State-of-the-Art of the Economics of Cyber-Security and Privacy

Diskussionspapiere extern

Nicola Jentzsch

Waterford: WIT, 2016, 77 S.
(IPACSO - Innovation Framework for ICT Security Deliverable ; 4.1)

. January 2016.


This document is an overview of the state-of-the-art in the economics of Privacy and Cyber-security (PACS). It is the Deliverable D4.1 under the FP7-financed project “Innovation Framework for Privacy and Cyber-security Market Opportunities.” This is the most comprehensive overview on the economics of PACS to date. This document is intended for a diverse readership. Policymakers may use it in order to obtain an overview of the most recent research and insights that can be derived on the effectiveness of specific policy measures (such as data breach notifications). Researchers can use it as introductory reading and to obtain an overview of the field. Innovators and entrepreneurs may use this report to obtain a better understanding of the market they are operating in. It is stated that Privacy and Cyber-security markets differ from bricks-and-mortar markets because of the immateriality of the products and services provided and because of amplified network externalities that exist in these markets. These can lead to inefficiencies in terms of social welfare, misleading price signals or even market breakdown. The first chapter of this report introduces the reader to the basic concepts of economics, economic incentives and incentivization as well as to decision-making in the cyber-security domain. It covers proactive and reactive investment strategies, components of the cost/benefits of PACS investments and the security returns on investment model. The diverse field of cyber-economics is then mapped by sorting the research works into 5 areas: (1) game-theoretical approaches to cyber-security; (2) Experimental and psychological research; (3) Victim studies; (4) Methodological Advances; and (5) Other research. One of the most important parts of the document is the discussion of market failures in cyber-security markets and problems such as information asymmetries, networks externalities, public goods, interdependent security and natural monopoly cost structures. In the chapter on the economics of privacy, basic concepts are discussed such as the different types of transactions that exist. The literatures in this field are sorted into the following categories: (1) Empirical works (laboratory experiments and surveys); (2) Hypothetical scenarios; (3) Field experiments (including survey-based experiments); and other research (including methodological advances). Market failure problems are also discussed for markets for personal data products/services and privacy products/services. Other topics covered in that chapter span from the challenges of privacy preference measurement to the development of privacy metrics. Moreover, attention is also devoted to the monetization of privacy and the economic value of personal data with different methods to obtain estimates of valuations. The conclusion from these sections is that it is a great challenge if not impossible to obtain an unbiased and exact estimate of the valuation of personal data. Much more effort needs to be invested in developing robust market mechanisms, where data subjects can actively participate. The report further covers policy-instruments and incentive schemes in the area of PACS, ranging from mandatory to voluntary instruments. Finally, the report concludes with an overview of research challenges for further work and for the future H2020 agenda.