The Strategy Bridge

View Original

Applying Behavioral Economics to Improve Cyberspace Strategy

Earlier this year, The Strategy Bridge asked civilian and military students around the world to participate in our seventh annual student writing contest on the subject of strategy.

Now, we are pleased to present the Second Place winner from Nia Carty-McDonald, a recent graduate of the Eisenhower School for National Security and Resource Strategy under National Defense University.


The Economics of Information and Cybersecurity—Threat Landscape

Microeconomic theories provide insights into how individuals and organizations behave in cyberspace, illuminating potential strategies for government intervention to mitigate threats to the national security of the United States. Failure to address the economic aspects of cybersecurity will undermine the integrity of critical infrastructure, erode public trust, and impede economic growth, ultimately leading to political and social instability. U.S. policymakers still grapple with recognizing and understanding cybersecurity's most corrosive challenges when combatting economically motivated cybercriminals: information asymmetries and misaligned incentives.

This understanding, combined with existing policy options that bolster cyber literacy and information sharing, is crucial to improving cybersecurity. Similarly, new laws and regulations that call for mandatory disclosure and innovative approaches to web accessibility must also distribute responsibilities and liabilities to incentivize those in positions to combat these economic barriers and lessen the growing vulnerability. Recognizing the impact of these economic market failures is crucial to establish sensible laws that strengthen the relationship between the public and private sectors.

Private-Public Divide: The Role of Government

The clear division between public and private responsibilities highlights the argument that advocates of cybersecurity legislation have made for years. That is—private network owners do not entirely assume cyber risks. Specifically, a loss stemming from a cyber-attack against a healthcare network, for example, will affect the network owner and numerous consumers. In economics jargon, this is an externality—a cost not considered because others internalize it. As a result, proponents of cybersecurity regulation assert that private network owners are reluctant to spend the appropriate amount on security proportionate to the risk. That creates a market failure, and research suggests that only government regulation can ensure society gets the optimal amount of cybersecurity.[1]

A Colonial facility in 2016. (Luke Sharrett/Getty)

Recent incidents such as the Equifax data breach, the SolarWinds hack, and the Colonial Pipeline ransomware attack have illustrated the consequences of inadequate information and cybersecurity measures. This highlights market failures as systems frequently fail because the organizations defending them do not bear the full effects of loss. The economic barriers—information asymmetries and misaligned incentives—suggest that government intervention is necessary to strengthen domestic and global cybersecurity. Furthermore, the standard view is that cybersecurity depends on technical solutions such as better firewalls, encryption, or malicious code detection software. However, it is challenging to understand cybersecurity problems without understanding the applied economics of those involved, both on the side of the defenders and the attackers.

A similar debate on cybersecurity as a public good indicates that governments provide or regulate public goods to avoid market failures. Ineffective cybersecurity measures pose significant risks to information societies' development, stability, and overall public good worldwide. The 2021 “Global Risks Report” published by the World Economic Forum categorized cybersecurity failures as clear and present dangers.[2] With increased dependencies on critical infrastructures and a rise in concerns about the consequences of potential cyber-physical incidents, governments and super-national organizations like the European Union (EU) are concerned with the possible failure of the private sector in delivering an acceptable level of security in the society without governmental intervention.[3] This concept dilemma led to proposals suggesting that cybersecurity should be treated as a public good. The alternative outcome is externalities where society ends up with less security investment from the defenders and more harm emanating from the attackers than would be socially optimal. Critical infrastructure industries are characterized by many different externalities, where the actions of individual organizations have side effects on others.

Cybersecurity, as a public good, intends to reaffirm a collective responsibility to improve cybersecurity and manage cyber-insecurity. However, the classic understanding of a public good based on its common taxonomy has been debated and modified. Paul Samuelson’s definition of types of economic goods has been the foundation of most discussions on cybersecurity as a public good, that a public good is non-excludable and non-rivalrous when consumed.[4]

Security systems such as anti-virus software, intrusion detection systems, and network firewalls are private goods. However, aspects of cybersecurity, such as threat intelligence, vulnerability sharing, and critical infrastructure protection, have the characteristics of public goods.[5] The data suggests that managing cybersecurity as a public good brings the advantages of systemic approaches to security, shared responsibilities among different stakeholders, and collaboration. Hence, public-private partnerships are crucial to overcoming the concerns of treating cybersecurity as a public good.

