[kictanet] Fwd: [Internet Policy] Economics of data breaches

Barrack Otieno otieno.barrack at gmail.com
Fri Nov 25 08:07:12 EAT 2016 

Listers,

This might be of interest to some of us.

Regards

---------- Forwarded message ----------
From: Richard Hill <rhill at hill-a.ch>
Date: Thu, 24 Nov 2016 10:37:43 +0100
Subject: [Internet Policy] Economics of data breaches
To: internetpolicy at elists.isoc.org

I don't think that the ISOC 2016 Global Internet Report was yet posted to
this list, so here it is:

  https://www.internetsociety.org/globalinternetreport/2016/

The report focuses on security issues, in particular the economic issues
that engender the lack of security that we all know about.  I think that it
is an excellent report (full disclosure: I contributed to the report).

I'd like to highlight here what I consider to be two of the key points in
the report.

The first point is that Internet growth rates are slowing down (see p. 33 of
the Report).  While this is not necessarily an issue in parts of the world
where most of the population is already connected, it is a serious issue for
developing countries, where significant proportions of the population are
not connected.  Lack of trust may be a factor in discouraging access to the
Internet.  As the Report says on p. 34:

"The slowdown in Internet growth rates, particularly in regions that were
already falling behind the global average, lends urgency to the Internet
Society's objective to connect the unconnected. There is evidence that
existing users are increasingly concerned about privacy and security issues
worldwide, and this may start to spill over to new users, who might become
more reluctant to go online. If people trust the Internet, they are more
likely to use it. Trust is at the heart of the Internet economy, and more
and more at the heart of economic growth. This lends urgency to our
objective to promote and restore trust in the Internet."

The other point is the clear identification of the economic issues that lead
to inadequate security, in particular externalities.

Security experts have long recognized that lack of ICT security creates a
negative externality[1]. For example, if an electronic commerce service is
hacked and credit card information is disclosed, the users of the service
users will have to change their credit cards.  This is a cost both for the
user and for the credit card company.  But that cost is not visible to the
electronic commerce service.  Consequently, the electronic commerce service
does not have an incentive to invest in greater security measures.

A comprehensive discussion is given in pages 103-107 of the Report, see in
particular the examples on p. 101. A summary is presented on p. 18 of the
Report:

"There is a market failure that governs investment in cybersecurity. First,
data breaches have externalities; costs that are not accounted for by
organisations. Second, even where investments are made, as a result of
asymmetric information, it is difficult for organizations to convey the
resulting level of cybersecurity to the rest of the ecosystem. As a result,
the incentive to invest in cybersecurity is limited; organisations do not
bear all the cost of failing to invest, and cannot fully benefit from having
invested."

Best,
Richard

_______________________________________________
To manage your ISOC subscriptions or unsubscribe,
please log into the ISOC Member Portal:
https://portal.isoc.org/
Then choose Interests & Subscriptions from the My Account menu.



-- 
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A

More information about the KICTANet mailing list