July 30, 2013

Economic aspects of Internet security

The security of the Internet depends on the behaviour of both infrastructure providers and end users. We show that there are several reasons why these parties have insufficient incentives to invest in cyber security.

Under which conditions will markets provide solutions for cyber-security issues, and what can governments do when markets fail to do so? This CPB Background document provides an overview of market failures that are potentially important for security on the Internet.

There are at least three reasons why markets might fail to deliver an optimal level of security on the Internet: information asymmetry, externalities and market power. Information asymmetry might occur in various situations. For example, end users are not able to verify whether an Internet Service Provider (ISP) correctly informs its customers about its security performance. This uncertainty makes end users reluctant to pay for security. For ISPs, this means that their investments in cyber security do not give them an advantage over competitors; additional security will only increase costs.

When markets fail due to information asymmetry, governments can intervene by enforcing transparency. This can be done by mandating the disclosure of cyber security incidents, by requiring certification or by setting minimum security standards.

Externalities might also be a reason for insufficient investments in security. Often, only part of the benefits of investments in security accrue to the investor. For example, improvements in the security of an ISP’s services will also benefit customers of other ISPs. When externalities are strong, governments may promote cyber security by subsidizing the use of secure technology or by setting minimum cyber-security standards. Temporary policy measures will suffice for the promotion of the adoption of safer communication protocols.

Market power, a third type of market failure, can also lead to suboptimal Internet security. Large international network providers with low security performance feel little pressure from ISPs and other peering partners to improve their security levels as they are “too-big-to-block”. Governments might impose minimum security standards in order to improve security. International coordination would be required for these standards to be enforceable.

An economic perspective on Internet security is useful not only for identifying weak spots, but also for finding solutions to security problems. In time, economics may prove to be indispensable for making the Internet a safer place.



Henk Kox
Bas Straathof