Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers

Fabio Massacci; Raminder Ruprai; Matthew Collinson; Julian Williams

doi:10.1109/MSP.2016.48

Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers

Fabio Massacci, Raminder Ruprai, Matthew Collinson, Julian Williams

Computing Science

Research output: Contribution to journal › Article › peer-review

9 Citations (Scopus)

95 Downloads (Pure)

Abstract

What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

Original language	English
Pages (from-to)	52-60
Number of pages	9
Journal	IEEE Security and Privacy
Volume	14
Issue number	3
DOIs	https://doi.org/10.1109/MSP.2016.48
Publication status	Published - 25 May 2016

Bibliographical note

ACKNOWLEDGMENT
The EU's 7th Framework Programme under grant agreement 285223 (www.seconomics.org) partially funded this work.

We thank the anonymous reviewers for their useful commentsand all the participants in the stakeholder validation meetings for their commitment and insight.

Keywords

security
cybersecurity
regulations
economics
grid
infrastructure
privacy

Access to Document

10.1109/MSP.2016.48Licence: Unspecified

Accepted Manuscript
(c) 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works
Accepted author manuscript, 837 KBLicence: Unspecified

Matthew Collinson
- School of Natural & Computing Sciences, Computing Science - Senior Lecturer
- Cybersecurity and Privacy
Person: Academic

Cite this

@article{5876749479b841a7b6b730ede4813908,

title = "Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers",

abstract = "What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.",

keywords = "security, cybersecurity, regulations, economics, grid, infrastructure, privacy",

author = "Fabio Massacci and Raminder Ruprai and Matthew Collinson and Julian Williams",

note = "ACKNOWLEDGMENT The EU's 7th Framework Programme under grant agreement 285223 (www.seconomics.org) partially funded this work. We thank the anonymous reviewers for their useful commentsand all the participants in the stakeholder validation meetings for their commitment and insight.",

year = "2016",

month = may,

day = "25",

doi = "10.1109/MSP.2016.48",

language = "English",

volume = "14",

pages = "52--60",

journal = "IEEE Security and Privacy",

number = "3",

}

TY - JOUR

T1 - Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers

AU - Massacci, Fabio

AU - Ruprai, Raminder

AU - Collinson, Matthew

AU - Williams, Julian

N1 - ACKNOWLEDGMENT The EU's 7th Framework Programme under grant agreement 285223 (www.seconomics.org) partially funded this work. We thank the anonymous reviewers for their useful commentsand all the participants in the stakeholder validation meetings for their commitment and insight.

PY - 2016/5/25

Y1 - 2016/5/25

N2 - What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

AB - What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

KW - security

KW - cybersecurity

KW - regulations

KW - economics

KW - grid

KW - infrastructure

KW - privacy

U2 - 10.1109/MSP.2016.48

DO - 10.1109/MSP.2016.48

M3 - Article

VL - 14

SP - 52

EP - 60

JO - IEEE Security and Privacy

JF - IEEE Security and Privacy

IS - 3

ER -

Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers

Abstract

Bibliographical note

Keywords

Access to Document

Fingerprint

Profiles

Matthew Collinson

Cite this