Cyber Security: Are Economic Incentives Adequate?
Protecting national critical infrastructure assets from cyber incidents is an important challenge. One facet of this challenge is that the vast majority of the owners and operators of critical infrastructure components are public or private companies. This paper examines the threats faced by for-profit critical infrastructure entities, the incentives and drivers that influence investment in cyber security measures, and how policy initiatives might influence cyber preparedness in critical infrastructure entities.
Keywords: Information security, economic incentives, government policy
Keywords: Business Process, Information Security, Systemic Risk, Critical Infrastructure, Security Investment