MODELING THE LOJACK EFFECT IN THE CYBER SECURITY MARKET




Casatrina Lee, 3 May 2014

MODELING THE LOJACK EFFECT IN THE CYBER SECURITY MARKET
A STUDY OF INCENTIVES

Abstract: Cyber security has become a pertinent concern among businesses following the increasing digitization of operations. Hacking methods are ever evolving and businesses struggle to detect and respond promptly, as well as develop preventive measures against future attacks. It is widely acknowledged that cooperation is key in an industry's efforts in combating cyber crime, and in my paper, I focus mainly on the financial services sector. There exists a network of collaboration within the sector, such as the Financial Services Information Security Analysis Center (FS-ISAC), which facilitates the sharing of anonymized data about attack information among companies to improve situation awareness. However, in light of the private costs involved in investing in research, companies are reluctant to invest in R&D, preferring to act as free riders. I turn my focus to the LoJack industry within the auto theft market, which faces similar externalities and incentive problems. I model the incentive problems of both markets, analyzing the similarities and differences in network effects. Results show that although the LoJack model has significant positive externalities, excludable private benefits incentivize car owners to invest in a LoJack. However, in the cyber security market, companies have little incentive to invest more than the bare minimum in research due to the contagion effects of both negative and positive externalities. Finally, I draw on the successes of the LoJack in deterring auto theft to apply them to better outline the opportunities for collaboration for cyber security within various industries.

Keywords: cyber security, incentives, modeling, LoJack, contagion effect, network effects, free rider, externalities, financial services

AN HONORS THESIS SUBMITTED TO THE DEPARTMENT OF ECONOMICS OF STANFORD UNIVERSITY
PRESENTED BY: CASATRINA LEE, CYLEE1@STANFORD.EDU
MAY 2014
HONORS ADVISOR: PROFESSOR TIMOTHY BRESNAHAN, DEPARTMENT OF ECONOMICS

Acknowledgments

I am deeply grateful to my Honors Advisor, Professor Timothy Bresnahan, for his invaluable guidance and patience throughout the completion of the Honors Thesis. Despite his busy schedule, he is always eager to meet for a discussion and guide me through formulating a convincing economic model. I am grateful for his instruction throughout the process of pinning down my thesis topic, pointing me in the direction of relevant literature and ironing out the kinks in my paper.

I am also thankful to Professor Marcelo Clerici-Arias for his continued guidance and support since I embarked on this journey to write an honors thesis. I am grateful that he planted the inspiration in me during the junior honors seminar class I took under him.

Finally, I am thankful to my friends and for their support, without which this honors thesis would not have been possible.

Contents

Acknowledgments
1 Introduction
2 Literature Review
3 Economic Models
3.1 LoJack Model
3.2 Cyber Security Model
4 Comparing Models
4.1 Comparative Analysis
4.2 Contagion Effect
5 Discussion & Analysis
6 Conclusion
7 Bibliography

Chapter 1

Introduction

As the marketplace becomes increasingly digitized, businesses move a greater part of their operations online, and data is increasingly being migrated to the cloud. Naturally, the need to protect data has become more pertinent. Hacking methods have evolved to become more sophisticated, with millions of attacks happening every day. New modes of attack are being developed rapidly, more specifically zero-day attacks,[1] making it difficult to incentivize companies to invest in attack prevention research, or even to respond efficiently to these attacks.

There are numerous existing problems associated with information security. Companies often lack insight into the source and effect of attacks, making it difficult for them to take preventive measures or respond effectively. Companies also acknowledge that research in cyber security is often too time-consuming and cost-inefficient. With the high costs and low returns of research, companies lack incentives to invest in cyber security research.

[1] Zero-day attacks are attacks which exploit a previously unknown vulnerability, such that developers have no time to address and patch

Network effects of the Internet further exacerbate this underprovision of research. The high interconnectivity of firms and networks has resulted in high negative externalities on other members of the network. Once a member of a network has been hacked, other members of the network are more vulnerable as it is now easier for the hacker to infiltrate other members of the network. Positive externalities, however, can also result from these network effects if firms are willing to invest in security measures. A secure network would benefit the network as a whole, and this mutually beneficial relationship provides opportunity for collaboration among members by sharing information. Useful information would include attack sources, attack vectors, as well as effective methods of response and recovery.

The auto theft industry faces similar externalities, and research has demonstrated that the LoJack, despite its private costs, has been successful in overcoming free rider problems, therefore increasing positive externalities, deterring criminals and lowering crime rate. I aim to examine this model in the hopes of applying it to the cyber crime market.

The LoJack is a hidden radio transmitter used to retrieve stolen vehicles and has proven to be very effective in achieving general deterrence among car thieves. LoJacks facilitate cost and time efficient theft detection and recovery of stolen cars as the police are better able to track them. Consequently, a higher arrest rate has been associated with the increased use of LoJacks.

