
Incentives Are Not Enough For Cybersecurity

May 8, 2013

This is derived from an assignment for my Cybersecurity in Critical Infrastructure Protection course.

Regulation is critical for ensuring that our critical infrastructure is protected from cyber threats. In a market-based system, security is an externality that private companies have no obligation to pay for unless forced to by regulation. Although some companies are compelled by patriotic duty to invest in cybersecurity, this is not a reliable mechanism for ensuring that we meet our goals for national security. Even with the potential economic losses from cybersecurity breaches, there is no way to ensure compliance across the board with a voluntary framework. There will always be a company trying to undercut its competitors by avoiding the costs of security. Given the interconnected nature of critical infrastructure (e.g., the financial, energy, and water sectors), a breach at one company could have broader physical and psychological impacts. It is in both the private and the national interest to institute regulations rather than a voluntary framework. This will ensure that national security goals are met and that no company is put at risk by another company. The loss of critical infrastructure services, even temporarily, could have ripple effects through the economy, which ultimately hurts all businesses, regardless of their attention to cybersecurity issues.

At the very least, regulators need to institute strong incentives to encourage adoption of a voluntary framework. Successful incentives should have financial and psychological elements. Financial elements could include tax breaks for companies that achieve specific levels of compliance or the ability to write off security expenditures. These types of incentives aim to reduce the costs associated with increasing security so that companies are not disincentivized from investing. Fining companies that fail to invest in security can create a perverse incentive if companies are not always caught and the fines are less than the cost of investment (Farahmand et al., 2013). More psychological elements may include, for example, publishing a list of companies that achieve compliance with the voluntary framework, to create a norm for security practices. However, this may raise security concerns, since companies that do not appear on the list would be known to be more vulnerable. In addition, companies that participate in the voluntary framework could be eligible for specific privileges, for example a dinner with the President. This could serve to emphasize that cybersecurity is a national issue and reward companies that invest in a social, rather than financial, way.

Beyond incentives, the accountability literature indicates that it is important to focus on processes rather than outcomes, because this increases the accuracy of judgments and decreases commitment to potentially poor decisions (Lerner and Tetlock, 2004). As a result, companies should meet compliance by having good processes rather than by being lucky enough not to be the victim of an attack. However, methods like accountability only work when performance can be improved by increasing attention. If there is not enough information, or if more training is needed to improve decisions, accountability does not improve decision-making (Lerner and Tetlock, 2004). Nevertheless, there are many aspects of cybersecurity that could benefit from just an increase in attention.


Farahmand, F., Atallah, M. M. J., & Spafford, E. H. (2013). Incentive Alignment and Risk Perception: An Information Security Application. IEEE Transactions on Engineering Management, 60(2), 238–246.

Lerner, J. S., & Tetlock, P. E. (2004). Accounting for the Effects of Accountability. Psychological Bulletin, 125(2), 255–275.
