NSF Project CNS-0627399
The Economics of Internet Security: Theoretical
and Empirical Analysis
Ginger Davis, Alfredo Garcia and Barry Horowitz
University of Virginia
Overview:
While there exists a large body of technical literature on cyber security,
research on the economics of cyber security is still in its very early stages.
In this project we undertake theoretical and empirical analysis aimed at enabling a
better understanding of the economics of cyber security. In the first part of
our work, we have analyzed the incentives for the provision of cyber security
when ISPs are prevented from implementing price discrimination (i.e., "net
neutrality"). In equilibrium, underinvestment in cyber security follows when the
social value derived from usage (which is at least equal to a fraction of the
surplus derived from e-commerce) greatly exceeds the revenue at stake for
the telecommunications companies. In the second part of our work, we
analyze the time series associated with web traffic for a representative set of
on-line businesses that have suffered widely reported cyber security incidents.
The premise here is that cyber security incidents may prompt (security-conscious)
on-line customers to opt out and conduct their business elsewhere or,
at the very least, refrain from accessing on-line services. For companies
relying almost exclusively on on-line channels, this presents an important
business risk. We test for structural changes in
these time series that may have been caused by these cyber security incidents.
Our results consistently indicate that cyber security incidents do not affect
the structure of web traffic for the set of on-line businesses studied.
Publications:
"The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy", Alfredo Garcia and Barry Horowitz, Journal of Regulatory Economics, Vol. 31 No. 1 (2007) pp. 37-51
"Application of Collaborative Risk Analysis to Cyber Security Investment Decisions", Barry Horowitz and Jonathan Crawford, FSTC Innovation Journal, Vol. 2 (1) (2007) pp. 2-5
"A Statistical Approach to TCP Session Classification", Moscalu, T. and Steel, A. M. and Brown, E. D. L. and Lim, Y. L. and Davis, G. M., published in Proceedings of the 2008 IEEE Systems and Information Engineering Design Symposium, 2008.
"Empirical Analysis of the Effects of Cyber Security Incidents", Ginger Davis, Alfredo Garcia and Weide Zhang, revised and resubmitted to Risk Analysis
"Linking the Economics of Cyber Security and Corporate Reputation", Barry Horowitz, Ben Brooker, Jonathan Crawford, under revision
Conferences:
"Linking the Economics of Cyber Security and Corporate Reputation", Barry Horowitz, Ben Brooker, Jonathan Crawford, DIMACS Workshop on Information Security Economics, January 18, 2007 and 2007 WEIS Workshop on the Economics of Information Security
"Workshop: Investing in Cyber Security: Can We Make Better Choices?", Barry Horowitz (panelist), November 2007, Darden Business School, University of Virginia
"Statistical Methods for Detecting Computer Attacks from Streaming Internet Data," Ginger Davis, invited speaker to session on Enhancing Knowledge and Assessing Risk through Analysis of Massive Data, INTERFACE conference, May 2008, Durham, NC.
"Statistical Methods for Detecting Computer Attacks from Streaming Internet Data," topic-contributed to session on Multivariate Outlier Detection: Applications and Methodology, Joint Statistical Meeting, August 2008, Denver, CO.