The traditional logic concerning cybersecurity has been that market incentives work against it. Yet the security industry has seen tremendous growth in size and revenue over the past few years, even without regulation.
At the USENIX Enigma Conference Thursday, Vaibhav Garg, senior director of cybersecurity research and public policy for Comcast Cable, argued that the forces that once seemed misaligned have been realigning.
The seminal paper in how companies weigh the value of cybersecurity is almost two decades old.
Cambridge University's Ross Anderson argued in 2004 that a handful of factors led to a market failure in incentivizing security. The costs of a breach, he wrote, was often passed on to third parties, neither customer nor vendor, leading to little reason to bolster security (15 years later, Equifax would be an example of this). Customers were not good at evaluating the security of the products they buy, including security products themselves.
Finally, Anderson wrote, security could get in the way of interoperability and adoption of a product. To use Garg's example from his talk, it is more important to consumers that Bluetooth speakers seamlessly connect than it is that significant gatekeeping is in place.
"While these arguments are being made in the economics literature," said Garg, "if you look at the market dynamics, the size of the cybersecurity market has continued to increase. So it used to be around $3.5 billion in 2004. And it's expected to [total] beyond $1 trillion [for the five-year period ending in] 2025."
If market incentives were mostly misaligned in cybersecurity, that kind of investment would not show that kind of growth, Garg said. He identified seven factors that re-incentivize cybersecurity in the modern world.
- First, companies see increasingly impacted by the theft or disruption of internal data — a stolen trade secret is a bigger concern today than in 2004.
- Second, customers increasingly work security measures into contracts, or at least have a tacit understanding of a certain level of security.
- Third, the market is increasingly built around products where it is easy to change vendors. It takes less effort to change your cloud networking service today than buy a new mainframe in 2004.
- Fourth, when companies integrate products, security externalities of one product become the internalities of the product it connects to. Garg used the example of internet providers who give customers a router. Security problems in the router affect bandwidth usage, which the ISP would want to limit, even if the customer does not notice.
- Fifth, security can be a market differentiator for a more expensive good.
- Sixth, brand reputations suffer after breaches.
- Seventh, the threat of collateral damage encourages linked vendors to improve their security for the collective. If one online shop suffers an incident, all online shops suffer consumer's reluctance.
Whether and why market incentives encourage security is not just an academic issue. It could change how policy makers approach the problem.
"About 20 years of research has focused on the notion that security is a market failure that requires some kind of policy intervention," he said. "The challenge with policy interventions is that policy interventions by their very nature tend to be a little bit static. They tend to be a little bit slow to evolve versus cyberattacks, which tend to evolve very quickly."
"To the extent that we need a policy intervention, that should really be tailored by taking into account the context of the incentives in that particular domain," he later added.