Cybersecurity Practitioners’ PerspectiveS

According to an “Economics in Cybersecurity” op-ed by Kelly Douglas, a Senior Principal Consultant at Johns Hopkins University, businesses incur up to $500 billion annually from cyberattacks.[6] In 2020, the cybersecurity market grew to $177 billion and is forecasted to surpass $9 trillion after that.[7] In response, the U.S. government continues to invest billions of dollars in cybersecurity. Still, it needs to settle the debate that is currently being carried out in congressional hearings and executive boardrooms regarding how much cybersecurity investment is enough. The question remains to be answered as to why there is an exponential increase in cyberattacks despite massive investments by companies and government institutions to combat cyber threats. Douglas’ research implies, “Marginal return on security from investments is initially substantial. However, as threat sophistication increases, the marginal return on investments is low or even negative.”[8] This perspective supports my research by highlighting the inefficiency of cybersecurity markets. Specifically, cybercriminals see gains over the costs of breaking in, stealing information or money, or being able to exploit the system whenever possible. Cyber-defenders primarily see gains over security costs when they have to fully internalize a failure.

Dr. Tyler Moore, an Associate Professor of Cyber Security and Information Assurance at the University of Tulsa, draws a similar perspective that economics often better explains cybersecurity failures than technology alone.[9] Moore’s recent talk at the “Cybersecurity Speaker Series” supports my research as it explores information security and how misaligned incentives and similar economic theories result in increased cyber vulnerabilities despite spending record amounts on countermeasures.[10] Particularly, the balance between social and private benefits and costs should be factored into cybersecurity to achieve maximum social welfare.[11] One example of misaligned incentives in this context is an electric company that upgrades its operational infrastructure for efficiency gains, increasing the number of vulnerabilities and causing society to suffer from more outages.

On the other hand, Isabella Corradini, the author of Redefining the Approach to Cybersecurity, argues that technology is a panacea for cyber-insecurity when human beings have complete control instead of automation. Corradini’s perspective suggests that technological solutions are still the preferred approach to cybersecurity.[12] However, research reveals that consumers should be judicious when technology is presented as a fix-all solution for cybersecurity problems.

For instance, one of the most prominent threats in cybersecurity is social engineering attacks.[13] While such issues are common, they have proven difficult to resolve effectively because they are primarily related to innate human behavior. Attacks like social engineering combine elements from human to social to physical and technological, making strictly technical solutions inadequate.[14] From a psychological point of view, social engineering is a means of gaining information by exploiting individuals’ weaknesses.[15] Specifically, in cybersecurity, social engineering is defined as a tactic that uses persuasive communication to gain people’s confidence and influence their behavior to disclose sensitive information or do something dangerous.[16] This demonstrates the high complexity of mitigating this type of threat strictly with technology.

Furthermore, experts affirm that Artificial Intelligence (AI) will be an opportunity to secure cyberspace.[17] Whether this conviction is accurate or not, it is evident that AI also has the power to exacerbate existing threats and generate new ones. Alternatively, a more viable solution is a cybersecurity strategy that employs technological capabilities with a multidisciplinary vision that considers the economic barriers to cybersecurity outlined in the following sections.

Information Asymmetries

“The cybercriminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools,” said Candace Worley, VP for Intel Security.[18] Unlike other industries, the cybersecurity sector lacks data for making informed financial investment decisions. This is in part due to the unknown actual cost of cybercrime. According to some estimates, cybercriminals make $1 trillion annually, or 7 percent of the U.S. GDP.[19] A cursory analysis of data on past cybersecurity breaches reveals that the lack of information symmetry between cyber attackers and defenders means the latter are disadvantaged. Cyber attackers have access to a vast array of information and resources, which they can use to exploit vulnerabilities in systems and networks.

