A Dynamic Cyber Security Economic Model: Incorporating Value Functions for All Involved Parties

Abstract

One cannot develop effective economic models for information security and privacy without having a good understanding of the motivations, disincentives, and other influencing factors affecting the behavior of criminals, victims, defenders, product and service providers, lawmakers, law enforcement, and other interested parties. Predicting stakeholders’ actions and reactions will be more effective if one has a realistic representation of how each of the various parties will respond to internal motivators and external stimuli. In this chapter, reactions of involved parties are assumed to be based on “personal utility functions.” However, it is not sufficient merely to develop static utility functions, since the net value of security and privacy changes dynamically. External events, such as the announcement of a new threat, also have a significant effect on both subjective and objective net value. Knowing how such value functions vary over time helps determine the overall dynamic impact of security and privacy measures on the behavior of various participants and ultimately on the economic model that describes these behaviors. Also in this chapter, the authors enumerate the many factors that affect all the various parties and examine how these factors affect the responses of all those involved due to the economic impact of particular exploits and situations as they affect different groups.