Increasing cybersecurity investments in private sector firms (2024)

Abstract

Introduction

The percentage of US critical infrastructure assets owned by private sector firms is usually estimated to be somewhere in the neighborhood of 85% [Although the exact percentage is not known, the 85% figure has been used in various government reports (e.g. see http://www.gao.gov/products/GAO-07-39 , accessed 26 October 2015)]. The way these assets are operated and managed has vastly changed over the last few decades due to the impact of the digital revolution related to computer-based information systems. These changes have increased the efficiency associated with using infrastructure assets. The digital revolution, however, has also created serious risks to the nation’s critical infrastructure due to actual and potential cybersecurity breaches (The term “cybersecurity” is used in this article to mean the protection of information that is transmitted via the Internet or any other computer network. The terms “cybersecurity” and “information security” are used interchangeably in this article). As noted by President Obama in his Executive Order on Cybersecurity of 12 February 2013:

Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront [ 1 ].

Numerous empirical studies point out the potential negative effects of these breaches on the performance of firms in the private sector (e.g. see [ 2 ]). The potential negative effects of cybersecurity risks and incidents on private sector firms have also been recognized by the US Securities and Exchange Commission (SEC), as evidenced by the publication of its Disclosure Guidance [ 3 ]. In fact, the SEC Disclosure Guidance recommends that firms disclose their cybersecurity risks and incidents in their annual 10-K reports.

The cybersecurity risks and incidents confronting private sector firms raise the following fundamental question: How much should a firm in the private sector invest in cybersecurity activities? Answering the above question has been the subject of Congressional Hearings (e.g. the 2007 Subcommittee of the US House Committee on Homeland Security), academic research (e.g. [ 4 ]), and discussions among executives (e.g. [ 5 ]). Unfortunately, there is no simple answer to this question. The above notwithstanding, it is helpful to keep in mind that private sector firms are driven to a large degree by the desire to earn profits. Consequently, cybersecurity investment decisions by private sector firms are largely the result of cost-benefit analysis [In the private sector, cost-benefit analysis usually is based on some form of net present value (NPV) analysis].

Cost-benefit analysis, however, normally only considers the private costs associated with cybersecurity breaches (i.e. the costs to the firm directly affected by the breaches). The externalities (i.e. spill-over costs to other firms, in both the private and public sectors, as well as to individuals) associated with cybersecurity breaches are generally not factored into the cybersecurity investment decisions by firms in the private sector (The sum of private costs and externalities is what economists refer to as social costs; an example of an externality related to cybersecurity would be a situation where a firm gets a computer virus and spreads that virus to its business partners through the firm’s computer interactions with these other firms. The spill-over costs would be the costs incurred by these business partners as a result of receiving the virus. If the spill-over costs could be easily traced to the firm spreading the virus, and the firm could be held liable for these costs, these costs would become part of the private costs of the firm spreading the virus). As Anderson and Moore [ 6 ] make clear the cybersecurity economics literature recognizes that externalities play a significant role in the underinvestment in cybersecurity. LeLarge ([ 7 ], p. 2210), emphasizing the effect of externalities, writes “security investments are always inefficient due to the network externalities.”

Holding externalities aside, there is evidence that firms invest in cybersecurity activities at a level below what would be optimal considering private costs alone. A cursory look at some firms that experienced a major cybersecurity breach recently (e.g. Target, Inc., JP Morgan Chase, Inc., and SONY, Inc.) indicates that it took a significant cybersecurity breach for the firms to ramp up their level of cybersecurity investments. Indeed, it is reasonable for the US federal government (hereafter referred to as the “government”) to assume that private sector firms are underinvesting in cybersecurity activities. Beginning with [ 8 ], the issue of incentive alignment has been a central theme in literature on the economics of cybersecurity. Pym etal. [ 9 ], for example, analyze the need for government intervention in cybersecurity in the context of an economic model of attackers and defenders. One should not be surprised, therefore, to find governments considering various incentives and/or regulations (hereafter referred to as government “incentives/regulations”) that would increase cybersecurity investments by firms in the private sector [The distinction between government “incentives” and “regulations” for purposes of this article is as follows. A government incentive (e.g. tax incentive for energy efficiency) provides some sort of subsidy to encourage firms to voluntarily take specific actions that are consistent with achieving a desired outcome. In contrast, a government regulation (e.g. [ 10 ]) is a law that mandates compliance with the law to achieve a desired outcome; pursuant to Presidential Executive Order 13636, the US Department of Homeland Security and the US Treasury Department have recently released reports examining possible incentives/regulations to motivate private firms to increase their investments in cybersecurity. In this regard, see [ 1 , 11–13 ]].

The primary objective of this article is to apply and extend economic production theory to the problem of assessing the impact of actual or proposed government incentives/regulations designed to increase the cybersecurity investments by firms in the private sector [While the model we present was motivated and is discussed in the context of cybersecurity, our analysis is more generally applicable to any loss-reducing investment by the firm (e.g. workplace safety or employee-theft prevention)]. The production theory framework is based on an analysis of the relationships among cybersecurity inputs and outputs. Our input–output analysis provides important insights regarding the impact of various types of government incentives/regulations designed to increase the cybersecurity investments by firms in the private sector (For purposes of this article, the terms “investments” and “expenditures” are used interchangeably). To our knowledge, this is the first study to conduct such an analysis.

The input–output analysis provided in this article shows that the impact of government incentives/regulations on the cybersecurity investment decisions of firms is dependent on two fundamental issues. The two issues are: (i) whether or not firms are utilizing the optimal mix of inputs to cybersecurity (i.e. whether or not firms are accurately conducting and using cost-benefit analysis related to the inputs of cybersecurity investments), and (ii) whether or not firms are able, and willing, to increase their investments in cybersecurity activities. An analysis of these two issues results in general implications concerning whether government incentives/regulations will likely result in improvements in cybersecurity investments by private sector firms.

The remainder of this article proceeds as follows. In “Literature review” section of the article, we briefly review the relevant prior literature. The analytical framework for assessing the impact of government incentives/regulations on cybersecurity investments is presented in “Cybersecurity inputs and outputs” section of the article. This framework is based on a microeconomic analysis via the inputs and outputs associated with cybersecurity investments. The analysis is initially presented in graphical terms. The “Cybersecurity inputs and outputs” section of this article also discusses the implications of our graphical analysis, with a focus on how government incentives/regulations could impact firms in the private sector to incorporate externalities, as well as private costs, in their cybersecurity investment decisions. A formal mathematical analysis supporting these implications is also provided in the “Cybersecurity inputs and outputs” section of the article. The “Existing government actions affecting cybersecurity investments” section of this article provides a few specific examples of existing government incentives/regulations that have the potential to substantially enhance the current level of investments in cybersecurity activities by private sector firms. The “Concluding comments” section of this article presents some concluding comments concerning the main arguments presented in this article, as well as recommendations and limitations associated with these arguments. The “Concluding comments” section of the article also includes directions for future research in the area.

Literature review

Private costs of cybersecurity breaches

Cybersecurity breaches are a fundamental concern to firms in the private sector of an economy (Although outside the scope of this article, cybersecurity breaches are also a fundamental concern to organizations in the public sector, as well as to individuals). Estimates of the total costs associated with such breaches often are discussed in terms of billions of dollars. Estimates of the costs of a cybersecurity breach to an individual firm, hereafter referred to as private costs, are often based on surveys in which participants tend to consider only the explicit costs of such breaches (e.g. the costs of detecting and correcting breaches, as well as any actual loss of physical assets) [For example, the surveys conducted by several professional organizations (e.g. [ 14–16 ]) generally do not consider the implicit costs of cybersecurity breaches]. Once the implicit costs (e.g. potential lost sales, potential liabilities) are considered, the total actual losses to firms operating in the private sector could be closer to a trillion dollars. Although determining the exact dollar costs resulting from cybersecurity breaches is problematic, there is little doubt that the number and sophistication of cybersecurity threats and breaches continue to grow (e.g. [ 15 ]).

