introduction and basics

  • MARKET - Economics - CYBER SECURITY - Introduction and Basics



    Economics of Cyber-Security as Research Field

    The economics of cyber-security applies principles of economics to the analysis of cyber-security problems. The main focus is on strategic decisions under incomplete information faced by rational market players (firms, consumers) in situations where the goal is to protect an information system and its contents from harm. The field also covers the analysis of market mechanisms and market failures as well as the economic impact of regulation on the level of cyber-security.


    Cyber-security models include firms and consumers as players, but sometimes also government and third-party players (hackers, etc.). A good share of the literature is devoted to the modelling of cyber-crime and cyber-security investment decisions. Other works are devoted to the measurement of cybercrime costs, the modelling of cyber-insurance and the welfare effects of critical incident information sharing among firms.

    Get an overview of the research field.



    Economic Incentivization of Cyber-security

    An economic incentive is an inducement that leads to an action or behavior that yields a (positive) payoff for the actor. Payoffs are outcomes of cost-benefit trade-offs. A rational actor seeks the optimal choice by maximizing payoff. In economics, utility functions model cost-benefit trade-offs and therefore represent the preferences of actors. Where the outcomes of choices are uncertain, risk or ambiguity are introduced into the decision model.


    If a payoff is positive, it is a reward that provides an incentive for a specific action. If a payoff is negative, it is a penalty that acts as a disincentive.

    Payoffs can be solely monetary, but can also involve non-monetary psychological costs and benefits. For example, if a computer system is compromised and the stolen data are used to commit a financial crime, the damaged party suffers a monetary loss. However, if the security incident is made public through the media, the targeted firm also suffers reputational damage. Such reputational effects may severely impair (or not) the trust that customers place in the firm’s security procedures. Table 1 provides a generic overview of the costs and benefits associated with the adoption of privacy and cyber-security technologies.


    Tab. 1 Potential Costs versus Benefits of Privacy and Cyber-security Investments

    Costs | Benefits
    Personnel costs (set up of new in-house teams, external tiger teams, etc.) | Decrease in security incidents and cybercrime losses
    Acquisition costs (security hardware, software, consultancy services) | Reduction in costs of liability for breaches
    Administrative costs | Increase in trust of customers
    In-house R&D | Increase in company reputation
    Opportunity costs* | Reduction in switching of disgruntled customers to competitors
     | Protection from unfair competition (industrial espionage)
     | Increase in compliance (if a security duty of care is mandatory)


    Read more on cyber-security decision-modelling.



    Cyber-Security Markets and Market Players

    The cyber-security market is a physical or virtual place where demand and supply for cyber-security products and services meet. A company is a player in the cyber-security market if it actively offers at least one product (or a portfolio of cyber-security products or services) in that market. Ideally, the main share of revenue of a firm would be associated with the sale of cyber-security products and/or services. If a company's main share of revenues is attributable to cyber-security (or privacy), it can be considered to be part of the cyber-security industry.

    Players that are active in the ICT market are not automatically firms with a separately identifiable portfolio of cyber-security products and services. So while all cyber-security firms are active in ICT, the reverse does not hold: not all firms that are active in ICT are also active in cyber-security.

    Moreover, there are large and very large companies that are primarily active in completely different areas, such as defense, air and space systems (examples are Boeing, Raytheon and Lockheed Martin). These companies are neither ICT companies nor purely cyber-security companies, but they are important players in the cyber-security industry.



    Fig. 1 The Cyber-security Industry as Embedded Industry


    Source: Jentzsch (2015).


    There is an increasing number of cyber-security industry studies published. They vary in terms of industry or market definitions, range of countries covered, time frames of survey, and survey methodologies, among other key aspects. An overview for the interested reader is provided here.

    Some of the players in the cyber-security markets are end-to-end providers of cyber-security solutions. End-to-end providers offer solutions that combine software, hardware and services. There are also many specialized firms that are only active in one specific segment, such as IT security consultancy services or encryption providers (see also Figure 2).

    Fig. 2 Providers of Cyber-security Solutions


    Source: Jentzsch (2015).


    For a full-scale dependency analysis, one would need to do a horizontal analysis (see also market analysis), as well as a vertical analysis.


