methodology adapts the concept of Volunteer Computing (or Public Service Computing). The paper analyses how this approach could be used in broadband policy formulation.
The Editors
Loretta ANANIA: After receiving her Ph.D. from the Massachusetts Institute of Technology in 1990 with a thesis on Network Planning in the Information Society, Loretta Anania joined the European Commission. She was active in the RACE programme, in the Future & Emergent Technologies unit, and is currently responsible for search engine R&D in the Networked Media unit. She was twice elected as Chair of the International Telecommunications Society Board.
Johannes M. BAUER is a Professor in the Department of Telecommunication, Information Studies and Media at Michigan State University where he is also the Director of Special Programs of the Quello Center for Telecommunication Management and Law at Michigan State University. Dr. Bauer joined Michigan State University in 1990 after receiving his doctorate in economics from the Vienna University of Economics and Business Administration, Vienna, Austria. He taught and researched as a visiting professor at the Delft University of Technology, the Netherlands (academic year 2000-2001), the University of International Business and Economics in Beijing, China (May 2002), and the University of Konstanz, Germany (summer 2010). bauerj@msu.edu
Michel J.G. VAN EETEN is Professor of Public Administration at the Faculty of Technology, Policy and Management, Delft University of Technology, the Netherlands. He also teaches in several programs for executive education at the Netherlands School of Public Administration in The Hague. His recent research has been focused on the governance of infrastructures, most notably on the issue of internet security. He has also published on the reliability of electricity, telecommunication and transportation networks. In addition to his work on infrastructures, he has an enduring interest in the role of symbolic language in politics and policy. Recent work as a policy analyst includes advice on the economics of cybersecurity for the Dutch Ministry of Economic Affairs, the United Nations International Telecommunications Union and the OECD.
The interviewees
Keith BESGROVE works at OECD. He is the First Assistant Secretary, Consumer Policy and Post division of the Australian Department of Broadband, Communications and the Digital Economy. Keith is responsible for programs which provide access to broadband communications in rural and remote regions, consumer policy, and cyber security issues relating to small business and home users. He is also the current chair of the OECD's Working Party on Information Security and Privacy, a position which he has held for the past three years. Keith has an extensive background in communications and cybersecurity policy issues and played a leading role in the establishment of the OECD Anti-Spam Taskforce.
Evert Jan HUMMELEN is deputy head of the department Consumers, Numbers and Chair's Office at OPTA (Independent Post and Telecommunications Authority). He has been working for OPTA since 2003. He is currently responsible for the Internet Security Team at OPTA after being a member of that team since 2009. Before that he has been enforcing market parties' compliance with obligations OPTA poses in case they hold a significant market power.
The authors
Fabio BISOGNI is Member of the Board at FORMIT Foundation and Head of Research and Innovation area. Responsible for the management of international projects on different topics: Critical Infrastructures and Crisis Management, Policy support, Innovation and International academic cooperation. He is a certified Tax accountant and auditor and an Economist with an Executive Master in ICT Engineering. In the past he worked for the Fraunhofer Institute IPK in Berlin, for Ernst & Young management consultants in Rome, and for CNH in Italy and UK in the field of Business development and Management Systems.
Marjory S. BLUMENTHAL joined Georgetown University in August 2003 as Associate Provost, Academic. Her responsibilities are broad, notably including leadership in strengthening the sciences and science and technology policy at Georgetown. She teaches, advises students, and consults on Internet and cybersecurity policy, areas where she continues to pursue personal research. Between July 1987 and August 2003, Marjory built and served as Executive Director of the National Academies' Computer Science and Telecommunications Board (CSTB; http://cstb.org). She designed, directed, and oversaw collaborative study projects and symposia on technical and policy issues in computing and telecommunications. Marjory is the principal author and/or substantive editor of numerous books and articles. She is a member of the Advisory Board of the Pew Internet & American Life Project and the Center for Strategic and International Studies Commission on Cybersecurity; she chairs the External Advisory Board of the Center for Embedded Networked Sensing at UCLA; and she is a RAND adjunct and an Office of Naval Research grantee. She did her undergraduate work at Brown University and her graduate work at Harvard University.
Simona CAVALLINI is researcher in economics and Project Coordinator in the Research and Innovation Area at FORMIT Foundation. She obtained a degree in economics on financial markets and institutions in 2002, a Master degree in Economics in 2003 and she attended the first two years course of a Ph.D. in Economics working on topics related to innovation. During the past years, she has coordinated research activities in different EU projects on socio-economic impacts related to disruption of critical infrastructures. She is interested in economics of security including optimal investment analysis, market failures in a security context and policy definition.
Richard CLAYTON worked in the UK ISP industry until 2000 when he returned to the University of Cambridge to study for a Ph.D. He has remained as an academic, doing security economics research in the Computer Laboratory. He is currently engaged in a three year collaboration with the National Physical Laboratory (NPL) to develop robust measures of Internet security mechanisms.
Sara DI TROCCHIO is Ph.D. Candidate of the Law and Economics doctoral Programme of the University of Siena. After her undergraduate studies in Economics at University La Sapienza in Rome, she collaborated on national and international research projects mainly focused on the analysis of economic incentives aimed at encouraging information sharing in competitive environments. Among the others, she contributed as FORMIT Foundation consultant to the research activities on economics of security and resilience in critical communications and information infrastructures. Her research interests are mainly focused on law and economics, antitrust and industrial organization, economics of Information security and energy market.
