Enhancing the security of cyberspace is a critical issue for governments, companies and citizens globally. Our economic and social lives increasingly depend on secure ICT solutions (351 million Europeans use the Internet every day across all areas of digital society). Worldwide, the number of mobile phone users is expected to reach 5 billion by 2019 and 26 billion of devices are expected to be connected by 2020. However, there is a growing perception that such a level of interconnectedness brings opportunities but also new vulnerabilities. All these devices could be at risk of potential cyber-attacks. Statistics show that the number and the severity of cyber security incidents have increased enormously. But, it all adds up also to a significant market opportunity.

The cybersecurity@CEPS initiative will bring a multi-disciplinary policy prospective to the analysis of cybersecurity issues. Many scholars understand cyber-attacks as a problem of either criminal law or the law of armed conflict, whereas others take it as a software issue, or a business one involving reputation, trust, and insurance. Instead, it is important to understand that many firms that operate critical infrastructure tend to underinvest in cyber-defense because of problems associated with negative externalities, free riding, and public goods characterizing the cyber security market. Sharing information on data breaches is a case in point. The costs of this disclosure can be significant, while the benefits of improved disclosure – more efficacy and cost savings in security, usually are slow to arrive and benefit all firms (including competitors). The imbalance between costs (sustained by a firm) and benefits (occurring to all) generates a market failure. Therefore, it is clear that new conceptual approaches to cyber-security are required to make more incentive compatible the behavior of all players in this market.

CEPS will also approach cybersecurity as a management challenge. When it comes to cyber-attacks, the appropriate approach is: “it’s not a question of if, but a question of when”. Cyber security should not be seen as a technological problem to be delegated to technical experts but instead as an issue calling for a risk management approach shared among various units in each organization. This process should correspond to the willingness to master the risks linked to the use of information technologies and the costs generated by the protection of information systems from threats.

Cybersecurity@CEPS will promote research, conferences, collaborative efforts with the European institutions and other think tanks and universities worldwide.

Research Team: