 Tuesday, December 09, 2008

A recent ITU study dedicated to the "Financial Aspects of Network Security: Malware and Spam" (July 2008) reviews some of the current leading thinking and research on the economics of cybersecurity. The full study can be found here.

Security flaws are often due to perverse incentives rather than the lack of suitable technical protection mechanisms. Because individuals and companies do not bear the entire costs of cyber incidents, they tend not to protect their systems in the most efficient way. If they bore all the financial consequences, they would have stronger incentives to make their networks more secure for the good of all interconnected networks. Measures to improve information security enhance trust in online activities and contribute directly and indirectly to the welfare gains associated with the use of information and communication technologies (ICTs).

However, some expenditure on security is only necessary because of relentless attacks by fraudsters and cyber-criminals that undermine and threaten trust in online transactions. Such costs are not welfare-enhancing but instead a burden on society. Two vectors through which such attacks are carried out are malware and spam. During the past two decades, the production and dissemination of malware has grown into a multibillion-dollar business. Damages created by fraudulent and criminal activities using malware and the costs of preventative measures are likely to exceed that number significantly. Malware puts the private and the public sector at risk because both increasingly rely on the value net of information services. Spam and malware have multifaceted financial implications for the costs and the revenues of participants in the ICT value chain, and the costs carried by all stakeholders across the value network of information services are affected directly and indirectly. But most of the financial flows between the legal and illegal players in the underground cybercrime economy are only partially known. The ITU study is a survey of the existing resources and data available on the economics and financial aspects of cybersecurity.

