How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession
By Peter Guerra BlackHat 2009 Turbo Talk Whitepaper Abstract
It is widely accepted that malware and botnets are established predominately to conduct cyber crime. The purpose of this paper is to paint a broad overview of the link between information security and economics and to discuss some research on the link of the CANSPAM Act of 2003 and the exponential rise of malware, botnets, and cyber crime. Using economic theory, I hope to spark an interest in economics as a discipline and to show how perverse economic incentives can give rise to unintended information security consequences.
Economics and Information Security
The ties between the disciplines of economics and information security were initially explored in the seminal work by Ross Anderson (Anderson, 2000). The Workshop on the Economics of Information Security (WEIS) is the preeminent place where these topics are typically researched and discussed. It is generally accepted that economics can help to explain why the state of information security is so dismal.
However, it is worthwhile to first describe the following basic economic principles that apply to information security (Frank and Bernanke, 2007):
The Scarcity Principle – Having more of one good thing usually means having less of another. Also known as security trade‐offs.
The Cost‐Benefit Principle – Take no action unless its marginal benefit is at least as great as its marginal cost. Often associated with attack profiles.
The Incentive Principle – Cost‐benefit comparisons are relevant not only for identifying the decisions that rational people should make but also for predicting the actual decisions they do make.
All three of these principles help to explain different failures associated with information security. Cost‐benefit and scarcity help to explain why information security typically does not get the same share of resources as other IT groups. The incentive principle helps to explain why information security is often missing from large products, such as early iterations of Microsoft Windows (Anderson, 2009).
Another economic theory that is used frequently in literature is the Tragedy of the Commons, which describes how a common resource is used up by multiple individuals acting independently in their own self‐interest (Hardin, 1968). Many researchers have made the analogy that the Internet is the commons, and no one self‐interested individual or group is incentivized to protect the whole. For example,