Richard HAWKINS is a political economist specializing in innovation and research policy issues. Currently he is Professor and Tier 1 Canada Research Chair in the Social Context of Technology in the Faculty of Communication & Culture at the University of Calgary, and Senior Fellow at The Centre for Innovation Studies (THECIS). He holds BA and MA degrees from Simon Fraser University (Canada), and a DPhil from the University of Sussex (UK).
Nilusha KAPUGAMA is Research Manager at LIRNEasia. Nilusha is currently working on the LIRNEasia project Knowledge Based Economies (KBE), conducting research on two identified agriculture value chains in Sri Lanka on the potential to increase its efficiency, inclusiveness and the use of ICTs. She is also involved in assisting with the evaluation of LIRNEasia projects through the use of outcome mapping and Utilisation Focused Evaluation (UFE). She has worked on the LIRNEasia project, Broadband Quality of Service Experience (QoSE) while managing LIRNEasia's capacity building programme, CPRsouth. Prior to joining LIRNEasia, She worked as project intern at the Institute of Policy Studies, Sri Lanka, on projects relating to the telecom industry. She has also worked as an intern at the Standard Chartered Bank, Sri Lanka. Nilusha obtained her Masters in Development Economics and Policy from the University of Manchester in September 2007. nilusha@lirneasia.net
Brenden KUERBIS is a doctoral candidate at Syracuse University's School of Information Studies, where he researches Internet governance, particularly with regard to the standardization and policy concerning Internet infrastructure security. He is a regular contributor to the Internet Governance Project Blog, a widely read source for coverage and analysis of the management of critical Internet resources and political economy of global Internet policy.
Sophie LUBRANO is Senior Consultant at IDATE. She is specialised in demand analysis, particularly in the area of consumer applications. Sophie also contributes her expertise in supply analysis, notably companies' Internet service strategies. Her assignments focus on various aspects of the telecom industry: Internet, media, landline and mobile telephony. Prior to joining IDATE, Sophie was an economic consultant for B.I.P.E., where she was in charge of telecom market monitoring. She is an economist, with a post-graduate degree from ESLSCA (Ecole Supérieure Libre des Sciences Commerciales Appliquées). s.pernet@idate.org
Nicole van der MEULEN completed her studies in Political Science in 2006 before embarking on a Ph.D. in law at Tilburg University. She recently finished her dissertation to obtain her doctoral degree, and is currently working as a consultant for the Centre of Expertise in The Hague, an independent foundation concerned with issues relating to ICT and management in the public sector. Her research interests remain in the area of cybercrime and cybersecurity, which is illustrated through her current assignment as member of the knowledge centre of GOVCERT.NL, the Dutch Government Computer Emergency Response Team. n.van.der.meulen@hec.nl
Tyler MOORE is a postdoctoral fellow at Harvard University's Center for Research on Computation and Society. His research interests include the economics of information security, the study of electronic crime, and the development of policy for strengthening security. Moore completed his Ph.D. in Computer Science at the University of Cambridge, supervised by Professor Ross Anderson. His Ph.D. thesis investigated cooperative attack and defense in the design of decentralized wireless networks and through empirical analysis of phishing attacks on the Internet. Moore has also written reports for ENISA and the US National Academy of Sciences detailing policy recommendations for improving cyber security. He is a 2004 Marshall Scholar.
Milton L. MUELLER teaches and does research on the political economy of communication and information at Syracuse University's School of Information Studies. He has a longstanding interest in the history of communication technologies and global governance institutions. His new book Networks and States: The global politics of Internet governance (MIT Press, 2010) provides a comprehensive overview of the political and economic drivers of a new global politics. Mueller received the Ph.D. from the University of Pennsylvania in 1989.
Isabelle POTTIER is attorney-at-law and head of the research and publications department of the law firm Alain Bensoussan; she has particular expertise in drafting studies on the assessment and legal protection of new technologies as well as on electronic evidence and archival.
Chanuka WATTEGAMA is an Independent Policy Researcher and Consultant. His expertise is in telecom policy and regulations, ICT for Development, Development Economics, Disaster Risk Reduction and Development Evaluation. Chanuka previously worked as the Senior Research Manager at LIRNEasia (http://www.lirneasia.net), an Asian think tank on policy and regulation. An Electronics Engineer by profession, he has completed his Master of Business Administration (MBA) degree from University of Colombo. At LIRNEasia, Chanuka led two projects. The first one was an attempt to test a new user centric broadband Quality of Services Experience (QoSE) in South Asia. Mobile 2.0 explored the emergence of more than voice mobile applications in Asia and conditions that facilitate. His work also involved studying cell broadcasting for disaster management and Telecom Regulatory Environment analysis of Indonesia. Chanuka has also worked as Program Specialist ICT4D at United Nations Development Program (UNDP) Asia-Pacific Development Information Program (APDIP) out-posted to Colombo Regional Center's Millennium Development Goals (MDG) Initiative. His focus was to use Information and Communication Technology (ICTs) for poverty reduction and achievement of the MDGs. chanuka@lirneasia.net