Chapter 6. The Market Consequences of Cybersecurity: Defining Externalities and Ways to Address Them (p. 139-140)
The preceding chapter reported on the efforts and incentives of a variety of Internet market participants. It indicated a number of market-based incentive mechanisms that contribute to enhanced security but also other instances in which decentralised actions may lead to sub-optimal outcomes. A pressing question is: Are participants in the information and communication markets responding adequately to malware, or are improvements possible? Pointing to a variety of reports that show increases in malicious attack trends, one might conclude that markets are not responding adequately. Our analysis revealed a more nuanced picture.
Three major categories of externalities
Real-world markets rarely meet the preconditions of standard economic theory. For example, decision makers rarely have complete information, they operate under conditions of bounded rationality, and they behave opportunistically. For these reasons, individual decisions rarely are as ideal as described by abstract models. Rather, real-world decisions are a process of "muddling through" second and third-best solutions, especially in an environment of rapid technological change. Whether a decision was good or bad is often revealed only after-the-fact. Assessing the direct and indirect economic cost of malware in real-world conditions is hence an important aspect of designing countermeasures. Since the provision of security entails cost, tolerating a certain level of insecurity is economically rational. Therefore, the level of security realised depends on the costs and benefits of security to individual actors, and on potential collective measures to enhance security. Two key questions are:
1. Are market players taking the full range of costs into account when making security decisions?
2. If costs are externalised (passed on) to other market players or society at large, how serious are they in relation to the internalised (absorbed) costs?
While keeping in mind the scope and limitations of our study, we can offer a number of tentative conclusions with regard to these questions. Across the information market’s value net, three relevant situations emerge for key market participants:
Category 1: No externalities, market participants absorb all the costs of their security decisions.
The decision-making unit, be it an individual user or an organisation, correctly assesses security risks, bears all the costs of protecting against security threats (including those associated with these risks) and adopts appropriate countermeasures. The private and societal costs and benefits of security decisions are aligned. There may still be significant damage caused by malware, but this damage is borne by the market player itself.
This situation would be economically efficient, but due to the high degree of interdependency in the Internet, it is rare. That does not mean these situations are non-existent. In principle, end users – be they large organisations or skilled home users – who take adequate security measures and successfully prevent their machines from being compromised generate no externalities for the rest of the market – though some experts might argue that under certain conditions such behaviour creates positive externalities that are not taken into account and thus lead to a sub-optimal level of private investment (Kunreuther and Heal, 2003).









