Economic Incentive Schemes
An economic incentive is an inducement (motivation) that leads the actor to a specific action or behavior. The implementation of such an inducement is called “incentivization”: the creation of a positive payoff for the actor, be it a firm or a consumer. Incentivization – a term borrowed from economics – has recently become a buzzword. It is often used in political discussions around cyber-security without a clear understanding of what exactly constitutes an incentive. In the following, some light is shed on economic incentivization and economic incentive schemes.
An incentive is a positive outcome (payoff) of a rational cost-benefit trade-off an actor is facing. The rational actor seeks the optimal choice by maximizing his/her payoff. In economics, utility functions model cost-benefit trade-offs and represent the preferences of actors, which are not directly observable.
See more on decision models in the cybersecurity decision model section.
If you want to know more on formalizing an idea, you can go here.
Outcomes of choices are by no means always certain. If they are not, risk or ambiguity becomes part of the calculation. In general, payoffs come in different forms: pecuniary payoffs increase the economic wealth of the player; non-pecuniary payoffs render psychological or knowledge effects, which might indirectly contribute to present well-being and future economic welfare.
Fig. 1 Overview of Different Types of Incentives
Incentive schemes can work with one type of incentive or with a combination of them. For instance, whereas tax reductions primarily affect the earnings of an actor, a whistleblower platform impacts on reputation and with some likelihood also the business of a firm (if customers are lost due to a data scandal).
In the context of the IPACSO project, two approaches can be identified:
- Economic incentivization schemes for improvement of cyber-security and privacy
- Economic incentivization schemes for the increase of innovation in cyber-security and privacy
Economic Incentive Schemes for the Cyber-security and Privacy Industry
Implementation of economic incentives to improve cybersecurity and privacy is a hot topic. In essence, the rationale is that a well-designed incentive scheme will change the cost-benefit trade-offs of firms and consumers in a way that they are inclined to more effectively protect their information systems and data assets. Moreover, another strand of the discussion revolves around greater incentivization of innovation in the cyber-security and privacy domain.
Table 1 lists the incentive schemes discussed with industry stakeholders within the IPACSO project.
Tab. 1 Economics Incentive Schemes for Cyber-Security and Privacy
|Incentive scheme|Description|
|---|---|
|Public procurement and security|The public sector typically chooses the cheapest provider of service, where cyber-security does not play a major role. Legislation should change to more actively demand secure products and services.|
|Public procurement and privacy requirements|The EU should have as a funding requirement the explicit consideration of data protection in any Big Data, Internet of Things, Open Data or other project. Proposals ignoring data protection should not obtain funding.|
|Tax reductions|In order to incentivize investments in cyber-security products and services, adequate tax reductions for such investments could be implemented.|
|Whistleblowing platform / Whistleblower protection|A secure whistleblowing platform could facilitate the discovery of security breaches and data leaks. Moreover, it would increase the risk for firms that security-relevant information is leaked and could therefore incentivize investments in security.|
|Liability design|For companies that can demonstrate that they have been diligent in their risk management, there could be a reduction in the liability for security breaches.|
|Access to advanced training|If a company invested in cyber-security technologies and procedures, it could obtain priority access to advanced training.|
|Funding of innovation and development activities|The EU could shift the focus of innovation funds from privacy and privacy-enhancing technologies to personal data empowerment in order to improve the incentives of consumers to more actively manage personal data.|
|Reward and strengthen activities such as cyber-exercises|In order to obtain a change in the behavior of firms, (international) cyber-exercises should be expanded and should also be accessible to SMEs.|
Source: Jentzsch (2015: 21) with modifications by the same author.
The stakeholder interviews conducted within the IPACSO project showed that the above incentive schemes are judged differently in terms of their effectiveness. Whereas the industry finds public procurement an effective tool, opinions are divided over the subject matter of liability and the effectiveness of a whistleblower platform.
