Misaligned Incentives and Cyber-Insurance
This week we begin our discussion of information economics issues that have a big influence on cybersecurity. We will also look into ways that we can use this knowledge to suggest policy solutions to some cybersecurity problems.
First, I want you to read some economics theory that will help us talk about and think about cybersecurity. In class so far, we have been talking about motivations and trying to understand why people do the things that they do. We have been talking about these motivations in isolation, without looking at how other people’s choices affect those motivations.
The field of economics looks at strategic interactions in motivations and choices. How do a defender’s motivations and choices change based on what the attackers are doing? How do defenders’ motivations and choices change based on what other defenders are doing? How do attackers’ motivations and choices change based on what defenders do? How do attackers’ motivations and choices change based on what other attackers do? And when this iterates, what happens? If I change my decision based on your decision, and then you change your decision based on mine, then I might want to change again, and so on.
To get us started thinking about these kinds of strategic interactions in cybersecurity, please read some economics theory that will help us think about security incidents more generally. Read Hal Varian’s paper about System Reliability and Free Riding. (Alternative link) Varian is an economist (currently chief economist at Google) and so this paper is an economics paper.
Economics research papers aren’t easy to read, and while this one is easier than most, it is still a bit confusing. Try to read it, but don’t try to work through the math or understand the complicated logic. Instead, focus on the bottom-line conclusions from each section. He analyzes 3 ways that groups of people can provide security (which he calls system reliability): weakest link, best shot, and total effort. Figure out what the differences are between those three, and then try to understand the properties of each. You don’t need to understand the math (unless you want to); focus instead on the numbered facts.
Next, start reading this paper about the economics of cybersecurity. Don’t read the whole thing right now, though; we’ll be breaking it into parts and reading different parts of it over the next three weeks. For this week, please read Sections 1 and 2 for background. Then read Section 3.1 (p. 5-6) to start learning about a basic problem in economics, misaligned incentives; Section 4.1.1 (ex ante vs. ex post, p. 8-10) to start thinking about general ways to solve this problem; and Section 4.2 (p. 15-20) to look at this solution applied to a specific cybersecurity problem (botnets).
Finally, submit a summary + question for this week. For the summary, let’s combine the two. Consider the botnet problem – lots of different defenders don’t want their computers to be part of botnets, but each defender makes their own decision. Of the three different types of defense – weakest link, best shot, or total effort – which best describes the botnet problem? Summarize the type of defense and your understanding of the botnet problem, and explain why you think that type of defense describes the botnet problem.