One stream of empirical research on the costs of cybersecurity breaches has to do with the impact of such breaches on the stock market returns of firms that are publicly traded on the US stock exchanges [ 2 , 17–23 ]. These studies are of particular relevance to the study contained in this article for the following three reasons. First, as noted in the introduction to this article, most of the critical infrastructure assets in the USA are owned by firms in the private sector, and the majority of these assets are owned by firms that are publicly traded on the US Stock Exchanges [President Obama’s 12 February 2013 Executive Order 13636 [ 1 ] on “Improving Critical Infrastructure Cybersecurity” defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” As noted on the official website of the Department of Homeland Security ( http://www.dhs.gov/critical-infrastructure-sectors , accessed 26 October 2015), critical infrastructure sectors include: the chemical sector, communications sector, energy sector, financial sector, healthcare and public health sector, transportation systems sector, the defense industrial base sector]. Second, the impact of cybersecurity breaches on stock market returns implicitly considers such factors as potential lost sales and potential liabilities resulting from the breaches. Thus, the implicit, as well as the explicit, costs of cybersecurity breaches are incorporated into these studies (As noted earlier, empirical estimates of the costs of cybersecurity breaches based on surveys tend to ignore implicit costs. Florêncio and Herley [ 24 ] point out other serious methodological problems with such surveys). Third, the findings from these studies show that a particular cybersecurity breach could have a significantly negative impact on a firm, despite the fact that a large portion of these breaches does not have such an effect on firms.

A comprehensive study by Gordon etal. [ 2 ] examined the impact of cybersecurity breaches on the stock market returns of firms publicly traded on the US stock exchanges. Their study shows that, although some cybersecurity breaches do indeed have a statistically significant negative effect on firms, there has been a general downward shift in terms of the impact that cybersecurity breaches are having on firms (when measured in terms of the negative effect on the stock market returns of firms). These latter findings suggest, as pointed out by Gordon etal. [ 2 ], that investors are building up a tolerance for cybersecurity breaches and/or that firms are becoming much more adept at detecting and remediating such breaches prior to the point where such breaches cause critical damage to the firms. The above noted findings concerning the downward trend in the general impact of cybersecurity breaches on firms does not, however, negate the fact that devastating breaches can, and actually do, still occur. If anything, the findings by Gordon etal. [ 2 ] serve to highlight why it is so difficult to incentivize private sector firms to make the appropriate level of investments in cybersecurity activities. That is, the downward trend of the impact of cybersecurity breaches on stock market returns of firms in the private sector highlights the difficulties associated with expecting private sector firms to voluntarily incorporate the cost of externalities of such breaches in their decision-making. Furthermore, since the cybersecurity breaches seem to be having a decreasing effect on the stock market returns of firms experiencing the breaches, a real danger is that the tendency by private sector firms to underestimate the private costs associated with cybersecurity breaches will increase.

Cybersecurity investments considering only private costs

Investments on cybersecurity activities are best viewed in a manner similar to the way other investments are considered by an organization. In the private sector, this essentially means that benefits from investments need to be compared to the costs associated with such investments. In terms of accepting or rejecting an incremental cybersecurity investment opportunity, the basic analysis consists of computing the NPV. The use of cost-benefit analysis for efficiently allocating scarce resources (i.e. making the business case) is well established in the capital investment literature including the literature on investments in cybersecurity (e.g. see [ 25 ]).

The preceding discussion refers to the way a private sector firm might look at an incremental investment related to cybersecurity [Sophisticated models take into consideration such factors as real options (e.g. [ 26–28 ])]. Alternatively, if the firm were trying to optimize the total level of investments in cybersecurity activities, then the firm would want to minimize the sum of the costs of the cybersecurity investments plus the costs of the cybersecurity breaches. A rigorous approach to determining the optimal level of cybersecurity investments is provided by the Gordon-Loeb Model [ 4 ]. Gordon and Loeb [ 4 ] present an economic model to examine the optimal investment level of information security for a risk-neutral firm. Gordon and Loeb [ 4 ] show that, for two broad classes of cybersecurity breach functions, the optimal investment in information security is always less than or equal to 1/ e (approximately, 36.79%) of the expected loss from a security breach. Although [ 4 ] demonstrated this result for only two (broad) classes of security breach functions, they conjectured that the 1/ e rule is more general. Baryshnikov [ 29 ] proved that the 1/ e rule “holds in full generality.” LeLarge [ 7 ] also proved the generality of the 1/ e optimal investment rule.

Externalities and the social costs of cybersecurity breaches

As noted in the Introduction, externalities that arise from the networked environment play a significant role in the underinvestment in cybersecurity. One type of externality arises because some costs of a cybersecurity breach are imposed on other firms and consumers and are not borne by firm experiencing the (initial) breach. An extreme example of such a negative externality arises when a cybersecurity breach results in a firm’s computers becoming part of a botnet. In this case, a cybersecurity breach could result in a firm’s computers launching attacks that are costly to consumers and other firms, but not costly to the firm that unknowingly hosts a source of the attack. Such a negative externality results in a firm’s private costs of a cybersecurity breach understating the social costs of a cybersecurity breach.

In contrast to negative externality, investing in cybersecurity creates a positive externality by decreasing the likelihood of a cybersecurity breach to consumers and other firms (as well as to the investing firm). This latter case (i.e. a positive externality) results in a firm’s private benefits from cybersecurity investment understating the social benefits of such investment. Given that firms recognize that their own cybersecurity is enhanced by the cybersecurity investments of other firms, cybersecurity acts to a degree like a public good and gives rise to firms free-riding on the cybersecurity investments of others. Without added incentives/regulations, firms do not take into account the externalities affecting social costs and benefits, thus leading to cybersecurity underinvestment. Furthermore, when the externalities associated with national security aspects of the critical infrastructure assets owned by private sector firms are considered, private costs and benefits of cybersecurity investment further diverge from the social costs and benefits, thus accentuating the cybersecurity underinvestment problem.

Combating the underinvestment problem

Since the problem of underinvestment in cybersecurity has been well recognized, scholars, as well as information security professionals, have addressed the issue and analyzed a number of policy strategies designed to boost cybersecurity investment. One significant stream of research in the cybersecurity literature began with [ 30 ] (Moore and Anderson [ 31 ] provide a nice discussion of papers in this stream of literature). Taking into account the public goods nature of cybersecurity investment, Varian [ 30 ] provides a game-theoretic analysis of three scenarios where the overall reliability of the network depends on: (i) the efforts of all firms; (ii) on the effort of the firm supplying the smallest effort; and (iii) on the effort of the firm supplying the largest effort. Allowing the costs of effort to vary across firms, Varian [ 30 ] compares the social optimal with equilibrium under a strict liability policy and under a negligence policy [Note that in order to calculate the social optimal and determine optimal policies, the cost of effort must be known for each firm (in addition to function mapping effort to the probability of breach). Since the cost of effort may well be private information held by firms, asymmetric information is a further barrier to attaining the social optimal. Groves and Loeb [ 32 ] present a mechanism designed to handle such a problem in the context of public inputs]. With the liability policy, a fine is imposed on firms when there is system failure (i.e. the occurrence of a breach); and with the negligence policy, a fine is only imposed on a firm if it failed to meet a predetermined standard level of effort (due care). While the liability policy only levies a fine ex post in the event of system failure, Varian [ 30 ] recognized that via cybersecurity insurance, standards could be imposed ex ante .

