In economics, the pertinent concept here is that of social costs. Simply put, social economic costs are those incurred by society as a whole resulting from the actions of some segments of the economy. For example, if a company discharges toxic waste into a river, it transfers costs, at no cost to itself other than for the operation itself, to other members of society, such as the health costs incurred by those poisoned by the waste. Similarly for a company or motor vehicles emitting pollutants into the atmosphere. One way in which a company or individuals will be motivated to clean up the consequences of their actions is if they are charged in some way for the social costs that they are forcing on others.
So it is with cyber security. If we are to address the issues raised by Meyerrose and Coviello, we need to either have government mandate security standards, in contravention of the president’s words, or introduce economic inducements so that companies will act in the public interest. I have seen the results of “moral suasion” on implementing cyber security, and it doesn’t work. Shoring up the security of all the sectors that are part of and/or are dependent on the critical infrastructure, which is all of them, is too important to leave to the whims of corporate executives (or politicians, for that matter). Some form of incentive, whether a carrot or a stick, must be brought to the issue of having private companies take on greater responsibility for protecting the critical cyber infrastructure. And such motivators need to be carefully crafted so as not to lead to unintended consequences, as so often happens.
Popularity: 4%
