MARKET - Economics - Cyber Security - Overview of the Research Field
State-of-the-art: Overview of the Research Field
The economics of cyber-security is an active research field, where academics apply principles and tools of economics to the analysis of cyber-security problems. At the center of focus are strategic decisions under incomplete information faced by rational market players in situations, where the goal is to protect an information system and its contents from harm. The field also covers the analysis of market mechanisms and market failures as well as the economic impact of regulation on the level of cyber-security.
The following Table gives the interested reader a short-cut overview of the research field and the different security problems in the focus of the authors. It separates the field into five areas:
- Game-theoretic approaches to cyber-security (incl. discussions of market failures)
- Experimental and psychological research
- Victim Studies (incl. psychological research)
- Methodological advances
- Other research
Game-theoretic approaches to cyber-security : Game-theoretical models in the economics of cyber-security are preoccupied with situations of attacker-defender or with modelling markets for supply and demand for Botnet services. Other works are devoted to the analysis of risk sharing or information sharing among market participants, as well as the modelling of their security decisions.
Experimental and psychological research: This research uses methods of experimental economics of experimental computer science in order to study the behavioral elements of cyber-security or privacy decisions. Especially interesting are new approaches such as the infiltration of Botnets. Other authors study the behavioral aspects of security-decision making in individual users.
Victim Studies: This line of research was separated, as it especially focuses on the impact of data breaches and cyber-crime on the victims of it. Methods used for this research are often interviews as well as surveys, in which persons explain how they became a victim and the financial and psychological damages they suffered.
Methodological advances and other research: In this field, the focus is on finding new methods and further developing existing ones in order to better measure cyber-crime, for example. Other research that cannot be summarized into one of the aforementioned fields is devoted to testing the effect of data breaches on stock prices, for example.
Table 1 Overview of the Research Field of Cyber-security Economics
| Line of Research | Explanation | Authors |
| Game-theoretic Approaches to Cyber-security (incl. Discussions of Market Failures) | ||
| Attacker-defender models |
Weakest link game – security depends on the weakest link in the system (i.e. minimum effort)1 Best shot game – System security depends on the maximum effort exerted Total effort game – System security depends on total effort of all participants Network games – Network economics of cyber crime |
Böhme and Moore (2010); Grossklags et al. (2008a, 2008b); Johnson et al. (2011); Nagurney et al. (2013) |
| Economics of Botnets | This research formalizes economic models of Botnets, i.e. the underground market for Botnets, where there is a demand and supply of Botnet services |
Bensoussan et al. (2010); Li et al. (2009) |
| Cyber-insurance models | These works assess how cyber-insurance affects IT security and welfare of players, including conditions for taking on insurance. Other risk-sharing mechanisms among players are analysed as well | Shetty et al. (2010); Gordon et al. (2003a) |
| Security investment models | These papers analyse problems of interdependent security and characterize equilibria of rational players | Gordon and Loeb (2002); Kunreuther and Heal (2003) |
| Information sharing models | These works focus on how to improve cyber-security through sharing of critical incidence information among competitors | Gal-Or and Ghose (2005); Gordon et al. (2003b) |
| Experimental and Psychological Research | ||
| Privacy breaches | This experimental research is related to breaches of consumer privacy simulated in the laboratory | Feri et al. (2013) |
| Behavioural cybercrime analytics | One article conducts the infiltration of an existing Botnet to analyse spam conversions. Other works focus on psychological characteristics of computer fraudsters or apply SN analysis of cybercrime (interviews of card fraudsters in forum) |
Kanich et al. (2008); Rogers et al. (2006); Yip (2012) |
| Security decision-making | This research uses experiments in order to explore user behaviour with respect to security decisions or the response of users’ security behaviour to framing |
Caputo (2011); Grossklags et al. (2008b); Hess and Holt (2007); Rossof et al. (2013) |
| Victim Studies (incl. Psychological Research) | ||
| Psychological impact of identity theft | This research uses interviews/surveys to study the patterns of identity theft as well as the financial and psychological impact on victims |
Anderson et al. (2008); Pontell et al. (2008); Van Vliet and Dicks (2010) |
| Measurement of consumer reactions / vulnerability | These works are focused on the consumers perceptions and reactions to cyber-crime and surveys of who is vulnerable to fall for phishing | Böhme and Moore (2012); Sheng et al. (2010) |
| Methodological Advances | ||
| Measurement of cybercrime* | These works are focused on the methodological question of how to measure cyber-crime | Anderson et al. (2012) |
| Other research | ||
| Data breach notifications and share prices | These works concentrate on the impact of data breaches announced on the stock prices of companies |
Campbell et al. (2003); Muntermann and Roßnagel (2009) |
Notes: This literature overview notes works identified by the author, it is not a complete list of research works in the field. * The measurement of cybercrime is a topic of almost every industry report, these are not specifically listed here. 1 The original papers are Hirshleifer (1983) and Van Huyck et al. (1990). Here, recent articles with a specific focus on information security are quoted
Back to MARKET
IPACSO Publications:
Jentzsch, N. (2015) State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.
Jentzsch, N. (2015) Horizontal and Vertical Analysis of Privacy and Cyber-security Markets, IPACSO - Innovation Framework for ICT Security Deliverable 4.2A.
