Neha Ramesh,  Research co-ordinator

Economics of Cybersecurity

National security is often regarded as a conical public good. Are all members of society equally covered under this especially in the cyber realm? Security and defence experts claim that the Cyberworld could be the ‘5th Dimension’ of warfare. With the growing number of technological advances, some profit from misusing the technology for personal gain. Why do breaches happen when there are technological solutions to prevent them? Is the cost of providing said security more than a possible loss from breach of information?


You would think that tech companies and banking and financial institutions would not take risks while handling your personal information and other confidential information you divulge to them, however, the numbers may differ. Companies often compare the possible loss from a breach and the possibility of breach against the cost of having adequate security infrastructure. The risks associated with cyber-attacks are real and the reality has not reached all the sectors of society.


Any expert in the field of information security would argue that there is clear price discrimination in the availability of good security measures. Price discrimination is economically efficient but socially controversial. In the USA, banks are generally liable for the costs of card fraud; when a customer disputes a transaction, the bank must either show that she is trying to cheat or refund her money. In the UK, the banks had a much easier ride: they generally got away with claiming that the ATM system was ‘secure’, so a customer who complained must be mistaken or lying. “Lucky bankers,” you might think; yet UK banks spent more on security and suffered more fraud. How could this be? It appears to have been what economists call a moral-hazard effect: UK bank staff knew that customer complaint would not be taken seriously, so they became lazy and careless. This situation led to an avalanche of fraud.


The software industry tends toward dominant firms thanks to the benefits of interoperability. Economists call this a network externality or the law of large numbers: a network, or a community of software users, is more valuable to its members the larger it is. This not only helps explain the rise and dominance of operating systems, from System/360 through Windows to Symbian, and of music platforms such as iTunes; it also helps explain the typical pattern of security flaws. Put simply, while a platform vendor is building market dominance, he has to appeal to vendors of complementary products as well as to his direct customers; not only does this divert energy that might be spent on securing the platform, but security could get in the way by making life harder for the competitors. So platform vendors commonly ignore security in the beginning, as they are building their market position; later, once they have captured a lucrative market, they add excessive security to lock their customers in tightly.


Exposing and debating vulnerabilities can have damaging effects of its own but in a world of deep fakes and cyber phishing attacking even the most esteemed members of society, a debate is necessary. The erosion of personal data and a lack of privacy increases substantially with the rise in technology. Despite the existence of privacy-enhancing technology, it has surprisingly not hit the market place; economic thought suggests that it is because of wanting to charge different prices for similar services. Privacy reduces the chance of price discrimination.


We have discussed how many information security failures are caused by incentive failures, for example where the people who guard a system aren’t the people who suffer when it fails. Externalities make many security problems somewhat like environmental pollution; some aspects of information security are public goods, like clean air and water. Externalities also play a key role in determining which security products succeed in the market, and which fail. We started the discussion with the understanding that national security is a public good. Now we acknowledge how skewed that benefit truly is. In this piece, I hoped to expose some security risks that can be mitigated by applying the basic principles of economics.

Leave a Reply

Your email address will not be published. Required fields are marked *