An important feature of the LoJack is that it is invisible to criminals. This feature is key in achieving general deterrence among auto thieves because criminals are unable to distinguish a car with a LoJack installed from a car without a LoJack installed. With a

higher probability of being arrested if they happen to steal a car with a LoJack, thieves are reluctant to take the risk of stealing a random car in the first place. Similar to the cyber security market, network effects also come into play here in the form of positive externalities. For example, if LoJacks are popular in a particular neighborhood, residents of that neighborhood benefit from the high incidence of LoJacks and enjoy a lower risk of theft even if they do not install a LoJack themselves. I model this incentive structure in my paper below.

Given the success of LoJack in deterring crime, I aim to apply a similar model to the market of cyber crime. In both markets, we see a barrier against investment (car owners are reluctant to invest in a LoJack and companies are reluctant to invest in research) because at the time of investment, the marginal benefit to the car owner and company is zero. No attack has taken place yet, and thus they are disincentivized to incur additional costs in investing. However, the benefits of collective investment are amplified with group investment. As investment is increased in both markets, the threat of falling prey to a successful attack is lowered. This implies that the social benefit of investing in crime prevention clearly exceeds the private benefit of investment. However, this result also consequently suggests the clear possibility of free riders in both markets.

Specific to the cyber crime market, the model shows that sharing of information among companies is optimal, assuming that sharing incurs no cost. This is because companies are indifferent between sharing and not sharing information, but the collective pooling of information helps provide better situational awareness of the cyber crime landscape and therefore decreases the risk of falling victim to an attack.

Furthermore, the model showed that the amount that companies are willing to invest in cyber security research is in fact a low constant, independent of the value they place on their information, and independent of the current risk of attack. This suggests again that companies are unwilling to invest beyond that equilibrium constant, resulting in a severe underprovision in the cyber security market.

In my paper, I break down the differences between the auto theft and cyber crime markets, more specifically in terms of the free rider and network effects. While the auto theft market is discrete (i.e. breaking into a car does not gain one access into another), the cyber crime market is relatively less discrete due to the high level of interdependence and connectivity. This results in high network effects, which can compound positive externalities of collaborative research, but can also compound negative externalities of a company in the network getting hacked and exposing other members to a higher risk of infiltration.

I aim to draw on the successes of the LoJack in deterring auto theft and apply them in better analyzing the opportunities for collaboration for cyber security among network members. My thesis is outlined as follows. A brief literature review is provided in Chapter 2, followed by my economic models of the auto theft and cyber crime markets in Chapter 3. In Chapter 4, I compare the cyber crime market to the auto theft market and subsequently apply my findings and provide more in-depth analysis and suggestions for the financial industry to better reap the rewards of collaboration in cyber security.

Chapter 2

Literature Review

Companies have thus far failed to develop an effective way to deal with the threat of cyber crime. While they widely acknowledge that prevention is ideal, it is impossible to determine a stock solution or mode of prevention for attacks, given the high rate at which attack vectors evolve. This, on the other hand, has incentivized criminals to persist in their hacking attempts, undeterred by the legal ramifications or the possibility of being caught. In fact, research has shown that the likelihood of detecting cyber crime is so low that the penalty inflicted would have to be of enormous magnitude to deter cyber crime (Grady & Parisi, 2006). As a result, companies have proved to be more inclined to choose "cure" over "prevention", choosing to tackle attacks by patching the problem, rather than resolving the root vulnerability.

However, in responding to attacks, companies face several challenges. Firstly, the system needs to be able to detect when it has been hacked before response can even begin to take place. Secondly, the system needs to undertake the most effective patch in

response to the infiltration; if the attack were a zero-day attack, response becomes even more problematic. Thirdly, the system needs to have adequate resources to deal with the attack; often, small and medium enterprises lack these resources (Bauer & van Eeten, 2008). Due to these factors, response is slow, and damage is rarely mitigated efficiently.

Market failure is present in the cyber security market, manifesting itself in the form of externalities. When a firm is compromised, it passes on the damage to its consumers in the event of a data breach. Financial institutions have chosen to internalize such negative externalities by compensating customers in the event of a security breach, rather than investing in security measures (Bauer & van Eeten 2011). Another form of negative externalities is also present among members of a computer network. Due to the high interconnectivity of computer systems, a breach in a member's system would result in the security of other members being compromised. As explained in a paper by Neil Gandal, large networks are more vulnerable to security breaches, precisely because of the success of the network. In an example given by Gandal, in part because of its large installed base, Microsoft's Internet Explorer is likely to be more vulnerable to attack than Mosaic's Firefox browser. This is because the payoff to hackers from exploiting security vulnerabilities in Internet Explorer is much greater than the payoff to exploiting similar vulnerabilities in Firefox.

On the flip side, positive externalities can be created when companies invest in security measures and research to strengthen their systems. Via the same network effects, the entire network is consequently strengthened. Such mutually dependent relationships offer an opportunity for collaboration among members of a network.

