
Listers,

This might be of interest to some of us.

Regards

---------- Forwarded message ----------
From: Richard Hill <rhill@hill-a.ch>
Date: Thu, 24 Nov 2016 10:37:43 +0100
Subject: [Internet Policy] Economics of data breaches
To: internetpolicy@elists.isoc.org

I don't think that the ISOC 2016 Global Internet Report was yet posted to this list, so here it is:

https://www.internetsociety.org/globalinternetreport/2016/

The report focuses on security issues, in particular the economic issues that engender the lack of security that we all know about. I think that it is an excellent report (full disclosure: I contributed to the report).

I'd like to highlight here what I consider to be two of the key points in the report.

The first point is that Internet growth rates are slowing down (see p. 33 of the Report). While this is not necessarily an issue in parts of the world where most of the population is already connected, it is a serious issue for developing countries, where significant proportions of the population are not connected. Lack of trust may be a factor in discouraging access to the Internet. As the Report says on p. 34:

"The slowdown in Internet growth rates, particularly in regions that were already falling behind the global average, lends urgency to the Internet Society's objective to connect the unconnected. There is evidence that existing users are increasingly concerned about privacy and security issues worldwide, and this may start to spill over to new users, who might become more reluctant to go online. If people trust the Internet, they are more likely to use it. Trust is at the heart of the Internet economy, and more and more at the heart of economic growth. This lends urgency to our objective to promote and restore trust in the Internet."

The other point is the clear identification of the economic issues that lead to inadequate security, in particular externalities.
Security experts have long recognized that lack of ICT security creates a negative externality[1]. For example, if an electronic commerce service is hacked and credit card information is disclosed, the users of the service will have to change their credit cards. This is a cost both for the user and for the credit card company. But that cost is not visible to the electronic commerce service. Consequently, the electronic commerce service does not have an incentive to invest in greater security measures. A comprehensive discussion is given in pages 103-107 of the Report, see in particular the examples on p. 101. A summary is presented on p. 18 of the Report:

"There is a market failure that governs investment in cybersecurity. First, data breaches have externalities; costs that are not accounted for by organisations. Second, even where investments are made, as a result of asymmetric information, it is difficult for organizations to convey the resulting level of cybersecurity to the rest of the ecosystem. As a result, the incentive to invest in cybersecurity is limited; organisations do not bear all the cost of failing to invest, and cannot fully benefit from having invested."

Best,
Richard

--
Barrack O. Otieno
+254721325277
+254733206359
Skype: barrack.otieno
PGP ID: 0x2611D86A