Literature list:
Anderson, R., C. Barton, R. Böhme, R. Clayton, M. van Eeten, M. Levi, T. Moore, and S. Savage (2012). Measuring the cost of cybercrime. WEIS 2012 presentation.
Anderson, K.B., E. Durbin, and M.A. Salinger (2008). Identity Theft. Journal of Economic Perspectives 22 (2), 171–192.
Bensoussan, A., M. Kantarcioglu, C. H. SingRu (2010). A Game-Theoretical Approach for Finding Optimal Strategies in a Botnet Defense Model. Decision and Game Theory for Security, Lecture Notes in Computer Science Volume 6442, 2010, pp. 135-148.
Böhme, R. and T. Moore (2012). How do consumers react to cybercrime? In APWG eCrime Researchers Summit (eCrime), October 2012.
Böhme, R. and T. Moore (2010). The iterated weakest link. IEEE Security & Privacy, 8(1): 53-55.
Caputo, D.D. (2011). Leveraging Human Behavior to reduce Cyber-security Risk: Spear-fishing Study Design, Results and Discussion, Presentation, http://www.thei3p.org/docs/events/humanbehaviourworkshop1011/deannaspearphishing.pdf
Campbell, K., L. Gordon, M. Loeb, and L. Zhou (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11(3):431–448, 2003.
Feri F., C. Giannetti, and N. Jentzsch (2013). Disclosure of Personal Information under Risk of Privacy Shocks, Working Papers wp875, Dipartimento Scienze Economiche, Universita di Bologna.
Gal-Or, E. and A. Ghose (2005). The Economic Incentives for Sharing Security Information, Information Systems Research 16(2): 186–208.
Gordon, L.A., Loeb, M., Sohail, T. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM 46(3), 81–85.
Gordon, L.A., M.P. Loeb (2002). The economics of information security investment. ACM Transactions on Information Systems Security 5(4), 438–457.
Grossklags, J., N. Christin, J. Chuang (2008a). Predicted and Observed User Behavior in the Weakest-Link Security Game. Proceedings of the 2008 USENIX Workshop on Usability, Psychology, and Security (UPSEC'08), April 2008.
Grossklags, J., N. Christin, J. Chuang (2008b). Secure or Insure? A Game-Theoretic Analysis of Information Security Games. Proceedings of the 17th International World Wide Web Conference (WWW'08), April 2008.
Hess, R., C. Holt, and A. Smith (2007). Coordination of strategic responses to security threats: Laboratory evidence. Experimental Economics, 10(3):235-250.
Johnson, B., J. Grossklags, N. Christin, J. Chuang (2011). Nash Equilibria for Weakest Target Security Games with Heterogeneous Agents. Proceedings of the 2nd International Conference on Game Theory for Networks (GameNets 2011), April 2011.
Kanich, C., C. Kreibich, K. Levchenko, B. Enright, G.M. Voelker, V. Paxson, S. Savage (2008). Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Proceedings of ACM Conference on Computer and Communications Security (CCS), 3–14. ACM Press.
Kunreuther, H. and G. Heal (2003). Interdependent Security, Journal of Risk and Uncertainty 26 (2-3): 231-249.
Li, Z., Q. Liao, A. Siegel (2008). Botnet Economics: Uncertainty Matters, Workshop on the Economics of Information Security, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.139.7141
Muntermann, J. and H. Roßnagel (2009). On the Effectiveness of Privacy Breach Disclosure Legislation in Europe: Empirical Evidence from the US Stock Market, in: Lecture Notes in Computer Science , A. Jøsang, T. Maseng and S. Knapskog (eds.), Springer Berlin / Heidelberg, 1-14.
Nagurney, A., Wayne Burleson, Mila Sherman, Senay Solak, and Chris Misra (2013). Network Economics of Cyber Crime with Applications to Financial Service Organizations, University of Massachusetts Amherst, Massachusetts 01003, INFORMS Annual Meeting, Minneapolis, Minnesota, October 6-9, 2013, http://supernet.isenberg.umass.edu/visuals/INFORMS_Cybercrime_Nagurney.pdf
Pontell, H.N, G.C. Brown, A. Tosouni (2008). Stolen Identities: A Victim Survey. Crime Prevention Studies, 23, pp. 57-85.
Rogers, M.K., K. Seigfried, K. Tidke (2006). Self-reported computer criminal behavior: A psychological analysis, Digital Investigation 3: 116-120.
Rosoff, H., Cui, J., Richard J.S. (2013). Heuristics and biases in cyber-security dilemmas. Environment Systems and Decisions 33 (4): 517–529.
Shetty, N., G. A. Schwartz, M. Felegyhazi, and J. Walrand (2010). Competitive cyber-insurance and internet security, in T. Moore, D. Pym, and C. Ioannidis, editors, Economics of Information Security and Privacy, pp. 229-247, Springer-Verlag.
Van Vliet, K., and J. Dicks (2010). The psychological impact of identity theft: Preliminary findings of a qualitative study. Mimeo, University of Alberta.
Yip, M., N. Shadbolt, T. Tiropanis and C. Webber (2012). The digital underground economy: a social network approach to understanding cybercrime. In: Digital Futures 2012 - The Third Annual Digital Economy All Hands Conference, Aberdeen, GB, 23 - 25 Oct 2012.