The use of ex ante negligence policies has been widely used in other contexts and has been proposed as a remedy for cybersecurity investment. Anderson etal. [ 33 ] note the analogy with car safety and recommend that the European Union develop standards for network-connected equipment. Sales [ 34 ] also discusses the use of standards as a possible remedy to underinvestment in cybersecurity and Bauer and van Eeten [ 35 ] lists information security standards as a technical measure of promise. As can be seen by the title of his article, “A Voluntary Cybersecurity Framework is Unworkable – Government Must Crack the Whip,” Gyenes [ 36 ] goes further in advocating mandatory cybersecurity standards.

The model we present and analyze in the next section of this article considers regulation from an ex ante negligence perspective rather than form an ex post liability perspective. Shavell [ 37 ], in the context of safety regulation, demonstrated that neither the ex ante nor ex post approach to motivating the welfare maximizing level of safety effort “… is necessarily better than the other and, their joint use is generally socially advantageous ([ 37 ], p.271).”

Information disclosure, information sharing, and the promotion of cyberinsurance have also been proposed as means of encouraging firms in the private sector to invest more in cybersecurity. Romanosky etal. [ 38 ], while not directly examining whether or not added disclosure requirements lead to increased cybersecurity investment, examine the impact of data breach disclosure laws on reducing identity theft. Gordon etal. [ 39 ] and Gal-Or and Ghose [ 40 ] provide game-theoretic models to investigate the benefits of information sharing. Cybersecurity insurance has also been investigated as a means of providing firms an incentive to strengthen their cybersecurity defenses. Insurance policies that require a level of due care (i.e. de facto standards) to attain a policy, or otherwise price policies (e.g. vary deductibles, premiums, and coverage) based on the policy holder’s cybersecurity defenses, provide such an incentive (Böhme and Schwartz [ 41 ] provide an excellent review of the cyber-insurance literature, while also providing a framework that unifies the literature as well as providing a guide for further research). Moore [ 42 ] examines additional incentive and regulatory strategies designed to increase cybersecurity investments by private firms (as well providing further discussion and analysis of the strategies presented above).

Cybersecurity inputs and outputs

Basic analysis

As pointed out in “Introduction” section, private sector firms will usually underinvest in cybersecurity. Accordingly, it is reasonable for the government to develop incentives/regulations to offset this underinvestment tendency. Ideally, the government would like to provide incentives/regulations to increase cybersecurity investments in private sector firms based on some target level of cybersecurity. Following this logic, the incentives/regulations would be based on the outputs of the firms’ inputs (or activities) related to cybersecurity. Under such an approach, the government would let firms decide on the best mix of inputs to use in order to reach the target level of cybersecurity. In reality, however, there is little agreement on how to measure the cybersecurity level of firms. For example, should the number of breaches, the time it takes to identify and remediate breaches, or the total social costs associated with breaches be this output measure? Furthermore, even if there were agreement on which metric to use, we would still be left with the problem of agreeing on the right way to quantify the metric. As a result of the difficulties associated with defining and measuring the level of cybersecurity, it is common, as well as rational, for the government to consider incentives/regulations based on the inputs to strengthen cybersecurity (e.g. security systems such as intrusion detection/preventions systems, antivirus software, one time password tokens, improved software, firewalls, encryption, internal control systems, training programs, two-factor authentication and security policies and standards) (As previously noted, there are parallels between issues surrounding automobile safety and cybersecurity. The use of input regulation in the auto industry is widespread with government standards for everything from bumpers to padded instrument panels to brakes).

The relationships between the inputs and outputs of cybersecurity are illustrated in Fig. 1 . This figure illustrates a case where a firm has three possible levels of cybersecurity represented by the three ISOSEC curves ( ISOSEC₃ > ISOSEC₂ > ISOSEC₁ ). Each ISOSEC curve in Fig. 1 represents the same level of cybersecurity for different combinations of inputs to cybersecurity. It is assumed, in Fig. 1 , that the firm has two, and only two, inputs ( $X$ and $Y$ ) to improve its cybersecurity level (Due to positive network externalities, the firm’s cybersecurity level (output) would also depend on the cybersecurity outputs (and, therefore, indirectly on the cybersecurity inputs) of all other firms. In our analysis, we assume all other firms’ cybersecurity levels are fixed and concentrate on the first-order effects of input regulation). Let $x$ represent the units of input $X$ and let $y$ represent the units of input $Y$ . For simplicity, we assume the measure of X is such that the cost of a unit of $X$ is one dollar, and similarly the measure of Y is such that the cost of a unit of $Y$ is one dollar. Thus, one could think of $x$ as the dollar expenditures for input $X$ and $y$ as the dollar expenditures for input $Y$ .

The horizontal axis in Fig. 1 measures the amount of one cybersecurity input (e.g. timeliness of patch updating of the firm), denoted as $X$ , for which we assume the government can get verifiable data. The vertical axis measures the amount of a second cybersecurity input (e.g. software quality) or a composite of all other security inputs, denoted as $Y$ , for which we assume the government cannot attain a verifiable measure. The firm’s level of cybersecurity is determined by the level of inputs ( $x,y$ ). As noted above, each ISOSEC curve is the set of all pairs of inputs ( $x,y$ ) resulting in a given level of cybersecurity and is assumed to be convex to the origin. The budget, B , for expenditures on cybersecurity inputs is the line segment given by the set ${(x,y)|x≥0,y≥0,andx+y=B}.$ Dotted lines in Fig. 1 represents the budget lines for three budget levels, where B₃ > B₂ > B_1.

An efficient firm expands its ex ante cybersecurity level (i.e. decreases the probability of a cybersecurity breach) by selecting a combination of cybersecurity inputs where the budget line is tangent to an ISOSEC curve. The point of tangency is where the marginal benefit (i.e. the marginal increase in the cybersecurity level) of input X equals the marginal benefit of input Y [We have assumed the inputs are measured in a way that one unit of each input cost one dollar. More generally, the point of tangency is where ratio of prices of the cybersecurity inputs equals the marginal rate of technical substitution of the cybersecurity inputs (i.e. the ratio of the marginal benefits of the inputs)]. At that point, the firm reaches the highest ISOSEC for a given budget level. In other words, an efficient firm spends its given budget for cybersecurity activities on the optimal mix of inputs, given the costs of the different outputs. This will map out on the firm’s optimal cybersecurity expansion path shown in Fig. 1 . If a firm were to take into account externalities, this would not change the firm’s expansion path [Taking externalities into account, however, would lead the firm to operate at a higher point on the expansion path. This statement is based on the assumption that externalities are only associated with the occurrence of a cybersecurity breach, and implicitly assumes that there are no externalities (e.g. pollution effects) associated with the use of one or more of the inputs ( X and Y )].