Anderson uses the network effect to better illustrate this in the context of the Internet (2001). The more people use the Internet, the more value it has for its users. In the realm of cyber security, the more companies share information with each other, the larger and more exhaustive the pool of resources, and therefore the more effective it is in preventing security breaches. The sharing of information related to methods for preventing, detecting and correcting security breaches is desirable as it helps prevent organizations from falling prey to security breaches previously experienced (Gordon, Loeb & Lucyshyn, 2003). This knowledge of the cyber security landscape is termed situational awareness. Additionally, such information helps organizations respond more quickly and efficiently with focused solutions if an actual breach occurs. Threats can be more effectively pre-empted and attacks can be more efficiently patched, therefore alleviating potential damages of the cyber attack. Situational awareness therefore involves achieving visibility of emerging threats, and is key in facilitating the anticipation and management of attacks.

As much as information sharing has been touted as a possible solution for cyber security, there is a major inherent problem: companies lack adequate economic incentives to facilitate such sharing. Anderson and Moore indicate misaligned incentives as the main reason for the failure of information sharing (2006). This is corroborated by a paper by van Eeten and Bauer, highlighting the issue of the free rider problem (2009). Individual businesses and users may suffer from the perception that their own risk exposure is low. Coupled with the interconnectivity associated with computer networks, when a firm invests in cyber security activities, it bears all the costs but doesn't reap all the benefits. The larger the share of benefits that accrue to

other firms, the smaller the incentive for a firm to increase its investments. Companies are therefore disinclined to invest in and share their security solutions because it would allow other companies in the network to benefit freely from it. For example, joining and reporting to Information Security Analysis Centers (ISACs) is voluntary, with no incentives in place to encourage full reporting and discourage free riding. Members may under-invest in the development of information security measures in anticipation of obtaining them for free from other ISAC members (Gordon, Loeb & Lucyshyn, 2003). As a result, the security level of the network is less than ideal.

Zooming in on the financial services sector, there is an existing framework for information sharing under the FS-ISAC (Financial Services Information Sharing & Analysis Center). It is unique in that it seems to have succeeded in creating a successful partnership in information sharing despite the potential pitfalls as mentioned previously. According to the current President and CEO of the FS-ISAC Bill Nelson, most of the information shared comprises anonymized data about attack vectors and sources. However, little research is done by the ISAC on security measures; without extracting value from the shared information to develop new solutions, the FS-ISAC simply becomes a data collection center.

We first have to distill the factors that have contributed to the success of the LoJack in the auto theft market. With the LoJack, a small radio transmitter is hidden in one of many possible locations within a car. When the car is reported to be stolen, the transmitter is remotely activated by the police, allowing the police to track the stolen car's precise location. LoJack-equipped stolen vehicles have a 90% recovery rate,

compared to a 63% recovery rate for vehicles that lack a tracking system (Helperin, 2009).

In an empirical paper by Ayres and Levitt, it is found that there are strong positive externalities by the LoJack in achieving general deterrence (1998). They further found that each dollar spent on LoJack resulted in a reduction in the costs of auto theft of approximately $10. Because there is no external indication that the LoJack has been installed in a car, it does not directly affect the likelihood that a protected car will be stolen. However, it was found that the availability and adoption of LoJacks in a particular area is associated with a sharp fall in auto theft. More specifically, the introduction of LoJack in a city has been shown to reduce auto theft, even though the initial use may be very small. The reason for this is that while the odds of a stolen car having a LoJack installed are very small, an auto thief may typically steal many cars a year. Once he unknowingly steals a car with a LoJack installed, he is caught, as with the rest of his accomplices (Bankman, 2001).

However, similar to the case of cyber security, there is the phenomenon of underprovision. While it was found that the marginal social benefit of an additional unit of LoJack has been fifteen times greater than the marginal social cost in high crime areas, those who install LoJack, however, obtain less than ten percent of the total social benefits, leading to underprovision by the market (Ayres & Levitt, 1998). In other words, people are inclined to free ride on deterrence phenomenon of the presence of the LoJack in the neighborhood, but are reluctant to personally invest in one. An individual car owner's decision to install the LoJack only trivially affects the likelihood of his or her car being stolen since thieves typically base their theft decisions on mean

LoJack installation rates. As thieves are unable to distinguish cars with LoJacks from cars without, the deterrence effect is very strong, and the extent of positive externalities arising from LoJack usage is very large. It is therefore crucial that one is able to incentivize car owners to invest in a LoJack.

Moving on, we examine the exact mechanism by which the LoJack has achieved its large social benefits. It disrupts the operations of "chop-shops."[2] In the absence of LoJacks, identifying these chop-shops requires operations that are highly time and resource intensive, whereas the installation of the LoJack often leads police directly to the heart of criminal operations. However, it is crucial to note that there is an interesting substitution effect in the form of older vehicles; older vehicles are less likely to have LoJacks installed and are therefore more targeted by criminals. Consequently, while the overall auto theft rate decreases, the theft rate for older vehicles increases.

LoJacks are expensive ($700), and while they have proven very effective in reducing auto theft rates, these reductions are purely an externality from the perspective of the car owner installing a LoJack. The only internalized benefits of installing a LoJack are higher retrieval rates and lower theft damages once a vehicle is stolen (Ayres & Levitt, 1998). In light of these effects, I will compare the externalities and network effects in both markets in greater detail in the following sections.