In contrast, defenders need more information, making identifying and addressing potential security threats easier. The evidence suggests increased motivation to underreport occurrences in business and government agencies. Institutions forgo disclosing how much money they lose to online fraud.[20] Businesses are hesitant to disclose cyber-espionage incidents because of reputational damage and adverse effect on stock price; banks are reluctant to admit fraud losses out of concern that it will deter customers from online banking platforms; operators of critical infrastructures refuse to disclose information on outages brought on by malicious attack out of concern that it will bring attention to systemic vulnerabilities. Information asymmetries exist when these unreliable pieces of information are combined to inform decisions. Therefore, public policies must consider forms of protection for cyber-defenders who disclose intrusions and losses. 

For example, the Yahoo data breaches in 2013 and 2014 affected over a billion user accounts.[21] This led to a reduction in the company's stock price and ultimately resulted in a discount of $350 million in Verizon's purchase of Yahoo's internet business.[22] Similarly, the Equifax breach in 2017 exposed millions of customers’ personal information. Equifax's stock price fell by approximately 30 percent in the weeks after the breach was made public.[23] These examples illustrate that cybersecurity breaches can have significant financial and reputational consequences for firms. In some instances, companies that fall victim to cybersecurity breaches amplified by information asymmetries bear the brunt of these costs. This dynamic creates a disincentive for firms to invest in cybersecurity, leading to a market failure. The costs of cybersecurity breaches are not reflected in the market price of cybersecurity services. Companies and governments must work together to address this problem through better information sharing and cooperation between cybersecurity stakeholders.

Economic Barrier—Misaligned Incentives

Like the previous economic theory, misaligned incentives in cybersecurity refer to instances where different actors—such as customers, providers, and regulators—have different goals, motivations, and interests that also lead to market failure. This misalignment is evident in the relationship between public and private organizations, which typically have divergent goals. Specifically, personal and social risks are misallocated when companies are motivated to protect their assets but fail to incur the costs of successful cyber-attacks.[24] This misallocation of risk possesses severe national security implications, as it can compromise critical infrastructure where the costs of effective cyber-attacks are borne by society rather than the individual target companies. This can be particularly problematic in the case of state-sponsored cyber-attacks, where the government may bear the costs.

Hence, incentives are misaligned between those responsible and those who benefit.[25] According to one executive at the Google Cloud Services office in Palo Alto, CA, this concept applies to most firms. They all operate to maximize or make profits but have no standard incentive to control their operations.[26] The market failure is further amplified by natural tension between efficiency and resiliency in information technology system designs. This is best exemplified by the strong push over the past decade toward network convergence, an open network of networks, or the Internet of Things (IoT). This construct is not without risk, namely when considering critical infrastructure.

A cursory analysis of 16 critical sectors indicates that these systems have become vastly interconnected or dependent on one another; therefore, the disruption of or attack on one may have spillover effects in other sectors degrading the operation of another system and potentially having a cascading effect. In past decades, critical infrastructure systems operated on distinct networks with incompatible protocols and equipment.[27] Different networks managed the phone system, electrical grids, and other servers. However, employing experts that run the many disparate applications over a common Internet infrastructure is more cost-effective than on different networks.[28] Nonetheless, a company’s decision to reduce its operating IT costs rarely considers an increase in a long-term security vulnerability. Entities are challenged to balance short-term incentives to reduce operating costs with the long-term objective of reducing vulnerability.

According to Denise Zheng, Director of the Technology Policy Program at CSIS, “How governments and companies address their misaligned incentives will dictate the effectiveness of their cybersecurity programs.”[29] Therefore, it is vital for companies to fully incur the costs of successful cyber-attacks to ensure that social risks are not misallocated and to contribute to the overall cyber-security of society.

Policy Recommendations

Aggregate Reporting: To overcome information asymmetries, the Cybersecurity and Infrastructure Security Agency (CISA) should leverage the MITRE ATT&CK framework to identify and analyze adversary behavior to produce a real-world set of mappings that can help develop attacker profiles, conduct activity trend analyses, and be incorporated into reporting for detection, response, and mitigation purposes.

