The Economics of Malware

33 Pages Posted: 13 Jul 2012

See all articles by Michel van Eeten

Michel van Eeten

Delft University of Technology

Johannes M. Bauer

Michigan State University-Department of Media and Information

John Groenewegen

Delft University of Technology - Faculty of Technology, Policy and Management

Wolter Lemstra

Nyenrode Business University; Delft University of Technology - Faculty of Technology, Policy and Management

Date Written: August 15, 2007

Abstract

In many cases, an economic perspective on cybersecurity – and malware in particular – provides us with more powerful analysis and a fruitful starting point for new governmental policies: incentive structures and market externalities. This report sets out to develop this perspective, building on the innovative research efforts of the past six years. More work is needed, however. As we will see, most of the research so far has been based on the methods of neoclassical and new institutional economics. While powerful, these methods are based on rather stringent assumptions about how actors behave – such as their rationality, their security tradeoffs and the kind of information they have – and how they interact with their institutional environment. We discuss the implications of these neoclassical and new institutional approaches in more detail in the next chapter. For now, we briefly key mention three limitations: (1) they provide limited insight into how actors actually perceive the cost, benefits and incentives they face; (2) they have difficulties taking into account dynamic and learning effects, such as how a loss of reputation changes the incentives an actor experiences; and (3) they treat issues of institutional design as somewhat trivial. That is to say, the literature assumes that its models can indicate what market design is optimal, that this design brought into existence at will and that actors will behave as the model predicts. If the past decade of economic reforms – such as privatization, liberalization and deregulation – have taught us anything, it is that designing markets is highly complicated and sensitive to context. It cannot be based on formal theoretical models alone. Institutional design requires an in-depth empirical understanding of current institutional structures.

To provide the basis for new policies, we propose to complement the state-of-the-art understanding of the economics of malware with qualitative field research that provides empirical evidence on the way in which actors actually make security tradeoffs, how they perceive their institutional environment, the incentives they face and how these have changed, as well as the externalities that arise from these incentive structures.

Suggested Citation

van Eeten, Michel and Bauer, Johannes M. and Groenewegen, John and Lemstra, Wolter, The Economics of Malware (August 15, 2007). TPRC 2007. Available at SSRN: https://ssrn.com/abstract=2103773

Michel Van Eeten (Contact Author)

Delft University of Technology ( email )

PO Box 5015
Delft, 2600GA
Netherlands

Johannes M. Bauer

Michigan State University-Department of Media and Information ( email )

409 Communication Arts Building
East Lansing, MI 48824-1212
United States
517-355-8372 (Phone)
517-355-1292 (Fax)

HOME PAGE: http://www.msu.edu/~bauerj

John Groenewegen

Delft University of Technology - Faculty of Technology, Policy and Management ( email )

P.O. Box 5015
2600 GB Delft
Netherlands

Wolter Lemstra

Nyenrode Business University ( email )

Straatweg 25
Breukelen, NL-3621BG
Netherlands

Delft University of Technology - Faculty of Technology, Policy and Management

P.O. Box 5015
2600 GB Delft
Netherlands

Register to save articles to
your library

Register

Paper statistics

Downloads
203
Abstract Views
1,007
rank
147,225
PlumX Metrics