Don't Regulate Cyberinsurance Markets
At Bejtlich’s recommendation, I read with great interest Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. The bulk of the paper describes the success and prospects of the cyberinsurance industry, but comes to a conclusion that we need government regulation to “facilitate private market development”. This conclusion isn’t based on their informative analysis of the cyberinsurance industry, but rather on an ethical judgement revealed in the third paragraph:
My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others. In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good—and susceptible to the free-rider problem. As a consequence, private individuals and organizations won’t invest sufficiently in IT security to provide an optimal (or even adequate) level of societal protection.
The authors believe that current levels of IT security are sub-optimal and believe it will stay at those levels because “the private benefits of investment are less than the social benefits”. They don’t explain or rationalize these statements in the rest of the article. Instead, they explain the benefits and success of cyberinsurance, but make another value-judgement after noting that only 25% of the market uses cyberinsurance. This is too low in their eyes, so we obviously need government regulation to stimulate the industry, since IT security is a public good. But they never give reasons as to why IT security is a public good suffering from the free-rider problem. Not to my satisfaction, at least. They did offer this example as noted above:
My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others.
If you deem your neighboring systems as a threat because they don’t live up to your standard of protection and there is a risk of their systems being used to launch an attack, why don’t you take that into consideration when buying security? As Sammy Migues (via Alex) points out, it often makes no difference where the attack comes from. I don’t see how how their example illustrates that IT security is a public good, but let’s go along with it anyway.
The assertion that IT security is a public good suffering from the free-rider problem is one that not all economists would agree with. The free-rider problem and public goods theory are used by some economists to justify government regulation of markets. The supposed “market failure” that occurs because of the free-rider problem is merely an opinion of the economist doing the analysis. From whose point of view are we to judge what the optimal level of IT security is; that of the central-planning economist or that of the individual who owns the means to spend on security? From the point of view of the authors and many security practitioners, we need more security. Obviously companies aren’t buying enough, otherwise we wouldn’t be suffering breaches right? They think private interests aren’t buying the optimal amount of security because of “perverse economic incentives”, i.e. the security they buy benefits others more than it benefits themselves. But from the point of view of the individual actors in the economy, they are already buying the ideal amount security that the market can offer them, given the means they have available and the other options they have for using those means.
A rational approach to the problem looks at the situation from the point of view of the private actors in the market devoid of any personal preference. Each actor uses means (time, money, labor, producer goods) to produce ends (consumer goods or producer goods that later become consumer goods). Every action taken in the economy is aimed at improving the condition and enjoyment of some consumer somewhere. An individual (or company) might perceive a threat of invasion or damage to property. He will determine, to the best of his ability, if he has the means to mitigate the threat or reduce the chances that the threat occurs by buying some form of security. He will buy the security inasmuch as he values the security and the comfort and advantage it gives him. When making this decision whether or not to buy the security he also considers the other uses of his means. His final decision reveals how he values the respective ends. Would he rather use the means to buy or produce more widgets or buy security? We can’t know ahead of time what he would rather do with his means, we can only look at his actions to determine what he values.
Those who value security more than that actor can’t understand why he wouldn’t buy more, blame this on the “public goods” assertion and “perverse economic incentives” and call for government to force the actor to buy more security. Any such security regulation can only reduce the amount of wealth and comfort the economy produces because it is foisting one man’s values upon another - “for the public good”.
The paper pointed out that the cybersecurity market is young, small and growing. I’m sure it will do fine on its own. Let’s just keep government out of it.
This is cross posted from jonsnetwork.com