Cybersecurity – Critically Underprovided

By Matej Mavricek, Policy Fellow

Cybersecurity today is as much a part of our lives as health care, and in more than one way resembles immunization efforts. Our information is as much in danger from a variety of threats as our bodies are in danger from a variety of pathogens, and the response to both is similar: awareness, prevention, and, if necessary, treatment. Much like immunization, the more people use security measures properly and diligently, the less danger there is to the population as a whole. But because there is a cost to security, some will eschew their own responsibility and rely on others to take the necessary precautions, in a classic example of free rider problem. Such behavior can only be combated on a societal level, if we are ever to have an optimal level of security from threats to our personal information.

The age we live in, the information age, has brought us technological capacity beyond the imagination of just a decade or two ago. While there are still no flying cars, we are able to communicate instantaneously and costless with everyone on the planet through the internet. An average internet user today can consume in a day more information than an average person living in the 17th century could in their entire lifetime. We are able to go everywhere in the world, read anything, even see what it would be like to be standing on a corner of a street in New Delhi, Paris or Chicago without leaving the comfort of our ergonomic chair.

Beyond mere consumers of information, we have become generators of information. The modern web (2.0 or 3.0 depending on who is asked) allows us to project everything about our lives, even our DNA sequence, for public use of everyone in the world.  Our calendars, GPS locations, thoughts and even medical records now all exist in a virtual location.

While this enabled our lives to run smoother, and leave us with more free time for pursuits we might consider more vital, this preponderance of personal information stored online has not come without cost. Of the simplest ones, there is the cost of time necessary to manage dozens if not hundreds of different online identities in forms of username and passwords.  Others are more complicated, such as guarding our personal information against phishing and hacking schemes, that take active and continuous efforts to combat. The preponderance of ways we use the internet has also created a preponderance of ways in which someone can obtain our information without our consent, and use it maliciously.

Cybersecurity is the term we give these efforts to safeguard our information, whether we are an individual, an organization or a larger entity, such as a city or a country. They encompass awareness, prevention and treatment efforts to safeguard information. The first part, awareness, comes from continuous education on part of users and generators of information, who need to be aware of the threats in order to most efficiently decide how to guard against them. Prevention comes in many forms, from precaution and savvy (such as not responding to Nigerian princes) to protocols and programs (such as antivirus or firewall applications). Finally, treatment is attempted to recover hijacked systems and contaminated files.

In this way, cybersecurity resembles very closely our efforts to safeguard our health. We educate ourselves on the latest developments in medicine, we take precautions in response to contemporary threats (during flu season, for example), and we resort to hospitals and medicine when things have progressed beyond our ability to cope with them. Cybersecurity then resembles immunization very closely: both are used to protect against specific threats, both have to be continuously monitored and occasionally redone, and both have a cost. This cost can be a monetary cost, a cost of time or merely convenience. This cost is also what prevents some from obtaining the proper immunization (or cybersecurity) despite the risks.

However, part of this behavior is psychological – the larger the proportion of a population that has been immunized against a risk, the lesser the risk to the rest of the population. Which means some members of society will count on others to bear that cost, and immunize themselves, thus lowering the risk for everyone. And this is a typical example of what economists call free-riding, or avoidance of cost in provision of a public good. A public good is defined as any good that provides equal benefit to all in a society regardless of who bore the cost (non-rivalrous), and none in society can be prevented from consuming it (non-excludable). Traditional examples of a public good are clean air, national defense, public radio, but immunization & cybersecurity also fall within the category.

The problem of “free-riding” means that public goods are always underfunded, and as a result are always underprovided. This is true in the case of immunization & cybersecurity – left to ourselves, we would never provide enough national defense, public radio or cybersecurity, as some members of society would eschew their share of the cost, whatever form that cost took.

This is what is called a market failure, and where the government is usually required to step in in some fashion in order to insure optimal provision of the public good. In a perfect world, the government would subsidize those goods we want more of (such as cybersecurity, immunization, national defense, clean air, etc.) and offset it by taxing those goods we want less of in society, the exact opposite of a public good, called public “bads” (such as smoke stacks, cigarettes, alcohol, household waste).

Overall, cyber security, despite the best efforts of those who dedicate their careers to it, will remain an underprovided good because there is a cost associated to each individual, but the benefit is shared among all individuals in society. In order to have functional and well provided goods in society, not only must we fight the urge to “free-ride” on others (by having very weak passwords, for one), but also push for the government to effectively subsidize the good in a myriad of ways – provide funding for research, endorse standards in the industry and enable communication and information dissemination in order to make fighting cybersecurity easier.