    Economic and Technological Dependencies

    Many security solutions used by industries in Europe are sold by companies that have their headquarters located outside of the European Union. A full-scale analysis of economic and technological dependencies needs to identify these players, and analyze the main customers (especially critical infrastructure organizations) as well as the security solutions sold. It then also needs to identify European alternatives. If there are none, the technological dependency can be rated as fairly high.


    Economics of Cybercrime and Data Black Markets

    In the past, a number of grey markets (where legality is unclear) or black markets (outright illegal) have developed. On these markets, different products and services are offered and peddled. There are markets for hacking tools and exploits, stolen personal data (e.g. credit card information), as well as for botnet capacities.

    The economics of cybercrime and data black markets typically looks at the laws of demand and supply in these markets as well as the trade-offs made by market participants. Although the economics of cybercrime was not part of the IPACSO research spectrum, the author of these websites has put together an information sheet on different studies from Norton, McAfee, Verizon and PayPal, see this Table.



    IPACSO Publications:

    Jentzsch, N. (2015) State-of-the-Art of the Economics of Cyber-Security and Privacy, IPACSO - Innovation Framework for ICT Security Deliverable 4.1.

    Jentzsch, N. (2015) Horizontal and Vertical Analysis of Privacy and Cyber-security Markets, IPACSO - Innovation Framework for ICT Security Deliverable 4.2A.

  • MARKET - Economics - PRIVACY - Introduction and Basics



    Introduction to the Economics of Privacy

    The economics of privacy applies tools of economics to the analysis of privacy problems. These problems can either be related to a generic form of privacy or to personal privacy. Privacy is generic if it is related to an imbalance in the information distribution or publicity of the data, i.e. one market participant holds information in private that the other does not have. Privacy is personal if it is linked to one specific individual who is identified or identifiable.

    Personal privacy relates to the discrimination power of information, i.e. to the power of singling an identifiable or identified individual out of an anonymous mass. For personal privacy it is important that individuals hold private information that is connected to their identity (Jentzsch et al. 2012).

    Conversely, anonymity is the state of not being identifiable within a set of subjects, the so-called anonymity set (Pfitzmann and Köhntopp 2000).

    The economics of privacy focuses on incentives and actions of firms and consumers with respect to personal data. At the core are the positive or negative welfare effects arising from the disclosure of personal data. Privacy economics focuses on the trade-offs of actors, their strategies, as well as market outcomes and market failures.

    The research field also includes questions of competition that arise if firms start to personalize products or services and/or prices, while facing consumers that are heterogeneous in privacy preferences. The economic impact of government regulation is analysed as well.


    Personal Data: A Peculiar Good?

    Personal data could be a peculiar good, because the combination of certain characteristics leads to complex economic problems. Compared to traditional goods, personal data has been described as an 'intangible asset' (OECD 2013: 10). It has the following properties:


    • Intangibility: personal information is not bound to a specific medium, but can be stored in different media;


    • Divisibility: personal information can be shared (i.e. two or more persons may hold the same piece of information);


    • Non-rivalry: If one person consumes the information, the informational content is not reduced and another person can consume it as well. Information is not a scarce resource in the traditional sense, but the material it is bound to is scarce;


    • Non-excludability: Once information is produced (collected), it is difficult to perfectly exclude others from using it;


    • Identity-relation: Personal information reveals either completely or partially the (psychological) identity. It then introduces psychological effects that alter the utility function of individuals compared to the standard utility under anonymity; and


    • Information externalities: The combination of different pieces of information can give rise to inferences (about income, intelligence, etc.). Moreover, externalities exist where the revelations of others impact on an individual’s welfare.


    These properties give rise to a number of problems once information is traded in a market environment.


    The Legal Concept of Personal Data

    The current legal definition of personal information is stated in Article 2 of the EU Data Protection Directive:

    (...) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
    This definition clearly states that personal data must be related to an identified or identifiable natural person.



    The Economic Concept of Personal Data

    The state of personal privacy arises with an asymmetric distribution of personal data between market participants, where one side privately holds personal information. Privacy is therefore a relationship of asymmetric distribution of personal data between market players.