[2] Where stolen vehicles are disassembled for resale of parts.

Chapter 3

LoJack Model

We define the variables as follows:

= "#$%""#""#$%& = "#$%"#$""#$%&&"'"#$%& = "##$"#$"%&'; = 1"h"#h""#$%&"#$%&&', 0"h"#$% = "#$%$&'&h""#""#$%&"#$, h" = = "#$%&""#"#$%&""#$%&

T is defined as a function of the fraction of the population of car owners in the market who choose to invest in a LoJack.

We define Person i's utility ) as follows:

" = 0, = 1 " = 1, =

Without a LoJack, Person i's utility of his car is discounted by the risk of theft. With a LoJack, his utility is unaffected by the risk of theft, and his valuation is only reduced by the fixed cost of buying and installing a LoJack.

To incentivize Person i to invest in a LoJack,

: = 1 > : = 0 > 1 < 1)

Let us assume that m is the number of people who choose to invest in a LoJack (i.e. m people have < ). In this model, we seek to find equilibrium values of , and such that they fulfill the following conditions:

1. = 2. = "#$%&""#$"h" 3. =

Utilizing these equations, we can derive the equilibrium values of an individual's value of his car ), the equilibrium risk of car theft ), as well as the number of people who would install a LoJack ).

When Person i chooses to install a LoJack, his private benefit is 0, since no theft has occurred yet. However, the probability of a theft occurring (T) decreases as the number of LoJacks installed increases (i.e. m increases). This is clearly a social benefit and indicates positive externalities of LoJack usage. We express the social value of a higher fraction of LoJack adoption (higher ) on the market as a whole as follows:

Social benefit = total private value + social benefit of decreased risk of theft

"" =0 + " 2)

Note the term 0 is obtained from the zero marginal benefit that a LoJack adopter experiences after installing a LoJack because no theft has occurred and therefore, no tangible benefit can be felt. The second term "" " represents the sum of social benefits over each car owner. The first derivative of T is negative because the theft rate decreases with an increased fraction of LoJack adoption. This benefit is not exclusive only to those people who have installed the LoJack since the overall theft rate for both LoJack adopters and non-adopters decreases alike. The benefit is thus represented by the product of their individual valuation of the car ) and the marginal decrease in risk of theft on society as a whole borne out of a greater fraction of LoJack adoption among car owners in the region.

Here, we can see that because the general decrease in theft rate benefits the entire car owner population, the excess of social benefits as compared to individual marginal benefit has encouraged free riding and resulted in underprovision in the market for LoJacks.

Cyber Security Model

We examine the financial industry with respect to the market for cyber security, specifically because the financial industry is the most developed in the realm of cyber security, and because cyber security is at the forefront of companies' priorities. The financial industry has an existing organization, the Financial Services Information Sharing and Analysis Center (FS-ISAC), in which banks cooperate and share anonymized data on cyber attacks.

We define the variables as follows:

= "#$%""#$%&$%'"#$%&'$"""#$ = "##$"#$"%&'; = 1""#$%&'h"#$"#$%&'$", 0"h"#$" = "#$""#$#%"#""#"$%h = "##$"#$"%&'; = 1""#$%&'"#$#%""#"$%h, 0"h"#$% = "#$%$&'&)""##$%h"#$%, h" =,,, < 0 = "#$%&""#$%""#$%&

T is defined as a function of the fraction of banks that chose to share attack information and the cumulative amount of money invested in research. This assumes that the sharing of attack information and research have valuable payoffs.

We first consider the issue of sharing information within the organization. We can assume that the cost of sharing information is 0, since companies are not engaging in additional efforts in the course of sharing information with other companies in the

organization. Since the cost of sharing information is 0, companies would be indifferent between choosing to share ( = 1) and not to share information ( = 0). Given that T is dependent on S and <0 (i.e. the greater the number of companies who share information, the lower the risk of being hacked), companies are incentivized to share (i.e. = 1).

Therefore, sharing of information (S) is assumed to be efficiently provided in this model, given that all banks share at zero cost. This assumption is supported by the FS-ISAC, which confirms that all banks contribute anonymized data to the organization voluntarily. This is attributed to the fact that sharing of data incurs little time or monetary cost to individual banks as long as sufficient infrastructure to collect relevant data was already in place.

If Bank i chooses not to engage in research ( = 0),

Payoff= 1 ), = 0, = h"#"#$"#h"#"#$ "#$%&'"#$%)

Consequently, there is no contribution by Bank i to the reduction of crime rate.

If Bank i chooses to engage in research ( = 1),

Payoff= 1, 0, = h"#"#$"#h"#$ "#$%&'$&"#)

Consequently, this increases and reduces T, as a social benefit, much like the case in the LoJack model above. This implies that <. It is important to note that is a wholly private cost chosen solely by the bank, and can be perceived as the bank's contribution to group research (assuming the bank does not engage in any research on

its own using its own resources). Clearly, the socially preferred option would be for = 1.

