Abstract
What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.
Original language | English |
---|---|
Pages (from-to) | 52-60 |
Number of pages | 9 |
Journal | IEEE Security and Privacy |
Volume | 14 |
Issue number | 3 |
DOIs | |
Publication status | Published - 25 May 2016 |
Bibliographical note
ACKNOWLEDGMENTThe EU's 7th Framework Programme under grant agreement 285223 (www.seconomics.org) partially funded this work.
We thank the anonymous reviewers for their useful commentsand all the participants in the stakeholder validation meetings for their commitment and insight.
Keywords
- security
- cybersecurity
- regulations
- economics
- grid
- infrastructure
- privacy
Fingerprint
Dive into the research topics of 'Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers'. Together they form a unique fingerprint.Profiles
-
Matthew Collinson
- School of Natural & Computing Sciences, Computing Science - Senior Lecturer
- Cybersecurity and Privacy
Person: Academic