JultikaUniversity of Oulu repository

Economic agents make rational cybersecurity investment decisions considering the costs and the benefits of their choice. Problems arise when the private costs and benefits do not align with social costs and benefits. The presence of externalities commonly leads to underinvestment and the situation is aggravated by the presence of informational challenges that are typical for cyberspace. In cases of critical infrastructure interdependence, firms are often unaware that their underinvestment impacts other network agents, who might be equally unaware of the situation. Without accurate information on cybersecurity it is difficult to provide incentives for private agents to invest in cybersecurity. Therefore, in this thesis, we present information sharing as a means to handle the informational challenges and bring cybersecurity investment closer to a socially optimal level. In this thesis, we develop an economic model for determining the optimal level of cybersecurity investment for private critical infrastructure operators. Our goal is to analyse cybersecurity investment decisions in a network of interdependent critical infrastructure operators. As the agents’ information systems are bound together, the critical elements of each system are now the critical elements of all the interdependent systems. A failure in one system will be externalized to the other agents’ systems. As a result, an agent’s decisions to invest in cybersecurity and to share breach information also impact the welfare of other agents. We assume that an agent’s investment costs increase in its own aggregate investment, but decrease in the other agents’ investment and information sharing effort. Therefore, an agent’s cybersecurity investment and information sharing decisions affect the other agents’ optimal cybersecurity investment level and their incentives to share breach information. We utilize our model to examine the incentives of private critical infrastructure owners and operators to invest in cybersecurity and share breach information. Critical infrastructure protection is a matter of national security of supply, and thus societal costs of a breach might be higher than the private costs incurred by the owner and operator. Hence, governmental intervention is justified. However, due to the unique qualities of cyberspace, we abandon traditional top-down orders and introduce a social planner, who is a member of the same network as the critical infrastructure providers. The social planner influences network agents’ incentives through its own cybersecurity investment and information sharing efforts. The model presented in the thesis is based on a definition of cybersecurity as public externality. The definition is based on a four layer framework model of cyberspace, where the content of a layer determines security on that layer as a good, and the protection of the lower layers impacts the security of the subsequent layers. On the physical layer, security is determined by private goods, and by club goods and private goods on the logical and informational layers. In our model, cybersecurity investment refers to these rivalrous and excludable security investments made on the lower layers of cyberspace. Cybersecurity is the positive externality of these investments. For this reason, there is no free riding in cybersecurity investment.