A bank will choose to invest in research if:

1 < 1 1 < 1 < < < = ) 3)

We seek to find equilibrium values of , and such that they fulfill the following conditions:

1. = 2. =, 3. "#$$%& 1 "#

Utilizing these equations, we can derive the equilibrium values of an individual bank's value of protecting its information ), the equilibrium risk of cyber crime ), as well as the optimal amount that a bank should invest in research ).

Focusing on conditions 2 and 3,

"#$%$&' 1 = 1,

= 1 = 0 = 4)

Substituting this result into =, we obtain:

= = 1 5)

We see here that the optimal amount that a bank should invest in research is 1. This is a constant, independent of the bank's value it places on protecting its information, and independent of the current risk of crime. This can be attributed to the fact that each bank is reluctant to invest in more than the minimum to contribute to lowering the risk of crime, preferring to spread out the responsibility and put the onus equally on every member of the organization. They are choosing to sacrifice the long-term rewards of engaging in research and the compounding benefits of network effects in a strengthened network in favor of short-term cost savings.

Clearly, this is a myopic approach, but is unfortunately rampant in the current market. Research has also shown that, rather than invest in research and prevention, banks and financial institutions have chosen to internalize the costs of being hacked by compensating companies. In their opinion, the benefits of research fail to outweigh the time and monetary costs. As more banks adopt this mindset, the lack of a credible research team and foundation is perpetuated. Knowing that their counterparts have adopted this mindset, individual banks are less likely to be the sole member in the

network investing in research. In this case, network effects and the potential benefits of increased research investment are not tapped.

To quantify such benefits, we look at the social value of increasing :

Social benefit = private value for marginal bank + social benefit of decreased risk of theft

=0+, " "" 6)

Note the private value for the marginal bank is 0, regardless of whether it chooses to invest in research or not. This is because research has a time lag, whether in conducting the research or the utility of research results, and the benefit at a time where no hacking has occurred is 0.

The second term, " represents the sum of social "" benefits over everyone in the community. The first derivative of T with respect to is negative given that the crime rate decreases with an increased overall investment in research. Like in the LoJack model above, this benefit is not exclusive to those banks that have chosen to invest in research, but benefits every member of the organization as a whole by decreasing the probability of an effective hacking attempt. The benefit is thus represented by the product of their individual valuations of their information and the marginal decrease in risk of hacking on the community as a whole borne out of a greater cumulative investment in research.

Given that the research is collaborative, and there is no private research done by banks, the social benefit is shared among all the banks equally. Therein lies the problem of incentives: since all benefit is shared but all cost is private, there is an incentive to

become a free rider, resulting in underprovision of security research, similar to the case of LoJacks above.

We found that = 1 for all banks. This seems to be a unanimous decision, with no bank choosing to invest more than the equilibrium. This equilibrium, however, is not optimal, as the risk of hacking can be further decreased with increased investment in research. Yet if any bank chooses to invest more than the perceived equilibrium, it is unlikely that other banks will follow suit. Given that the research is non-rivalrous and non-excludable within the FS-ISAC, the problem of free riders arises.

Chapter 4

Comparative Analysis

While we can draw similarities between the cyber security and LoJack markets in terms of underprovision, there are numerous differences that need to be highlighted, specifically in the structure of their respective externalities.

1 Differing structures of network effects

For the LoJack market, the skills and tools required to steal a car are directly transferable from car to car. In other words, once a criminal is equipped with the knowledge and tools of how to steal a car, there is no economic barrier preventing him from stealing another car. However, stealing one car does not automatically gain him access to another car (i.e. the auto theft market is discrete).

In contrast, in the cyber security market, more often than not, criminals require specific insider knowledge in order to gain access to the system on top of general hacking skills. This knowledge is unique to individual companies and is less transferable to other companies. That said, however, once a criminal gains access to a

company's system, the barrier to gaining access to systems of other companies in the network is lowered (i.e. the cyber crime market is less discrete). While the LoJack criminal is not bound by geographical or regional restrictions in applying his knowledge, the cyber criminal is bound by the network of companies he is trying to infiltrate (i.e. this knowledge may not be applicable to another network such as the food and beverage industry).

2 Differing free rider effects

In the LoJack market, there are little to no free rider effects. A car owner installing a LoJack has no direct impact on the probability of his immediate neighbor's car getting stolen. Therefore, the LoJack is excludable. The free rider effect only kicks in when the installation of LoJacks in a specific region exceeds a particular threshold such that the general theft rate decreases. Even so, while car owners who choose not to install LoJacks may benefit from the general decrease in theft rate, they reap no benefits when their cars without LoJacks are stolen. Here, we see that the incentive to be a free rider is low.