Now let us look at Fig. 2 , and assume that the firm initially has a budget for cybersecurity expenditures equal to B₁ . If the firm were efficient in its allocation of the cybersecurity budget ( B₁ ) to inputs X and Y (i.e. the firm knows and uses the optimal mix of X and Y for a budget level of B₁ ), it would select the combination of inputs equal to $x1$ and $y1$ . That is, $(x1,y1)$ represents the efficient allocation of B₁ , in terms of providing the maximum cybersecurity level of ISOSEC₁ . However, suppose that the government wants to raise the level of cybersecurity achieved by this firm to a target cybersecurity level of ISOSEC _T . That is, even if it were assumed that the firm is investing the optimal amount to cover its private costs of cybersecurity breaches, the government could believe the firm is not investing enough to cover the externalities associated with such breaches. Notice that this latter argument is independent of the government’s ability to measure the exact level of security.

To raise the firm’s cybersecurity level to ISOSEC _T , let us assume the government imposes a regulatory constraint on X of $xR$ (recall that the government can get verifiable data on X ). In this article, we focus on the frictionless case where the regulator can enforce input standards without cost. In practice, the regulator could audit a firm’s compliance with the standards at a cost, although the audit would be imperfect [If we relax the assumption that the regulator can enforce the standards without costs, then adding compliance to our analysis would require considering the cost of auditing by the regulator, the penalties for non-compliance, and the fact that firms take into account the imperfect (i.e. probabilistic) nature of auditing. To the extent that firms take into account imperfect and costly enforcement, compliance would be lessened, as would the actual benefits of such input regulation; note that while enforcement of ex ante standards is imperfect and costly, enforcement of ex post liability rules are also imperfect and costly. Shavell [ 37 ] highlights two enforcement problems with liability rules: (i) prosecution is uncertain, and (ii) penalties sufficient to induce optimal behavior may not be feasible because of firms’ inability to pay such penalties].

However, under this scenario we also assume that the firm is not willing (or cannot afford) to raise its budget to B₂ . In other words, we assume the firm’s budget is fixed at B₁ . The firm would solve this constrained optimization problem by setting $X$ at the $xR$ level and setting $Y$ at the $yR$ level shown in Fig. 2 . As shown in Fig. 2 , at ( $xR,yR$ ), the cybersecurity level attained would be ISOSEC _R , which represents a lower level of cybersecurity than the pre-regulation level of cybersecurity of ISOSEC₁ . Thus, with the assumption that the firm remains with its initial cybersecurity budget constraint of $B1$ , the government regulation actually motivates the firm to decrease its level of cybersecurity. In other words, after complying with the regulation on input X (i.e. $x≥xR$ ), but not increasing its overall budget for cybersecurity spending (i.e. keeping the budget at B₁ ), the firm is no longer using its inputs in an efficient manner [Suppose the firm responded to the regulation by increasing the cybersecurity budget by ( x _R − x ₁ ) , so that the new budget equals B₂ in Fig. 2 . Then, with the regulation, the firm would select input levels ( x _R , y₁ ), and achieve the target information security level ISOSEC _T . Note, however, that although the cybersecurity level has increased, with the new budget B₂ , the firm could further increase its cybersecurity level by using a little less of the regulated input X and increasing the level of the unregulated input Y. Suppose, however, that the firm responded to the regulation by increasing the cybersecurity budget by an amount less than ( x _R -x ₁ ) , so that the new budget equals B₀ , where B₁< B₀< B₂ . One can easily verify that there exists a threshold budget level, call it B _T , where B₁ < B _T < B ₂ such that for B₀ < B _T , the firm responding to the regulation would select input levels such that the cybersecurity level would be less than the initial level ISOSEC ₁ (but greater than ISOSEC _R ); and for B₀ > B _T , the firm would select input levels such that cybersecurity level would be greater the initial level ISOSEC ₁ (but less that than ISOSEC _T )].

The above analysis illustrates a case where a regulation on an input to cybersecurity lowers the firm’s level of cybersecurity. With some minor changes to the analysis, it is easy to illustrate a situation where a regulation on an input to cybersecurity, without any government subsidy, could possibly increase the firm’s level of cybersecurity. For example, if the firm were initially allocating its cybersecurity budget of $B1$ inefficiently (i.e. the firm does not know the optimal mix of inputs for a given budget level) and spending $xR$ on X and $yR$ on Y , a government regulation that forced the firm to spend $y1$ on Y could possibly move the firm to spend $x1$ on X (instead of $xR$ ). In this scenario, the firm’s cybersecurity level would move from the $ISOSECR$ to the $ISOSEC1$ , given the budget constraint of $B1$ ( Fig. 2 ).

Now let us return to the assumption that the firm is able to determine the optimal mix of its cybersecurity inputs. Furthermore, we now assume the firm is willing (and able) to raise its cybersecurity budget to keep its cybersecurity expenditures on Y at $y1$ , after complying with the regulation that the level of input X must be at least $xR.$ At $(xR,y1)$ , with a budget of B₂ , the firm would reach the target cybersecurity level of ISOSEC _T ( Fig. 2 ).

Implications

The preceding analysis shows that the potential for government incentives/regulations to increase cybersecurity investments by private sector firms is dependent on the following two fundamental issues: (i) whether or not firms are utilizing the optimal mix of inputs to cybersecurity, and (ii) whether or not firms are able, and willing, to increase their investments in cybersecurity activities. Thus, three general implications are apparent from our input–output framework provided above. First, if it were assumed that the total expenditures by firms on cybersecurity activities (i.e. the budget for spending on cybersecurity inputs) are fixed, and that firms are already utilizing the optimal mix of cybersecurity inputs, for different levels of spending on cybersecurity (i.e. firms know the optimal expansion path shown in Fig. 1 ), government incentives/regulations that encourage changes in the resource allocations among cybersecurity inputs would lower the firms’ level of cybersecurity.

Second, if it were assumed that the total expenditures by firms on cybersecurity activities (i.e. the budget for spending on cybersecurity inputs) are fixed, but that firms are not able to determine the optimal mix of cybersecurity inputs (i.e. organizations do not know their optimal expansion path shown in Fig. 1 ), government incentives/regulations (e.g. mandatory cybersecurity standards) that encourage changes in resource allocations among cybersecurity inputs could either increase or decrease the level of cybersecurity in firms. In this case, the outcome of such incentives/regulations depends on whether the government could properly identify the source of cybersecurity resource misallocations and, in turn, tailor the regulation on inputs to help rectify the misallocation of resources. If it were assumed that the government could identify the source of cybersecurity resource misallocation, the government incentives/regulations on inputs to cybersecurity could, but not necessarily would, help firms reach a higher level of cybersecurity. The outcome in such a case would depend on whether or not the firm shifted its use of inputs closer to, or further away, from the optimal mix. If the government were not able to identify the aforementioned resource misallocations (which is a more realistic scenario), a more effective approach to having private firms reach a higher level of cybersecurity could be for the government to initiate incentives that would help to educate firms on how to efficiently allocate their resources (e.g. the establishment of training programs that assist firms in applying cost-benefit analysis to cybersecurity activities).

Third, if it were assumed that the cybersecurity budget of an organization is not fixed (i.e. relax the firm’s initial budget constraint), government incentives/regulations (e.g. mandatory cybersecurity standards, or tax incentives related to specific cybersecurity inputs) that encourage organizations to increase their cybersecurity investments could increase the cybersecurity level of such organizations. Whether or not the firm knows its optimal mix of inputs, a sufficient condition for an increase in a firm’s cybersecurity level is that the incentives/regulations would not cause a lowering of the expenditures on one or more cybersecurity inputs. There exist, however, other sufficient conditions such that even if the regulation on one input results in the lowering of expenditures on other inputs, the overall cybersecurity level would increase. If a lowering of the expenditures on some cybersecurity inputs were to occur, then the ultimate result on the cybersecurity level of a firm would be dependent on how the input level changes affect the marginal benefits of inputs [If the actual level of an organization’s cybersecurity (i.e. the output of cybersecurity input activities) could be unambiguously measured, then regulation on outputs would likely be the most effective means of addressing externalities].

Formal analysis

Suppose the government wishes to have the firm move to a higher cybersecurity level. If the government (i.e. regulator) could measure and verify the level of both cybersecurity inputs ( x and y ), the government could mandate that higher level of cybersecurity expenditures by imposing large penalties for firms failing to do so. Recall, however, that the government can get verifiable data only on cybersecurity input X . Hence, the government can only require the firm to increase expenditures on input X and must let the firm decide on the level of cybersecurity input Y . In the following analysis, we will examine the cybersecurity levels under such a government regulation under three different scenarios.

Scenario 1: The firm is able to determine the optimal mix, but is not willing (or able) to increase the total expenditures on cybersecurity inputs (i.e. the cybersecurity budget is fixed at the current level).

Scenario 2:The firm is not able to determine the optimal mix, and the cybersecurity budget is fixed (i.e. the firm is not willing or able to increase its expenditures on cybersecurity inputs).

For this scenario, assume before the regulation takes place, the firm’s cybersecurity inputs are $(x0,y0)$ , which differ from $(x1,y1)$ , but are subject to the same budget constraint $B1$ ( $i.e.x0+y0=B1$ ). Suppose the regulator mandates that the firm must increase the cybersecurity expenditures on activity X to at least $xR>x0$ , and the firm chooses to strictly obey the regulation and keep its current budget level the same. Hence, the firm will pick the post-regulation input mix as $(x=xR,y=B1−xR)$ . Note that by defining $yR=B1−xR$ , the firm’s post-regulation input mix would be represented by $(xR,yR)$ .

The following proposition (a formal proof of which appears in Appendix A) states the intuitive result that when the firm is not able to determine the optimal input mix, a regulation that motivates more efficient resource allocation would induce a lower probability of a cybersecurity breach (i.e. a higher cybersecurity level) without imposing higher total cybersecurity budget:

Scenario 3A: The firm may or may not be able to determine the optimal input mix but responds to the government regulation on a single cybersecurity input without lowering expenditures on other inputs. (Thus, the firm is willing and able to increase it cybersecurity budget).

For this scenario, assume prior to the introduction of the government regulation, the firm’s cybersecurity inputs are $(xP,yP)$ , which may, or may not, differ from the optimal unregulated input mix $(x1,y1)$ . Let $(xA,yA)$ be the firm’s input mix after the regulation. The government regulation requires the firm to spend at least $xR>xP$ on X, so that regulation can be stated as $xA≥xR>xP.$ For this scenario, the firm’s cybersecurity level will increase, as will the firm’s budget tor cybersecurity inputs. This observation is stated formally in the next proposition and the (straightforward) proof appears in the Appendix A.

Scenario 3B: The firm is able to determine the optimal mix and is willing (and able) to increase its cybersecurity budget so as to accommodate the government regulation.

We now move to the case where the firm is able to determine the optimal cybersecurity input mix and is willing and able to increase its cybersecurity budget in light of the government regulatory requirement. Note that in this scenario, we have removed the restriction that other cybersecurity inputs will not be lowered.

Before the regulation takes effect, the firm was at its unregulated optimal input mix $(x1,y1)$ . The regulation begins and mandates the firm to increase its cybersecurity expenditures on input X to at least $xR>x1$ . Denote ( $x^,y^$ ) as the firm’s optimal levels of cybersecurity inputs under regulation, i.e. ( $x^,y^$ ) solves the firm’s following optimization problem:

$maxx,y[v−S(x,y,v)]L−x−ys.t.x≥xR,$

where $xR>x1.$

Denote $S^=S(x^,y^,v)$ (i.e. $S^$ represents the probability that a cybersecurity breach occurs under regulation) and define $B^=x^+y^$ as the total level of cybersecurity expenditures for the regulated case. The constraint $x≥xR$ must be binding [This can be shown by first assuming that $x^>xR$ . This means that $(x^,y^)$ is a solution to $maxx,y[v−S(x,y,v)]L−x−y$ without the constraint, i.e. $(x^,y^)=(x1,y1)$ , which contradicts the assumption that to $x^>xR>x1$ . Hence, $x≥xR$ is a binding constraint]. Hence we have $x^=xR$ .

In the next two propositions, we provide two sufficient conditions for the government regulation to result in a decrease in the probability of a cybersecurity breach. The first sufficient condition is that the cybersecurity inputs X and Y are weakly complementary over the interval $[x1,xR]$ , in the sense that an increase in x will not decrease the marginal benefit of an increase in y [Our use of the term weakly complementary is in the spirit of the discussion on production inputs in Ferguson (1969, p. 71)]. Formally, we assume $Sxy=∂2S(x,y,v)∂x∂y≤0$ .

We now examine the case where X and Y are not weakly complementary inputs. In that case, $Sxy>0$ , and the inputs are said to be “competitive” in the sense that the marginal benefit of input Y declines when the input X increases. In this case, whether the regulation would induce a lower probability of a cybersecurity breach occurring is ambiguous. The firm is mandated to spend more on input X but would at the same time reduce expenditures on input Y (This can be proved in a similar fashion as Proposition 4), since the marginal benefit from input Y is now smaller. As a result, the decrease in the probability of a cybersecurity breach occurring from more spending on input X could be partly or even more than offset by the increase in the probability of a breach occurring due to less spending on input Y .

Figure 3 illustrates how the optimal post-regulation expenditures $y^$ varies as the sign of $Sxy$ changes. Since $x^>xR$ is binding, the optimal post-regulation input mix is always on the vertical solid line at $x^=xR$ . Comparing with the pre-regulation expenditures on input Y , the firm will invest more $y^$ if $Sxy<0$ , invest the same if $Sxy=0$ , and invest less if $Sxy>0$ . Note that the optimal post-regulation input mix could be either above or below the pre-regulation cybersecurity ISOSEC curve.

In our next proposition, the formal proof of which appears in Appendix A, we provide another sufficient condition for the post-regulation probability of a cybersecurity breach occurring to be lower than the pre-regulation probability. The following sufficient condition restates how the optimal y changes with changes in x .

Figures 4 and 5 summarize our analysis for Scenario 3B, i.e. when the firm is able to determine the optimal input mix and optimally adjusts the cybersecurity expenditure budget in response to the regulation. A regulation that increases expenditure on activity X from $x1$ to at least $xR$ would induce the firm to strictly obey the regulation and set $x^=xR$ . The post-regulation input Y , however, may move along the vertical line at $x=xR$ . In Figure 4 , the solid vertical line at $x^=xR$ represents the region where the regulation will lower the probability of a cybersecurity breach (i.e. increase the cybersecurity level). Any breach probability functions that satisfy our sufficient condition $−SxSy<−SxySyy$ would have post-regulation input mix falling into this region.

When X and Y are weakly complementary inputs, the firm would choose not to decrease input Y and the total cybersecurity level would increase. When X and Y are competitive inputs, the firm would decrease expenditures on input Y , but as long as the condition $−SxSy<−SxySyy$ holds, the post-regulation cybersecurity level would still be higher. In Fig. 5 , we combine Figs 3 and 4 to highlight that there is a region where the post-regulation y decreases and the probability of a cybersecurity breach also decreases (i.e. we have a higher cybersecurity level). In other words, a regulation may be able to lower the probability of a cybersecurity breach, even though the regulation results in a lowering of other inputs (i.e. input Y ).

