Computer Crime Research Center

Economics of Cybercrime

Date: April 30, 2004
Source: Computer Crime Research Center
By: Lawrence Gordon, Robert Richardson

... However, maximizing a company's IRR isn't consistent with maximizing its value. In contrast, maximizing NPV is consistent with maximizing the company's overall worth.

While these points may seem confusing, the message is clear: Information security managers must understand basic economic concepts to level the playing field during the budgeting process.

So far, all we've considered is what might be called the economics of investments in information security. But economics as a discipline has a lot more tools in its kit beyond the ability to make decisions about investment advisability. Economics has also delved into what happens when the incentives in a market are misaligned. The manufacturer of an MP3 player has no direct incentive to prevent users from using its products to play music that infringes on a record producer's copyrights, for instance, but if the record producer loses revenue as a result, that has a real effect on the market. To the MP3 manufacturer, it's an "externality," or a "spillover effect."

The pollution emanating from a factory smokestack is a classic example of an externality. "The factory causing the pollution doesn't bear any of the costs of the pollution that are incurred downwind," says L. Jean Camp, an associate professor of public policy at the Kennedy School of Government at Harvard University and co-author of "Pricing Security", the first paper to argue that security is an externality. Similarly, if a company does a poor job at cybersecurity, other companies may be affected negatively. The recent MyDoom worm is a good example of how lax security by some can have a negative impact on others. If machines are infected with a worm that, like MyDoom, doesn't harm the machine but carries out some other task without the owner's knowledge, Camp says, the owner doesn't have any direct incentive to spend money to defeat the worm. "It doesn't matter to you if your machines are being used for phishing and spamming all night--there's no marginal cost." The cost, in other words, is an externality to the owner of the infected machine.

One solution, Camp suggests, is to structure internal charges to promote timely patching. Vulnerability auditing might result in per-department lists of faults coupled with policies that force departments to fix each vulnerability or pay IT to do so. "It makes the direct costs such that, even ignoring the large external costs, the department wants to do the right thing," she says. "Economics is always about properly aligning incentives."

Another area in which economics has direct relevance to information security is information sharing, which has become a mantra of the Department of Homeland Security and other organizations, including the federally sponsored Information Sharing Analysis Centers, or ISACs--groups of companies in industry sectors that pool information to improve the security of their respective infrastructures. Although sharing information about cyberthreats is a laudable goal, economists have shown it to be extremely difficult to put into practice. Indeed, without the appropriate economic incentives, the free-rider problem--the tendency for participants to want to get all the information they can from other participants without sharing any of their own deep, dark secrets--typically prevents organizations from obtaining the potential value of information sharing in an information security setting. Dozens of groups are drawn together by the idea that members will share their mishaps and vulnerabilities confidentially with the group--think of the local chapters of the Information Systems Audit and Control Association (ISACA), the FBI's InfraGard and, of course, the ISACs. But without purposefully changing the incentives a member has to share sensitive information with these groups, each participant typically waits for others to do the sharing, rather than risk exposing information about his or her organization's weaknesses. For more information about infosec information sharing, see Gordon, Loeb and Lucyshyn's "Sharing Information on Computer Systems Security: An Economic Analysis" in the Journal of Accounting and Public Policy (Vol. 22, No. 6, 2003).

Indeed, information security is a troublesome market: Important information is routinely hidden from those who need it most, its most important characteristics are devilishly difficult to measure, and the vendors that provide security mechanisms often don't pay the costs when those mechanisms fail. Economists have spent decades developing tools to make sense of just this sort of off-kilter market system, so it's high time for information security managers to borrow their tools and expertise to measure and improve their company's cybersecurity. What are you waiting for?

LAWRENCE A. GORDON is Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland. Write to him at

ROBERT RICHARDSON is editorial director at the Computer Security Institute (CSI). Write to him at
