Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers

Fabio Massacci, Raminder Ruprai, Matthew Collinson, Julian Williams

Research output: Contribution to journalArticle

4 Citations (Scopus)
4 Downloads (Pure)

Abstract

What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.
Original languageEnglish
Pages (from-to)52-60
Number of pages9
JournalIEEE Security and Privacy
Volume14
Issue number3
DOIs
Publication statusPublished - 25 May 2016

Fingerprint

Critical infrastructure
Economic impact
Rule-based
Operator
Investing
Economics
Grid
Unintended consequences
Incentives
Electricity transmission
Phase transition
Charge
Coast
Risk assessment
Public policy

Keywords

  • security
  • cybersecurity
  • regulations
  • economics
  • grid
  • infrastructure
  • privacy

Cite this

Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers. / Massacci, Fabio; Ruprai, Raminder; Collinson, Matthew; Williams, Julian.

In: IEEE Security and Privacy, Vol. 14, No. 3, 25.05.2016, p. 52-60.

Research output: Contribution to journalArticle

Massacci, F, Ruprai, R, Collinson, M & Williams, J 2016, 'Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers', IEEE Security and Privacy, vol. 14, no. 3, pp. 52-60. https://doi.org/10.1109/MSP.2016.48
Massacci F, Ruprai R, Collinson M, Williams J. Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers. IEEE Security and Privacy. 2016 May 25;14(3):52-60. https://doi.org/10.1109/MSP.2016.48
Massacci, Fabio ; Ruprai, Raminder ; Collinson, Matthew ; Williams, Julian. / Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers. In: IEEE Security and Privacy. 2016 ; Vol. 14, No. 3. pp. 52-60.
@article{5876749479b841a7b6b730ede4813908,
title = "Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers",
abstract = "What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.",
keywords = "security, cybersecurity, regulations, economics, grid, infrastructure, privacy",
author = "Fabio Massacci and Raminder Ruprai and Matthew Collinson and Julian Williams",
note = "ACKNOWLEDGMENT The EU's 7th Framework Programme under grant agreement 285223 (www.seconomics.org) partially funded this work. We thank the anonymous reviewers for their useful commentsand all the participants in the stakeholder validation meetings for their commitment and insight.",
year = "2016",
month = "5",
day = "25",
doi = "10.1109/MSP.2016.48",
language = "English",
volume = "14",
pages = "52--60",
journal = "IEEE Security and Privacy",
number = "3",

}

TY - JOUR

T1 - Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers

AU - Massacci, Fabio

AU - Ruprai, Raminder

AU - Collinson, Matthew

AU - Williams, Julian

N1 - ACKNOWLEDGMENT The EU's 7th Framework Programme under grant agreement 285223 (www.seconomics.org) partially funded this work. We thank the anonymous reviewers for their useful commentsand all the participants in the stakeholder validation meetings for their commitment and insight.

PY - 2016/5/25

Y1 - 2016/5/25

N2 - What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

AB - What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

KW - security

KW - cybersecurity

KW - regulations

KW - economics

KW - grid

KW - infrastructure

KW - privacy

U2 - 10.1109/MSP.2016.48

DO - 10.1109/MSP.2016.48

M3 - Article

VL - 14

SP - 52

EP - 60

JO - IEEE Security and Privacy

JF - IEEE Security and Privacy

IS - 3

ER -

Access to Document

  • Accepted Manuscript

    (c) 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works

    Accepted author manuscript, 837 KBLicence: Unspecified