The economics of cybersecurity: Boomerang effects from misaligned incentives
The paper under review is dedicated to the simulation of historical cases of poor information security decisions. Externalities such as misaligned incentives, which make third parties pay for bad information security, are tough barriers to overcome, and a number of regulatory options have been proposed to address them. However, the claim that misaligned incentives merely affect third parties is not the whole truth. Security systems are complex not only in the sense of being composed of many interdependent parts; the most challenging part of their complexity lies in the propagation of effects, which results in highly unexpected, counterintuitive dynamic behavior. A pattern that recurs often is “policy resistance”: the “policy” (that is, the action or intervention) misfires or backfires, because the propagation of effects causes unintended consequences that compromise or even oppose the policy's intended outcome. The paper presents a detailed analysis of information security cases in which placing the responsibility for bad security on a third party does backfire. The preliminary literature review has so far identified 9 such cases. The first objective of the work is to develop qualitative system dynamics diagrams for the identified scenarios. To build a diagram I start by identifying all the instances (variables) of the problem and arrange them in a closed feedback loop. Then, for every relation in the feedback loop, I define whether the preceding instance increases or decreases the value of the following one. The result is a diagram that shows all the system components and their interdependencies, including indirect ones. Each diagram has two feedback loops: one representing the intended consequences and the other the unintended ones. Once I have obtained enough quantitative details about the incidents that occurred, I build quantitative system dynamics models.
The benefit of these models is that they can be simulated from any set of initial conditions and thus show the system state over time. Since one purpose of this work is education, I further implement them as online simulation models that allow students to test different strategies and gain insight into misaligned incentives and their impact on security. In the final part of my thesis I draw conclusions on proper security treatment: I show how important it is, for each security decision, to consider not only the direct consequences but also the side effects that, because of time delays, remain unknown for a long time. I provide clear evidence that the unintended consequences of shifting responsibility to a third party will strongly backfire over time.
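The two steps described above, building a qualitative diagram from signed links and then simulating a quantitative model over time, can be made concrete in a few dozen lines. The following is an added example, not a model from the thesis or one of its 9 cases: the variable names, the link polarities, the assumed mechanism (own controls eroding once liability sits with a third party) and every numeric parameter are constructed to illustrate the "policy resistance" pattern, with a fast intended loop and a slow, delayed unintended loop.

```python
"""Causal-loop polarities and a delayed-feedback simulation of "policy resistance".

Constructed example: the variable names, link polarities and numeric parameters
below are illustrative assumptions, not the thesis's own cases or models.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Link = Tuple[str, str]  # a causal link src -> dst


@dataclass
class CausalLoopDiagram:
    """Qualitative system dynamics diagram: variables joined by signed links.

    A polarity of +1 means the preceding variable increases the following one,
    -1 means it decreases it.
    """
    links: Dict[Link, int] = field(default_factory=dict)

    def add(self, src: str, dst: str, polarity: int) -> None:
        if polarity not in (1, -1):
            raise ValueError("polarity must be +1 or -1")
        self.links[(src, dst)] = polarity

    def path_effect(self, path: List[str]) -> int:
        """Sign of the indirect effect of path[0] on path[-1]: product of link polarities."""
        sign = 1
        for src, dst in zip(path, path[1:]):
            sign *= self.links[(src, dst)]
        return sign

    def loop_type(self, cycle: List[str]) -> str:
        """Classify a closed loop (the last variable links back to the first).

        A product of +1 is a reinforcing loop (pushes the system further in the same
        direction); -1 is a balancing loop (counteracts the change).
        """
        return "reinforcing" if self.path_effect(cycle + [cycle[0]]) == 1 else "balancing"


def example_diagram() -> CausalLoopDiagram:
    """Constructed diagram for the policy "shift security responsibility to a third party"."""
    cld = CausalLoopDiagram()
    # Policy response: more incidents -> more responsibility shifted onto the third party.
    cld.add("incidents", "responsibility shifted", +1)
    # Intended chain: the third party, now liable, strengthens its controls, which cuts incidents.
    cld.add("responsibility shifted", "third-party controls", +1)
    cld.add("third-party controls", "incidents", -1)
    # Unintended chain (assumed): once liability sits elsewhere, the organisation lets its own
    # controls erode; weaker own controls mean more incidents. This effect arrives with a delay.
    cld.add("responsibility shifted", "own controls", -1)
    cld.add("own controls", "incidents", -1)
    return cld


INTENDED_LOOP = ["incidents", "responsibility shifted", "third-party controls"]
UNINTENDED_LOOP = ["incidents", "responsibility shifted", "own controls"]


def simulate_policy(steps: int = 100, base: float = 100.0, policy: float = 1.0,
                    intended_gain: float = 30.0, unintended_gain: float = 50.0,
                    erosion: float = 0.8, tau_fast: float = 2.0,
                    tau_slow: float = 20.0) -> List[float]:
    """Quantitative toy model of the two loops above; returns incidents per time step.

    Both control levels adjust towards their targets as first-order delays. The intended
    channel (third-party controls) responds quickly (tau_fast); the unintended channel
    (own controls eroding) responds slowly (tau_slow), so its effect stays hidden at first.
    """
    third_party_controls = 0.0  # 0 = none in place, 1 = fully in place
    own_controls = 1.0          # 1 = fully in place, lower = eroded
    series: List[float] = []
    for _ in range(steps + 1):
        incidents = (base
                     - intended_gain * third_party_controls
                     + unintended_gain * (1.0 - own_controls))
        series.append(incidents)
        third_party_controls += (policy - third_party_controls) / tau_fast
        own_controls += ((1.0 - erosion * policy) - own_controls) / tau_slow
    return series


def policy_resistance(series: List[float]) -> Dict[str, float]:
    """Summarise whether the policy first helps and later backfires relative to the baseline."""
    baseline = series[0]
    best_step = min(range(len(series)), key=series.__getitem__)
    return {
        "baseline": baseline,
        "best_step": best_step,
        "best": series[best_step],
        "final": series[-1],
        "backfires": float(series[-1] > baseline),
    }


if __name__ == "__main__":
    cld = example_diagram()
    print("intended loop:", cld.loop_type(INTENDED_LOOP))      # balancing
    print("unintended loop:", cld.loop_type(UNINTENDED_LOOP))  # reinforcing
    for t, value in enumerate(simulate_policy()):
        if t % 10 == 0:
            print(f"t={t:3d} incidents={value:6.1f}")
    print(policy_resistance(simulate_policy()))
```

Run as a script, the diagram classifies the intended loop as balancing and the unintended one as reinforcing, and the time series shows the shape the abstract describes: incidents fall for the first few steps, then climb past the starting level once the slow loop catches up. Setting `unintended_gain=0.0` removes the side effect and the same policy simply improves the system, which is the comparison a student would make to see why the delayed loop matters.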