MARKET - Economics - Cyber Security - Introduction and Basics
Economics of Cyber-Security as Research Field
The economics of cyber-security applies principles of economics to the analysis of cyber-security problems. The main focus is strategic decisions under incomplete information faced by rational market players (firms, consumers) in situations, where the goal is to protect an information system and its contents from harm. The field also covers the analysis of market mechanisms and market failures as well as the economic impact of regulation on the level of cyber-security.
Cyber-security models include as players firms and consumers, but sometimes also government and third-party players (hackers, etc.). A good share of the literature is devoted to the modelling cyber-crime and cyber-security investment decisions. Other works are devoted to the measurement of cybercrime costs, the modelling cyber-insurance and the welfare effects of critical incidence information sharing among firms.
Get an overview of the research field.
Economic Incentivization of Cyber-security
An economic incentive is an inducement that leads to an action or behavior, which is rendering a (positive) payoff for the actor. Payoffs are outcomes of cost-benefit trade-offs. A rational actor seeks the optimal choice by maximizing payoff. In economics, utility functions model cost-benefit trade-offs and therefore represent the preferences of actors. Where the outcomes of choices are uncertain, risk or ambiguity are introduced into the decision model.
If a payoff is positive, it is a reward that provides an incentive for a specific action. If a payoff is negative, it is a penalty that acts as disincentive.
Payoffs can be solely monetary, but can also involve non-monetary psychological costs and benefits. For example, if a computer system is compromised and the stolen data are used to commit a financial crime, the damaged party suffers a monetary loss. However, if the security incident is made public through the media, the targeted firm also suffers a reputational damage. Such reputational effects may severely impair (or not) trust that customers place in the firm’s security procedures. Table 1 provides a generic overview of the costs and benefits associated with the adoption of privacy and cyber-security technologies.
Tab. 1 Potential Costs versus Benefits of Privacy and Cyber-security Investments
|Personnel costs (set up of new in-house teams, external tiger teams, etc.)||
Decrease in security incidents and
|Acquisition costs (security hardware, software, consultancy services)||Reduction in costs of liability for breaches|
|Administrative costs||Increase in trust of customers|
|In-house R&D||Increase in company reputation|
|Opportunity costs*||Reduction in switching of disgruntled customers to competitors|
|Protection from unfair competition (industrial espionage)|
|Increase in compliance (if a security duty of care is mandatory)|
Read more on cyber-security decision-modelling.
Cyber-Security Markets and Market Players
The cyber-security market is a physical or virtual place, where demand and supply for cyber-security products and services meet. A company is a player in the cyber-security market, if it actively offers at least one product (or a portfolio of cyber-security products or services) in the cyber-security market. Ideally, the main share of revenue of a firm would be associated with the sale of cyber-security products and/or services. If a company's main share of revenues is attributable to cyber-security (or privacy), it can be considered to be part of the cyber-security industry.
Players that are active in the ICT market are not automatically firms with a separately identifiable portfolio of cyber-security products and services. So while all cyber-security firms are active in the ICT, the reverse does not hold. This means that not all firms that are active in ICT are also active in cyber-security.
Moreover, there are large and very large companies that are primarily active in completely different areas, such as defense, air and space systems (examples are Boing, Raytheon and Lockheed Martin). These companies are neither ICT companies nor purely cyber-security companies, but they are important players in the cyber-security industry.
Fig. 1 The Cyber-security Industry as Embedded Industry
Source: Jentzsch (2015).
There is an increasing number of cyber-security industry studies published. They vary in terms of industry or market definitions, range of countries covered, time frames of survey, and survey methodologies, among other key aspects. An overview for the interested reader is provided here.
Some of the players in the cyber-security markets are end-to-end providers of cyber-security solutions. End-to-end providers offer solutions that combine software, hardware and services. There are also many specialized firms that are only active in one specific segment, such as IT security consultancy services or encryption providers (see also Figure 2).
Fig. 2 Providers of Cyber-security Solutions
Source: Jentzsch (2015).
For a full-scale dependency analysis, one would need to do a horizontal analysis (see also market analysis), as well as a vertical analysis.
Economic and Technological Dependencies
Many security solutions used by industries in Europe are sold by companies that have their head quarter located outside of the European Union. A full-scale analysis of economic and technological dependencies needs to identify these players, and analyze the main customers (especially critical infrastructure organizations) as well as the security solutions sold. It needs to then also identify European alternatives. If there are none, the technological dependency can be rated as fairly high.
Economics of Cybercrime and Data Black Markets
In the past, a number of grey markets (where legality is unclear) or black markets (outright illegal) have developed. On these markets, different products and services are offered and peddled. There are markets for hacking tools and exploits, stolen personal data (e.g. credit card information), as well as for botnet capacities.
The economics of cybercrime and data black markets typically looks at the laws of demand and supply in these markets as well as the trade-offs made by market participants. Although the economics of cybercrime was not part of the IPACSO research spectrum, the author of these websites has put together an information sheet on different studies from Norton, McAfee, Verizon and PayPal, see this Table.
Jentzsch, N. (2015) State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.
Jentzsch, N. (2015) Horizontal and Vertical Analysis of Privacy and Cyber-security Markets, IPACSO - Innovation Framework for ICT Security Deliverable 4.2A.