Research Group on the Economics of Security
Note that an internationally well-known research group (Prof. Ross Anderson, Prof. Rainer Böhme, Richard Clayton and Tyler Moore) has published a very comprehensive report on economic cyber-security incentive schemes entitled "Security Economics and the Internal Market". IPACSO did not intend to replicate their work. The main recommendations are listed below:
- Recommendation #1: Enact an EU-wide comprehensive security-breach notification law
- Recommendation #2: The Commission (or ECB) should regulate to ensure the publication of robust loss statistics for electronic crime
- Recommendation #3: ENISA should collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs
- Recommendation #4: The EU should introduce a statutory scale against ISPs that do not respond promptly to requests for removal of infected machines, coupled with a right for users to have disconnected machines reconnected by assuming full responsibility
- Recommendation #5: EU should develop and enforce standards for network-connected equipment to be secure by default
- Recommendation #6: The EU should adopt a combination of early response vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle up
- Recommendation #7: Security patches should be offered for free and kept separate from feature updates
- Recommendation #8: The EU should harmonize procedures for the resolution of disputes between customers and payment service providers over electronic transactions
- Recommendation #9: The European Commission should prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online markets
- Recommendation #10: ENISA should conduct research (...) to study what changes are needed to consumer protection law as commerce moves online
- Recommendation #11: ENISA should advise the competition authorities whenever diversity has security implications
- Recommendation #12: ENISA should sponsor research to better understand the effect of IXP failures
- Recommendation #13: The European Commission should put immediate pressure on the 15 Member States that have yet to ratify the Cybercrime Convention
- Recommendation #14: Establishment of an EU-wide body charged with facilitating international cooperation on cyber-crime using NATO as model
- Recommendation #15: ENISA should champion the interests of the information security sector within the Commission to ensure that regulations introduced do not inadvertently harm researchers and firms
This report can be downloaded here.
A presentation covering the report can be downloaded here.
Economic Incentive Schemes for Innovation in the ICT Industry
The OECD reports that the share of innovative enterprises in the ICT industry is far higher than in any other industry (OECD 2014: 108). This holds for both ICT manufacturers and IT service providers. Moreover, the organization reports that ICT companies are most likely to combine different modes of innovation, such as product and/or process innovation with marketing innovation.
The OECD reports that information sector businesses are leading across all types of innovation activities, and that the ICT sector is among the most R&D intensive, see Figure 2 (showing R&D expenditure as a percentage of value added and of total BERD).
Still, there is a lively debate in Europe on how to best stimulate creativity and innovation activity in companies in the cyber-security and privacy domain.
Fig. 2 R&D intensity and contribution to total BERD by industry in the OECD (2011)
Source: OECD estimates based on OECD, ANBERD Database, www.oecd.org/sti/anberd, June 2014.
Methods to Stimulate Innovation
There are different methods to stimulate creativity and innovation at the firm-level. Innovation is in general defined as “the implementation of a new and significantly improved product (good or service) or process, a new marketing method, or a new organizational method in business practices, workplace organization or external relations.” (OECD 2005: 46).
Innovation is the successful implementation of a creative idea within an organization, as the authors Charness and Grieco (2014: 5) write. They quote others stating that creativity, by contrast, is the generation of a novel and useful idea in any domain.
Innovation surveys in Europe typically ask questions about the adoption of practices that are intended to stimulate creative processes that lead to product or process innovation. Figure 3 shows that the share of ICT manufacturing and ICT service firms adopting such techniques is far higher than the share of adopting firms in other industries.
Fig. 3 Methods to stimulate creativity across 22 European countries in the information industries vs. other industries (2010)
Percentage of innovators by method and industry
Source: OECD estimates based on OECD, June 2014.
With the IPACSO framework, companies can formalize their innovation practices and apply the latest tools for innovation facilitation. Innovation policies, however, should not only use and document the right techniques, but also incentivize creativity better. The original source of an idea is documented neither in brainstorming sessions nor in multi-team tasks. Moreover, financial incentives are not applied by a large share of companies.
If you want to know more about incentivization of innovation, go to the documents section and look for D4.3.