In the cyber security market however, it is acknowledged that there is an infinite number of ways that a company's system could fail, both on the individual (company) and collective (network) levels. Investment in research, therefore, does not, in any way, guarantee a return. Given the high monetary costs of research, coupled with the time-intensive efforts and contrasted with the fast pace at which attack vectors evolve and develop, research is expensive and may not present itself as an economically rational decision for companies at first glance. In fact, banks have shown that they prefer to

CasatrinaLee 3May2014 CHAPTER4:COMPARATIVEANALYSIS 22 compensatecustomersforanysecuritybreachestheirnetworkmaysufferratherthan investinresearchbauer&vaneeten,2011).thereinliestheincentiveforcompanies tofreerideonresearchcarriedoutbyothercompaniesinthenetwork.likeinthe LoJackmodel,companieswhodonotcarryoutresearchbenefitfromthegeneral increaseinprotectionofthenetwork.intheeventofinfiltration,theyexperiencea negativepayoff,butsodotheothercompaniesintheirnetwork,whomayhaveinvested inresearch.ielaborateonthesenetworkeffectsbelow.inlightofthis,theincentiveto freerideisdrasticallyhigherinthecybercrimemarketthanthatofthemarketfor LoJacks.

Contagion Effect

Due to the high interconnectivity of networks within the financial industry, the probability of a bank getting hacked is no longer only dependent on simply sharing information and engaging in research. When a bank in the network gets hacked, other members of the network are subsequently more susceptible to getting hacked as well. This contagion effect therefore changes the payoff of each individual bank. We assume that the threat function is unchanged.

Taking into account the contagion effect,

Bank i's payoff = 1 "" ) (7)

Here, is the probability that bank i is hacked, is the network effect coefficient, and "" is the probability that another bank in the network is hacked, and affects bank i via network effects.

We see here that the contagion effect has lowered Bank i's payoff. Therefore, the contagion effect serves as a motivating factor for banks to share information within the network, as mentioned above, particularly since the cost of sharing information is zero. It also motivates banks to engage in research to contribute to the overall security of the network to maximize their security.

This is an important result and distinguishes the cyber security market from the LoJack market. The investment in a LoJack is very much individual. As long as Person i invests in a LoJack, the general rate of LoJack investment in Person i's region does not affect him. On the other hand, a collectively high rate of LoJack investment in a region without Person i investing in one may result in a lower probability of Person i's car getting stolen, but does nothing to aid recovery of Person i's car if it gets stolen.

In contrast, companies' research efforts are individual responsibilities. They contribute to securing the network as a whole as they invest in the collective research done by the network. It also better secures their individual system from being hacked, therefore indirectly securing the network at the same time. They should, therefore, theoretically be more interested in contributing to improving the overall security level of their network. Based on our last model, we see that collective efforts are key in cyber security to amplify network effects and correspondingly amplify the positive externalities over the negative externalities.

Chapter 5
Discussion & Analysis

As proven by the models above, collaboration is definitely advantageous in tackling the problem of cyber security. The financial services sector already has the FS-ISAC in place; one would naturally hope to put in place similar organizations in other industries to promote cooperation in other sectors. However, as much as information sharing has been touted as a possible solution for cyber security, there is a major inherent problem: companies lack adequate economic incentives to facilitate such sharing in industries other than the financial services sector. Instead, market failure and externalities come into play.

First and foremost, companies are unwilling to share information with other companies, because it may mean losing their competitive edge, particularly in industries where systems are part of the company's winning moves. For example, Amazon.com prides itself on its efficient retail system and supply chain, with secure payment options and short turnover times. They would be reluctant to share intimate information about their systems and their vulnerabilities with competitors in the same space who are looking to optimize their respective systems to compete in the ecommerce market.

Also, companies are reluctant to admit whenever their network has been breached, because of the public backlash that could occur when their customers learn that their information has been leaked. This could have negative ramifications on the hacked company's reputation. In 2011, Sony was the victim of a massive data breach and had naturally been reluctant to share the crime with the public. It was heavily criticized when it finally admitted to having been hacked, which only served to amplify the public backlash. One can only imagine that other retail companies like Target would be cautious in revealing their network security flaws.

Furthermore, as we have shown above, information sharing brings with it the problem of free riders. The problem of free riders simply serves to increase the barriers against encouraging collaboration in other industries against cyber crime. To date, the most effective effort in combating cyber crime has been in the financial services industry, in setting up the FS-ISAC. We can attribute several reasons to its collaborative success as opposed to other industries.

Firstly, the personal information that customers provide to financial services companies is much more sensitive and important (i.e. social security numbers, personally identifiable information, bank account numbers) than that provided to retailers (e.g. shopping preferences). Entrusted with such information, financial services companies are held responsible in ensuring that the information is secure. The importance of having a secure network is therefore much higher in the financial sector than in other industries.

The reluctance of other industries to share information with their competitors is also less conspicuous in the financial sector because such information is not the edge by which financial services companies compete in the market. Financial institutions are, in fact, highly mutually dependent and the bulk of their revenue comes from large investments, rather than the precise mechanisms of their systems and customer preferences. Their high mutual dependence also necessarily implies a higher contagion effect, which would pose a greater threat in the event of a network breach. These factors therefore uniquely incentivize financial institutions to partake in collaborative efforts to combat cyber crime.

We do know, from our above analysis, that such collaboration and research is a high-cost and high-time investment. However, cooperation can collectively strengthen the network and have a net positive effect. These positive effects include increased situational awareness of the cyber crime landscape, as well as more efficient detection of network breaches given the myriad ways that a network can be infiltrated. Information sharing is clearly incentive-compatible, while research action seems to be incentive-incompatible.

Given that research is time- and cost-intensive, the use of honeypots could be a plausible alternative, as they are relatively low cost, but yet contribute to the database of knowledge as a precursor to research. Honeypots are traps set to counteract attempts at unauthorized use of information systems. They involve computers that seem part of the network but are actually isolated and monitored. These computers seem to contain information or resources of value to attackers, baiting hackers, from which the FS-ISAC can learn valuable information on the criminals' modus operandi and techniques. This is a collective, yet active mechanism, as it builds on the collective strength of the organization, is able to glean useful findings, but requires less active participation on the part of individual companies.

Research could be outsourced with stipulated individual investments in research expenditure. This way, the research process would be more coherent and equitable. While the above analysis only takes into account collaborative research, companies may be incentivized to conduct private research on top of that. This, while clearly serving to strengthen the individual company's system, also benefits the network as a whole, by virtue of the strong network effects in the cyber security market. A possible example of outsourced research includes the INTERPOL Global Complex for Innovation (IGCI), which is set to become operational in Singapore in 2014. This would definitely prove highly effective given that the IGCI would have access to information beyond industry and geographical borders. Research would allow threats to be pre-empted, and response and recovery facilitated.

Chapter 6
Conclusion

Modeling the LoJack and cyber crime markets has illuminated several key similarities. The incentive structures of both models are similar, with emphasis on contrasting marginal private benefits of investing in a LoJack and cyber security research respectively with the social benefits. Due to the fact that the risk of falling victim to an attack decreases with increased buy-in for both the LoJack and cyber security markets, both models demonstrate social benefits that far outweigh private benefits.

There is a clear disincentive for individuals in both markets to invest in the LoJack and cyber security research respectively. This is because of the private cost incurred to the individual (monetary cost of the LoJack and time and monetary costs of cyber security research) but yet zero marginal private gains since no attack has taken place yet. There is therefore a barrier against the initial investment.

However, we know that each individual's investment in the market reduces the respective risks of crime, resulting in positive externalities. In the LoJack market, while an individual who chooses not to invest in a LoJack may reap the benefits of a lowered theft rate, he reaps no benefit if his car is targeted since it cannot be recovered easily without a LoJack. This itself serves as motivation for individuals to invest in a LoJack. On the other hand, companies who do not invest in cyber security research benefit from the lowered threat, and also reap the rewards of research conducted by other members of the network without needing to spend a single cent. Successful research by other companies helps to strengthen the network as a whole, and members of the network who choose not to invest in research benefit from the increased security, effectively becoming free riders. Therefore, due to differences in the structure of externalities and network effects of the two models, the incentive effects are different.

Specific to the cyber crime market, assuming that sharing of information within the network incurs no cost, the model also shows that sharing of information among companies is optimal. The pooling of information helps improve situational awareness of the cyber crime landscape and therefore decreases the risk of falling victim to an attack. Furthermore, the model showed that the amount that companies are willing to invest in cyber security research is in fact a low constant, independent of the value they place on their information and of the current risk of attack. This again refers to the rampant existence of free riders within the market.

Applying these findings to the cyber crime market, we must acknowledge first and foremost that, although the sharing of information seems to be feasible and beneficial in the financial services industry, this is not easily transferable to other industries, such as retail. Other industries lack economic incentives to cooperate and fear public backlash if information about their security breaches is leaked. In contrast, information security is such a key facet of the operations of financial institutions that their mutual interdependence forces them to cooperate.

On the research front, a possible alternative would be the use of honeypots. These honeypots can glean valuable information on attack vectors by posing as traps. This requires a collective contribution from each member of the FS-ISAC, but is owned by no one member, therefore alleviating the free rider and underprovision phenomena. Another plausible alternative would be to outsource research to international bodies, therefore allowing research contributions by each member to be more equitable.

In all, in modeling the market for cyber crime, it is evident that both sharing and investment in research are key for effective improvement in security. To combat the problem of free riders, it is important for the organization to set contractual terms such that members are bound to contribute to research in order to reap the full benefits of increased security. International bodies are also well-positioned to alleviate the free rider problem because not only are they impartial and less susceptible to incentive problems, they possess greater resources that can increase the effectiveness and holistic nature of their research.

Chapter 7
Bibliography

Abbas, Haider, Hemani, Ahmed, Magnusson, Christer & Louise Yngstrom. "A Structured Approach for Internalizing Externalities Caused by IT Security Mechanisms." 2nd International Workshop on Education Technology & Computer Science (2010).

