The growth of cybercrime activity is a source of increasing concern worldwide. In 2016 the number of attacks across the globe reached the highest level ever recorded. The ENISA Threat Landscape 2016 characterises the year 2016 as “the efficiency of cyber-crime monetization”. Especially among industry analysts, however, there is the perception that the cybersecurity industry has experienced many years of historical under-investment. Why is this happening? Many scholars understand cyber-attacks as a problem of either criminal law or the law of armed conflict, whereas others perceive it as a software issue, or a business one involving reputation, trust and insurance.
But these explanations are not sufficient. Instead, it is important to understand that many firms tend to underinvest in cyber-security because of problems associated with negative externalities, free riding and public goods associated with the cyber security market. Sharing information on data breaches is a case in point. The costs of this disclosure can be significant, while the benefits of improved disclosure – more efficacy and cost savings in security, usually are slow to arrive and benefit all firms (including competitors). The imbalance between costs (sustained by a firm) and benefits (accruing to all participants) generates a market failure. Therefore, new conceptual approaches to cyber-security are required in order to provide incentives to all players in this market to change their behaviour.
The new cybersecurity@CEPS initiative is working in this direction to bring multi-disciplinary policy prospective to the analysis of cyber security issues. For more information on this forward-looking programme within the Regulatory Affairs unit at CEPS, see https://www.ceps.eu/content/cybersecurityceps