To provide the readers with examples, we consider a generalized version of the two single cybersecurity input breach functions discussed in [ 4 ]. These functions are $SI(x,y,v)=v(α1x+1)β1(α2y+1)β2$ for some $α1,α2>0,β1,β2≥1$ , and $SII(x,y,v)=v(α1x+1)(α2y+1)$ for some $α1,α2>0$ [They include broad classes of functions widely used in economics literature. It can be easily verified that they satisfy conditions (1–4)]. In Appendix A, a straightforward proof is given to show that these functions satisfy Proposition 5. That is, for these generalized functions, the post-regulation optimal expenditures on input Y decrease, yet the probability of a cybersecurity breach decreases.

Finally, we note that the model presented in this section, while providing insights in the context of cybersecurity, can also be used to analyze incentive/regulation in other contexts where the government seeks remedies for market failures due to externalities (e.g. pollution abatement and product safety). The economics literature on remedying externality problems is vast and continues to grow. For example, Cropper and Oates [ 44 ] provide an insightful review and analysis of externality remedies. Their analysis includes coverage of such classic economic remedies such as the imposition of Pigouvian taxes, marketable pollution permits, and standards. The parallels between environmental problems and cybersecurity problems have been noted before, most prominently by Camp and Wolfram [ 45 ] in suggesting marketable vulnerability permits.

Existing government actions affecting cybersecurity investments

Although there is as an a priori argument that firms will likely underinvest in cybersecurity activities, the government has already taken several actions that either have, or have the potential to, significantly offset the tendency by firms to underinvest in cybersecurity [The government actions discussed in this section (as well as the input incentive/regulations analyzed in our model) have no direct impact on security incentives of IT producers (i.e. software manufacturers, network operators, and network hardware manufacturers). Instead, these government actions affect the demand for improved cybersecurity, which in turn should provide indirect incentives for IT producers. Clearly, the design and analysis of direct incentives/regulation for IT producers, while outside the scope of this article, is a topic worthy of further investigation (e.g. see [ 46 ])]. Given the conditional impact of government incentives/regulations on cybersecurity investments by private sector firms, it is strongly recommended that the existing actions be recognized, evaluated, and more effectively utilized before, or at least in conjunction with, considering new government incentives/regulations concerning cybersecurity investments. Two such actions of particular note are the Sarbanes-Oxley Act of 2002 and the 2011 SEC Disclosure Guidance on Cybersecurity Risks and Cyber Incidents (Although these actions pertained only to publicly traded firms, such firms include virtually all of the firms that own an element of the nation’s critical infrastructure). Before examining these two government actions, we highlight some other government actions that are closely aligned with our analysis of incentives and regulations of cybersecurity inputs.

Regulations that specify security processes to be followed are, in essence, regulations on a set of inputs. For example, the 1999 Gramm-Leach-Bliley Act [ 47 ] “… obliges banks to protect the security and confidentiality of customer information by… specifying processes that banks must comply with, such as adopting a written information security program and establishing programs to assess and mange operational risks ([ 42 ], p. 106).” Our emphasis on regulating inputs is consistent with regulation security processes, providing the regulation on security processes does not include regulating all inputs. That is, our analysis provides insights to any situation where some, but not all, inputs are regulated.

Another example of a direct government regulation on inputs is the de facto regulation of firms by having them comply with a cyber regulation, so that they can avoid the imposition of a penalty. For example, some states do not require firms to make notifications of breaches if the data are encrypted [ 48 ]. A final example is the proposed mandatory strong authentication of identity requirement for critical infrastructures proposed in a Commission Report chaired by US Representatives Langevin and McCaul, Scott Charney and Lt. General Raduege [ 49 ].

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) of 2002 requires firms to have strong internal control systems in place, where internal control systems are defined in terms of reliable financial reports (see Sections 302 and 404 of SOX). In a modern computer-based information system environment, firms cannot produce reliable financial reports results without having secure computer systems. For accelerated filers, SOX (Section 404) requires external auditors to attest to the quality, or lack thereof, of the firm’s internal controls of their financial information reporting systems [SOX, as modified by the Dodd–Frank Act of 2010, requires only accelerated firms to have external auditors attest to the quality of internal controls. Generally speaking, accelerator firms are large firms, with revenues over $75 million per year (see [ 50 ])]. As indicated in various empirical studies, one category of material weaknesses (MW) in internal control systems identified by managers and auditors has to do with the security of computer-based information systems (e.g. [ 51 ]). More generally, it has been shown that MW in internal control systems have a negative impact on the cost of equity of firms [ 52 , 53 ].

Presumably, the SOX reporting requirements have been accompanied by an increase in cybersecurity investments. Unfortunately, since firms in the private sector do not disclose the level of expenditures on cybersecurity activities as a separate category on their financial reports filed with the SEC, the presumption that the passage of SOX had a positive impact on the cybersecurity investments of firms has never been verified. Furthermore, since SOX only applies to financial reporting systems (With the increasing use of integrated enterprise systems, an increasing percentage of a firm’s IT systems affect the financial reporting systems of firms), its ability to motivate firms to make the appropriate level of cybersecurity investments is limited. The above notwithstanding, the fact that firms are required to report their MW in their 10-K reports filed with the SEC (which include MW related to the security of their computer-based information systems) leads us to conjecture that SOX has motivated corporate executives to increase their expenditures on at least one cybersecurity input beyond what they would be without SOX. More to the point, we believe that SOX is already operating as a government incentive for firms to allocate additional investments to their internal control system, which is clearly an important input to cybersecurity. In terms of our model, this additional investment in the cybersecurity input of internal control would essentially shift the expenditure level toward some unspecified higher level (i.e. moving the expenditures on $x1$ toward what our model calls $xR$ .

Gordon etal. [ 54 ] provide evidence that is consistent with this conjecture. They show that firms listed on the US Stock Exchanges have significantly increased their voluntary disclosures of cybersecurity related activities. The fact that these voluntary disclosures are associated with a statistically significant increase in the stock market returns of the disclosing firms (see [ 55 ]) provides additional support for this conjecture.

In our opinion, the potential of SOX to offset the tendency to underinvest in cybersecurity activities by private sector firms has been substantially underutilized by the government. Indeed, to our knowledge this is the first article to point out the direct link between the financial reporting of MW in IT security and a cybersecurity framework for government incentives related to cybersecurity.

SEC Disclosure Guidance

The SEC Disclosure Guidance on Cybersecurity Risks and Cyber incidences [ 3 ] is another government action that is particularly germane to the issue of cybersecurity investments by private sector firms (Although the SEC Disclosure Guidance related to cybersecurity is technically speaking not a binding requirement, the fact that the disclosure is voluntary will provide a poor defense in the event of a suit by investors). Unlike SOX, which is focused on the inputs to cybersecurity via its emphasis on computer-based information systems, the SEC Disclosure Guidance focuses on the cybersecurity output in terms of cybersecurity risks and incidents. As stated in the SEC Disclosure Guidance:

Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

Many firms have reacted to the SEC Disclosure Guidance with an extensive discussion of the cybersecurity risks facing their firms in Item1A of their 10K as well as the Management Discussion Section of the firm’s 10K, filed with the SEC. In Appendix B, we present the Risk Factors reported by Lockheed Martin in their 10-K for 2013 as a representative example of a rapidly growing trend by firms to voluntarily report information concerning cybersecurity activities on the 10-K reports. In fact, since the SEC’s Disclosure Guidance was published in 2011, one is hard pressed to find a major corporation that does not voluntarily report some sort of information concerning its cybersecurity activities. This trend notwithstanding, we are still only able to conjecture that the increased reporting of cybersecurity related activities are accompanied by an increase in cybersecurity investments. In other words, while it seems reasonable to assume that corporate executives are increasing their level of investments in cybersecurity related activities as a result of the SEC Disclosure Guidance, hard evidence supporting this conjecture does not currently exist (As noted earlier in the article, there is scant information on the actual level of investments in cybersecurity activities by firms. The information that does exist is based largely on survey data which is of questionable reliability due to such problems as nonresponse bias, difficulty in verifying the actual respondent, and difficulty in verifying the amounts reported. Thus, it is difficult, if not impossible, to prove or disprove the accuracy of this statement). In fact, there have been calls for changing the SEC’s Disclosure Guidance on cybersecurity risks and incidences to a more formal regulation that requires firms to disclose more detailed information than currently is taking place. A leading advocate of this latter position is Senator John Rockefeller. In a letter to the SEC Chairperson (Ms. Mary Jo White) on 9 April 2013, Senator Rockefeller wrote [ 56 ]:

In October 2011, the SEC responded to my request and announced that it was issuing staff guidance on disclosure obligations regarding cybersecurity risks and cyber incidents. I applauded this decision as an important first step in the right direction, and it certainly made a positive impact on disclosures. However, given the growing significance of cybersecurity on investors’ and stockholders’ decisions, the SEC should elevate this guidance and issue it at the Commission level. While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices.

We agree with the underlying concern raised by Senator Rockefeller in his letter to the Chairperson of the SEC. The “true costs and benefits of companies’ cybersecurity practices” have not been identified as a result of the 2011 SEC Disclosure Guidance on Cybersecurity Risks and Cyber Incidences. However, there are steps that the government could take to improve this situation and, in turn, potentially improve the level of cybersecurity investments by private sector firms, even without raising the guidance to a Commission level issue. For example, the government (e.g. the SEC) could examine the correlation between the disclosures (or lack thereof) currently taking place and cybersecurity breaches in private sector firms. A study of this sort would create a form of market discipline that could (and likely would) result in increased investments in cybersecurity activities so as to prevent cyber incidences. Of course, if the market discipline turns out to be insufficient, then changing the disclosure guidance to a formal regulation could be a future action by the SEC. If the SEC were to follow Senator Rockefeller’s recommendation, our suggestion is that the annual level of cybersecurity expenditures by firms be included in the additional information to be disclosed. In our opinion, disclosing information on the level of capital expenditures would go a long way toward putting market pressure on firms to increase their cybersecurity budget because it would signal to investors, creditors, and customers the importance the firms attach to cybersecurity (Alternatively, an increase in a firm’s annual spending on cybersecurity activities could be interpreted as a signal that the firm is having problems in this area. Thus, not surprisingly, firms have been reluctant to reveal this information). In addition, if firms were required to disclose their annual cybersecurity expenditures, it would allow the government to more effectively develop incentives/regulations that are designed to increase the budget for cybersecurity activities.

Other examples of government actions affecting cybersecurity investments

Besides SOX and the SEC Disclosure Guidance, there are many industry-specific government regulations that are likely to offset the tendency by private sector firms to underinvest in cybersecurity inputs. Two such regulations that have presumably had a significant effect on increasing cybersecurity investments in private sector firms are the Gramm-Leach Bliley Act (GLB) of 1999 [ 47 ] and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 [ 57 ]. GLB and HIPAA impose stringent privacy and information security rules on financial institutions and health providers, respectively. As a result, both of these Acts provide strong incentives for firms in the private sector to increase their investments in cybersecurity inputs [ 58 ]. Presumably, the firms affected by these laws are investing enough in cybersecurity to cover the private costs and at least some of the externalities resulting from cybersecurity breaches. Anecdotal evidence provided to the authors, by a variety of firms in both of these industries, confirms this presumption. Unfortunately, we have no way of knowing if this anecdotal evidence is generalizable because private sector firms do not provide public information on the actual expenditure level of investments in cybersecurity activities. However, the significant penalties associated with noncompliance to these Acts suggest that this evidence about increased cybersecurity investments is likely to be true.

The above noted industry-specific regulations only apply to two specific sectors of the nation’s critical infrastructure. There are other regulations that apply to a specific subset of firms or sectors. For example, in 2003 California enacted the Notice of Security Breach Act [ 59 ] which requires that any company that maintains personal information of California citizens and has a security breach threatening the confidentiality of that information must disclose the details of the event. Clearly, this regulation motivates firms to increase their investments in a variety of cybersecurity inputs in an effort to avoid the likelihood of disclosing of a security breach. However, unless government agencies were to come up with regulations for each and every sector of the critical infrastructure (a very unlikely scenario), general incentives/regulations to encourage firms to make the appropriate level of cybersecurity investments are required. The reporting of MW under SOX, and the SEC’s guideline on cybersecurity risks and cyber incidences, represent two examples of the types of general incentives/regulations that can help accomplish the goal of increasing cybersecurity investments among a broad array of private sector firms that own US critical infrastructure assets.

Concluding comments

President Obama has recognized the importance of cybersecurity to the US national security (e.g. [ 1 ]). Recognizing the importance of cybersecurity is a necessary first step in resolving the challenges associated with cybersecurity risks and incidents. The next step, however, is to find solutions to these challenges. One such challenge, which has been the focus of this article, has to do with the tendency by firms in the private sector to underinvest in cybersecurity. Thus, it is appropriate for governments to consider the use of incentives and regulations to offset this tendency. Based on an input–output analysis, this article has examined the conditions under which incentives/regulations are likely to be most effective in encouraging a more appropriate level of cybersecurity investments by private sector firms.

Two examples of existing US federal government actions affecting cybersecurity investments were also discussed in this article. These examples are the Sarbanes-Oxley Act of 2002 and the 2011 SEC Disclosure Guidance on Cybersecurity Risks and Incidents. As pointed out in this discussion, the government would be wise to examine existing incentives/regulations before, or at least in conjunction with, initiating new ones. In particular, we believe that even as other incentives/regulations are being considered, a more effective utilization of SOX and the SEC Disclosure Guidance could go a long way toward resolving the problem associated with underinvestment in cybersecurity activities by a large subset of private sector firms.

It should be noted that private sector firms do not make cybersecurity investments in isolation of other firm-related investment decisions (e.g. new product investments). A limitation of this article is that we did not consider these other investment decisions in our discussion. In other words, cybersecurity investments need to compete for scarce organizational resources. Thus, no matter how carefully one tries to analyze the impact of government regulations and/or incentives related to cybersecurity investments on private sector firms, the ultimate impact will be determined by a variety of interactive concerns, many of which are unrelated to cybersecurity issues. In addition, government policies are often considered and adopted as a set of policies. As a result of this integrative process of government policies, the productivity of information security could also be changed by policies concerning other factors. Thus, looking at individual government policies directed at information security in isolation of other government policies could lead to misleading conclusions concerning the impact of the changes in the information security policy.

It is important to monitor the derivative effect of any incentives/regulations directed at improving cybersecurity investments by private sector firms. One component of such monitoring is the gathering of data on the level of investments in cybersecurity activities by private sector firms visa vie other firm-level investments (e.g. capital investments unrelated to cybersecurity). Unfortunately, at the present time, reliable empirical data on the actual level of cybersecurity investments is unavailable. Thus, one recommendation suggested in this article is for the US federal government to consider the development of a national database that tracks cybersecurity investments by private sector firms. A database on the level of investments in cybersecurity activities (and their effectiveness) by private sector firms could be maintained by a government agency and/or a research center within a university. The mere collection of such data could (and most likely would) serve to provide an incentive, via the marketplace, for firms to invest more into cybersecurity-related activities.

