17,183 research outputs found

    The Law and Economics of Cybersecurity: An Introduction

    One of the most controversial theoretical issues of our time is the governance of cybersecurity. Computer security experts, national security experts, and policy analysts have all struggled to bring meaningful analysis to cybersecurity; however, the discipline of law & economics has yet to be fully applied to the issue. This introduction presents work by leading national scholars who examine this complex national security challenge from a law and economics perspective. The focus spans from a discussion of pure market solutions to public-private issue analysis, providing a valuable basis for policy considerations concerning the appropriate governmental role on the issue of cybersecurity

    An Analysis of Changing Transparency Regarding Cybersecurity in Annual Reports

    This paper studies the annual reports of 75 listed firms in the Netherlands in relation to the disclosure of cybersecurity information from a financial law and economics perspective in four consecutive financial years (2018-2021). Also, we study legislative developments (especially in the US) regarding cybersecurity disclosure requirements. Furthermore, we discuss the social and private costs and benefits of cybersecurity transparency. We draft hypotheses regarding the actual disclosure of cybersecurity information and propose a research design of an empirical study covering four financial years. The results of our study show that over time disclosing information regarding cybersecurity increases. However, the information value of the disclosures could improve since companies still disclose mostly technical measures that are hard to compare. In order for these efforts to have a social benefit, harmonization efforts need to be made.

    A Framework for the Planning and Management of Cybersecurity Projects in Small and Medium-sized Enterprises

    Cybersecurity remains one of the key investments for companies that want to protect their business in a digital era. Therefore, it is essential to understand the different steps required to implement an adequate cybersecurity strategy, which can be viewed as a cybersecurity project to be developed, implemented, and operated. This article proposes SECProject, a practical framework that defines and organizes the technical and economics steps required for the planning and implementation of a cost-effective cybersecurity strategy in Small and Medium-sized Enterprises (SME). As novelty, the SECProject framework allows for a guided and organized cybersecurity planning that considers both technical and economical elements needed for an adequate protection. This helps even companies without technical expertise to optimize their cybersecurity investments while reducing their business risks due to cyberattacks. In order to show the feasibility of the proposed framework, a case study was conducted within a Swiss SME from the pharma sector, highlighting the information and artifacts required for the planning and deployment of cybersecurity strategies. The results show the benefits and effectiveness of risk and cost management as a key element during the planning of cybersecurity projects using the SECProject as a guideline

    Game Theory Meets Network Security: A Tutorial at ACM CCS

    The increasingly pervasive connectivity of today's information systems brings up new challenges to security. Traditional security has accomplished a long way toward protecting well-defined goals such as confidentiality, integrity, availability, and authenticity. However, with the growing sophistication of the attacks and the complexity of the system, the protection using traditional methods could be cost-prohibitive. A new perspective and a new theoretical foundation are needed to understand security from a strategic and decision-making perspective. Game theory provides a natural framework to capture the adversarial and defensive interactions between an attacker and a defender. It provides a quantitative assessment of security, prediction of security outcomes, and a mechanism design tool that can enable security-by-design and reverse the attacker's advantage. This tutorial provides an overview of diverse methodologies from game theory that includes games of incomplete information, dynamic games, mechanism design theory to offer a modern theoretic underpinning of a science of cybersecurity. The tutorial will also discuss open problems and research challenges that the CCS community can address and contribute with an objective to build a multidisciplinary bridge between cybersecurity, economics, game and decision theory

    A Graphical Adversarial Risk Analysis Model for Oil and Gas Drilling Cybersecurity

    Oil and gas drilling is based, increasingly, on operational technology, whose cybersecurity is complicated by several challenges. We propose a graphical model for cybersecurity risk assessment based on Adversarial Risk Analysis to face those challenges. We also provide an example of the model in the context of an offshore drilling rig. The proposed model provides a more formal and comprehensive analysis of risks, still using the standard business language based on decisions, risks, and value. Comment: In Proceedings GraMSec 2014, arXiv:1404.163