Action, Inaction, Trust, and Cybersecurity's Common Property Problem

K. Elliott; F. Massacci; J. Williams

doi:10.1109/MSP.2016.2

Action, Inaction, Trust, and Cybersecurity's Common Property Problem

K. Elliott, F. Massacci, J. Williams

Research output: Contribution to Journal › Article › Academic › peer-review

Abstract

© 2016 IEEE.Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing 'nothing' is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors' anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.

Original language	English
Pages (from-to)	82-86
Journal	IEEE Security and Privacy
Volume	14
Issue number	1
DOIs	https://doi.org/10.1109/MSP.2016.2
Publication status	Published - 1 Jan 2016
Externally published	Yes

Access to Document

10.1109/MSP.2016.2

Persistent URL (handle)

Persistent link

Cite this

@article{cdf1e03065034151ac6d1213d9d7c1bc,

title = "Action, Inaction, Trust, and Cybersecurity's Common Property Problem",

abstract = "{\textcopyright} 2016 IEEE.Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing 'nothing' is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors' anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.",

author = "K. Elliott and F. Massacci and J. Williams",

year = "2016",

month = jan,

day = "1",

doi = "10.1109/MSP.2016.2",

language = "English",

volume = "14",

pages = "82--86",

journal = "IEEE Security and Privacy",

issn = "1540-7993",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "1",

}

TY - JOUR

T1 - Action, Inaction, Trust, and Cybersecurity's Common Property Problem

AU - Elliott, K.

AU - Massacci, F.

AU - Williams, J.

PY - 2016/1/1

Y1 - 2016/1/1

N2 - © 2016 IEEE.Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing 'nothing' is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors' anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.

AB - © 2016 IEEE.Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing 'nothing' is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors' anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.

U2 - 10.1109/MSP.2016.2

DO - 10.1109/MSP.2016.2

M3 - Article

SN - 1540-7993

VL - 14

SP - 82

EP - 86

JO - IEEE Security and Privacy

JF - IEEE Security and Privacy

IS - 1

ER -

Action, Inaction, Trust, and Cybersecurity's Common Property Problem

Abstract

Access to Document

Persistent URL (handle)

Fingerprint

Cite this