Acquisti, Alessandro & Sasha Romanosky. "Privacy Costs & Personal Data Protection: Economic & Legal Perspectives." Berkeley Technology Law Journal. Vol 24. No. 3. (2009).

Anderson, Ross. "Why information security is hard - an economic perspective." Computer Security Applications Conference. 358-365 (2003).

Anderson, Ross & Shailendra Fuloria. "Security Economics & Critical National Infrastructure." Economics of Information Security & Privacy. (2010).

Anderson, Ross & Tyler Moore. "Economics & Internet Security: A Survey of Recent Analytical, Empirical & Behavioral Research." The Oxford Handbook of the Digital Economy, Oxford University Press. (2011).

Anderson, Ross & Tyler Moore. "The Economics of Information Security." Science. Vol 314. (2006).

Anderson, Ross, Clayton, Richard & Tyler Moore. "The Economics of Online Crime." Journal of Economic Perspectives. Vol 23. No. 3. 3-20. (2009).

Andrijcic, Eva & Barry Horowitz. "A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property." Risk Analysis. Vol 26. No. 4. (2006).

Arora, Ashish, Nandkumar, Anand & Rahul Telang. "Does Information Security Attack Frequency Increase With Vulnerability Disclosure? An Empirical Analysis." Information Systems Frontiers. Vol 8, No. 5. 350-362 (2006).

Aviram, Amitai & Avishalom Tor. "Overcoming Impediments to Information Sharing." Harvard John M Olin Discussion Paper Series. No. 427. (2003).

Ayres, Ian & Steven Levitt. "Measuring Positive Externalities from Unobservable Victim Precaution: An Empirical Analysis of Lojack." The Quarterly Journal of Economics. Vol 113. No. 43-77 (1998).

Bauer, Johannes & Michel van Eeten. "Cybersecurity: Stakeholder Incentives, Externalities & Policy Options." Telecommunications Policy. Vol 33. 706-719 (2009).

Bauer, Johannes & Michel van Eeten. "Economics of Malware: Security Decisions, Incentives & Externalities." STI Working Paper (2008).

Bauer, Johannes & Michel van Eeten. "Emerging Threats to Internet Security - Incentives, Externalities and Policy Implications." Journal of Contingencies & Crisis Management, Vol 17, No. 4. (2009).

Bauer, Johannes & Michel van Eeten. "Introduction to the Economics of Cyber Security." Communication & Strategies. No. 81 (2011).

Bolot, Jean & Marc Lelarge. "Cyber Insurance as an Incentive for Internet Security." 7th Workshop on the Economics of Information Security. (2008).

Cook, Phillip. "Coproduction in Deterring Crime." American Society of Criminology. Vol 10. Issue 1. (2011).

Cordes, Joseph. "An Overview of the Economics of Cybersecurity & Cybersecurity Policy." The George Washington University Cyber Security Policy & Research Institute. (2011).

Gandal, Neil. "An Introduction to Key Themes in Cyber Security." Tel Aviv University & CEPR. (2006).

Gordon, Lawrence, Loeb, Martin & William Lucyshyn. "Sharing information on computer systems security: an economic analysis." Journal of Accounting & Public Policy. 461-485 (2003).

Gordon, Lawrence & Loeb, Martin. "The Economics of Information Security Investment." ACM Transactions on Information & System Security. Vol 5, No. 4. (2002).

Grady, Mark & Francesco Parisi. "The Law and Economics of Cybersecurity: An Introduction." The Law and Economics of Cybersecurity. (2006).

Johnsen, Bruce & Supriya Sarnikar. "Cyber Security in the National Market System." Rutgers Business Law Journal. Vol 6. No 1. (2009).

Katz, Michael & Carl Shapiro. "Technology Adoption in the Presence of Network Externalities." Journal of Political Economy. Vol 94, No 4. (1986).

Kobayashi, Bruce. "An Economic Analysis of the Private and Social Costs of the Provision of Cybersecurity and other Public Security Goods." Supreme Court Economic Review. (2005).

Li, Xinghan. "Cybersecurity as a Relative Concept." An International Journal. Vol 18. 11-24 (2006).

Locke, Gary. "Cybersecurity, Innovation & the Internet Economy." The Department of Commerce Internet Policy Task Force. (2011).

Moore, Tyler. "Introducing the Economics of Cybersecurity." Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies & Developing Options for US Policy.

Mulligan, Deirdre & Fred Schneider. "Doctrine for Cybersecurity." Cornell University, University of California, Berkeley. (2011).

Ozment, Andy & Stuart Schechter. "Bootstrapping the Adoption of Internet Security Protocols." 5th Workshop on the Economics of Information Security. (2006).

Picker, Randal. "Cyber Security: Of Heterogeneity & Autarky." The Law School of The University of Chicago. (2004).

Powell, Benjamin. "Is Cybersecurity a Public Good? Evidence from the Financial Services Industry." Journal of Law, Economics & Policy. Vol 1. No. 2 (2005).

Swire, Peter. "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?" Journal on Telecommunications and High Technology Law. Vol 2. (2004).