A second recommendation suggested in this article revolves around the need for firms to determine the optimal mix of their cybersecurity inputs. Whether increasing their cybersecurity budget or keeping it fixed, it is important for firms to understand the process by which they can derive the most efficient allocation of their cybersecurity-related resources. To facilitate improved resource allocation decisions among firms, the government could establish a training program on cost-benefit analysis applied to cybersecurity expenditures. This program could be established in conjunction with a university and open to all firms, either at no cost or at a minimal cost to firms. That is, the government could essentially provide a subsidy by covering all, or some part, of the costs associated with the training program as an incentive for firms to increase their cybersecurity level via a more efficient allocation of their cybersecurity resources.

Funding

This work was supported by the US Department of Homeland Security (DHS) Science and Technology Directorate (Contract #N66001-112-C-0132); the Netherlands National Cyber Security Centre (NCSC); and Sweden MSB (Myndigheten för samhällsskydd och beredskap) – Swedish Civil Contingencies Agency.

Appendix A

Proof of Proposition 1

Proof of Proposition 2

With fixed budget $B1$ , the firm’s probability of a cybersecurity breach can be rewritten as $S(x,B1−x,v)$ , which reaches minimum (highest cybersecurity level) at $x=x1$ with the first-order condition $dS(x,B1−x,v)dx|x=x1=0$ and the second-order condition $dS2(x,B1−x,v)dx2>0$ satisfied. This implies that $S(xR,B1−xR,v)$ is decreasing in $xR$ on interval $[0,x1]$ and increasing in $xR$ on interval $[x1,∞)$ . Hence, regulation requirement $x=xR$ will decrease the firm’s probability of a cybersecurity breach if it moves the input mix toward $(x1,B1−x1)$ , and increase the firm’s probability of a cybersecurity breach if it moves the input mix away from $(x1,B1−x1)$ .  Q.E.D.

Proof of Proposition 3

After the firm responds to the regulation, the probability of a cybersecurity breach is characterized by $S(xA,yA,v).$ Since the firm meets the government regulatory requirement and does not lower its expenditures on Y , we have $xA ≥ xR>xP$ and $yA ≥ yP.$ Since the security breach function is assumed to be decreasing in X and in Y [see equations (2) and (3) ], we have $S(xA,yA,v)<S(xP,yP,v)$ . That is, the firm’s probability of a cybersecurity breach has decreased, which means its cybersecurity level has increased. Since $xA>xP$ and $yA ≥ yP$ , we have $xA+yA>xP+yP$ (i.e. the firm’s cybersecurity budget has increased).  Q.E.D.

Proof of Proposition 4

Proof of Proposition 5

Hence, $y¯R(xR)$ is decreasing in $xR$ with the slope of marginal rate of technical substitution (MRTS) of the security breach function.

Proof that generalized version of security breach probability functions from Gordon and Loeb (2002) satisfying Proposition 5.

• I For $SI(x,y,v)=v(α1x+1)β1(α2y+1)β2$ , we calculate the following derivatives:

  $Sx=−α1β1v(α1x+1)β1+1(α2y+1)β2$

  $Sy=−α2β2v(α1x+1)β1(α2y+1)β2+1$

  $Sxy=α1α2β1β2v(α1x+1)β1+1(α2y+1)β2+1$

  $Syy=α22β2(β2+1)v(α1x+1)β1(α2y+1)β2+2$

  $SxSy=α1β1(α2y+1)α2β2(α1x+1)$

  $SxySyy=α1β1(α2y+1)α2(β2+1)(α1x+1)$

  $−SxSy<−SxySyy.$

The above calculations show that for this class of breach function, $−SxSy<−SxySyy$ , which implies the regulation leads to an improved cybersecurity level.

• II For $SII(x,y,v)=v(α1x+1)(α2y+1)$ , we have:

  $Sx=α1(α1x+1)(α2y+1)2v(α1x+1)(α2y+1)lnv$

  $Sy=α2(α1x+1)2(α2y+1)v(α1x+1)(α2y+1)lnv$

  $Sxy=α1α2(α1x+1)(α2y+1)v(α1x+1)(α2y+1)lnv[(α1x+1)2(α2y+1)2lnv+2]$

  $Syy=α22(α1x+1)2v(α1x+1)(α2y+1)lnv[(α1x+1)2(α2y+1)2lnv+1]$

  $SxSy=α1(α2y+1)α2(α1x+1)$

  $SxySyy=α1(α2y+1)α2(α1x+1)·(α1x+1)2(α2y+1)2lnv+2(α1x+1)2(α2y+1)2lnv+1$

  $−SxSy<−SxySyy.$

  (When $Sxy≤0$ , $−SxSy<−SxySyy$ holds. When $Sxy>0$ , it follows that $(α1x+1)2(α2y+1)2ln⁡v+2<0$ . Hence, $(α1x+1)2(α2y+1)2ln⁡v+2(α1x+1)2(α2y+1)2ln⁡v+1<1$ , we have $−SxSy<−SxySyy$ again.)

For this second class of breach function, we also have $−SxSy<−SxySyy$ , the regulation again leads to a higher cybersecurity level.  Q.E.D.

Appendix B

In Lockheed Martin’s 10-K Annual Report filed with the SEC, for the fiscal year ending 31 December 2013, under Item 1A: Risk Factors, the following statements concerning cybersecurity related issues are made:

Our business could be negatively affected by cyber or other security threats or other disruptions.

As a U.S. defense contractor, we face cyber threats, insider threats, threats to the physical security of our facilities and employees, and terrorist acts, as well as the potential for business disruptions associated with information technology failures, natural disasters, or public health crises.

We routinely experience cyber security threats, threats to our information technology infrastructure and unauthorized attempts to gain access to our company sensitive information, as do our customers, suppliers, subcontractors and venture partners. We may experience similar security threats at customer sites that we operate and manage as a contractual requirement.

Prior cyber attacks directed at us have not had a material impact on our financial results, and we believe our threat detection and mitigation processes and procedures are adequate. The threats we face vary from attacks common to most industries to more advanced and persistent, highly organized adversaries who target us because we protect national security information. If we are unable to protect sensitive information, our customers or governmental authorities could question the adequacy of our threat mitigation and detection processes and procedures. Due to the evolving nature of these security threats, however, the impact of any future incident cannot be predicted.

Although we work cooperatively with our customers, suppliers, subcontractors, venture partners, and acquisitions to seek to minimize the impact of cyber threats, other security threats or business disruptions, we must rely on the safeguards put in place by these entities, which may affect the security of our information. These entities have varying levels of cyber security expertise and safeguards and their relationships with government contractors, such as Lockheed Martin, may increase the likelihood that they are targeted by the same cyber threats we face.

The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means. Additionally, some cyber technologies we develop, particularly those related to homeland security, may raise potential liabilities related to intellectual property and civil liberties, including privacy concerns, which may not be fully insured or indemnified by other means. Occurrence of any of these events could adversely affect our internal operations, the services we provide to our customers, our future financial results, our reputation or our stock price; or such events could result in the loss of competitive advantages derived from our research and development efforts or other intellectual property, early obsolescence of our products and services, or contractual penalties

(see: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/2013-Annual-Report.pdf , p. 16, accessed 26 October 2015).

References

© The Author 2015. Published by Oxford University Press.