The Economics of Malware
33 Pages Posted: 13 Jul 2012
Date Written: August 15, 2007
In many cases, an economic perspective on cybersecurity – and malware in particular – provides us with more powerful analysis and a fruitful starting point for new governmental policies: incentive structures and market externalities. This report sets out to develop this perspective, building on the innovative research efforts of the past six years. More work is needed, however. As we will see, most of the research so far has been based on the methods of neoclassical and new institutional economics. While powerful, these methods are based on rather stringent assumptions about how actors behave – such as their rationality, their security tradeoffs and the kind of information they have – and how they interact with their institutional environment. We discuss the implications of these neoclassical and new institutional approaches in more detail in the next chapter. For now, we briefly key mention three limitations: (1) they provide limited insight into how actors actually perceive the cost, benefits and incentives they face; (2) they have difficulties taking into account dynamic and learning effects, such as how a loss of reputation changes the incentives an actor experiences; and (3) they treat issues of institutional design as somewhat trivial. That is to say, the literature assumes that its models can indicate what market design is optimal, that this design brought into existence at will and that actors will behave as the model predicts. If the past decade of economic reforms – such as privatization, liberalization and deregulation – have taught us anything, it is that designing markets is highly complicated and sensitive to context. It cannot be based on formal theoretical models alone. Institutional design requires an in-depth empirical understanding of current institutional structures.
To provide the basis for new policies, we propose to complement the state-of-the-art understanding of the economics of malware with qualitative field research that provides empirical evidence on the way in which actors actually make security tradeoffs, how they perceive their institutional environment, the incentives they face and how these have changed, as well as the externalities that arise from these incentive structures.
Suggested Citation: Suggested Citation