Cyber Security: Are Economic Incentives Adequate?

  • Scott Dynes
  • Eric Goetz
  • Michael Freeman
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 253)

Protecting national critical infrastructure assets from cyber incidents is an important challenge. One facet of this challenge is that the vast majority of the owners and operators of critical infrastructure components are public or private companies. This paper examines the threats faced by for-profit critical infrastructure entities, the incentives and drivers that influence investment in cyber security measures, and how policy initiatives might influence cyber preparedness in critical infrastructure entities.

Keywords: Information security, economic incentives, government policy


Business Process, Information Security, Systemic Risk, Critical Infrastructure, Security Investment



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Scott Dynes (1)
  • Eric Goetz (1)
  • Michael Freeman (2)
  1. Dartmouth College, Hanover, USA
  2. Department of Defense Analysis, Naval Postgraduate School, Monterey, USA