CISA is the designated hub for sharing cyber threat indicators and defensive measures between the federal and private sectors under the Cybersecurity Information Sharing Act of 2015 (CISA 2015). The Act established a portal at the Department of Homeland Security to facilitate private-public cyber-threat information sharing and certified the operability of the CISA’s Automated Information System (AIS).[30] While the Act allows information sharing regarding cyber threats and vulnerabilities through AIS, the Office of the Inspector General data indicates insufficient information sharing.[31] Specifically, the quality of information sharing between AIS participants is inadequate to identify or prevent cyber threats.[32] Undoubtedly, this lack of information exacerbates the challenge of detecting or responding to cyber threats.

A collective effort is required, beginning with a technology framework such as the MITRE ATT&CK model to address cyber threats and the challenges of effective information sharing.[33] The MITRE ATT&CK framework provides global accessibility that helps model cyber adversaries' tactics and techniques and then shows how to detect or stop them.[34] The framework recognizes that attackers are intelligent, adaptive, and persistent. These adversaries learn from every attack, whether it succeeds or fails, but defenders can learn from them as well. Utilizing this framework will provide a near real-time database for collaboration between the government, the private sector, and academia to help defenders reduce vulnerabilities, understand known behaviors, and recognize threats before adversaries. This effectively combats information asymmetries as CISA will help analysts accurately and consistently map adversary behaviors to the relevant ATT&CK techniques as part of cyber threat intelligence (CTI). This framework also encourages a cultural shift to help information sharing become a fundamental component in critical sectors.

Mandatory Disclosure: U.S. policymakers should require businesses and U.S. government agencies to disclose all cyber incidents and intrusions.

The first step in a comprehensive strategy is determining who is responsible for acting and how to assign the responsibility. Since information asymmetries and misaligned incentives are fundamental barriers to cybersecurity, implementing policies that improve information disclosure is crucial. Mandatory disclosure should be done through mechanisms like the Toxic Release Inventory (TRI) that effectively reduced the amount of toxic chemicals released into the environment through the 1986 Emergency Planning and Community Right-to-Know Act.[35] The Act forced manufacturers to disclose publicly to the EPA, which released the aggregated data called the TRI, the amount and type of toxic chemicals released into the environment.[36]

Mandatory information disclosure initiatives such as the TRI are practical examples of how disclosure shapes behavior. A similar framework is used in established breach-disclosure laws to motivate organizations to secure personal data. Specifically, in 2002, California implemented a breach notification law requiring businesses to notify affected individuals when unauthorized parties acquired personal data from their possession.[37] As a result, entities have increased awareness of the risks of losing personal data and have subsequently invested in preventative measures.[38] This demonstrates that the responsibility to disclose incidents improves the misallocation of risk that some entities currently shift to society and better aligns incentives to invest in cybersecurity.

When intrusions occur, those who detect them should be required to report to some designated body, such as an information security and analysis center (ISAC).[39] The ISAC would receive and oversee the reports and be responsible for producing public reports that create widespread dissemination. Without enactment of legislation to require such sharing from the government, history clearly shows that little such sharing will occur. Policymakers should articulate how mandatory reporting will improve security. There is little benefit to incident reports sitting in a repository. CISA should codify information with ISACs for distribution to rapidly disseminate information to thousands of critical infrastructure owners and operators. At the same time, mandatory disclosure is no panacea. Disclosure will help address the need for more information on incidents, but the slow nature of cyber-attacks on processes means that the effort could yield few reports.

The incentive for businesses to disclose rests on their belief that improved cybersecurity is necessary. It is unreasonable for companies to agree to invest in security without an accurate and consistent picture of how much is lost due to infrastructure insecurity. Additionally, entities that neglect to comply with the mandate assume full liability for remediation instead of a shared approach between the firm, government, and software developers from a preestablished remediation fund that helps subsidize incident cleanup. Therefore, the private and public sectors must collaborate to publish accurate and consistent statistics on losses now to motivate future investment.

Cyber Literacy: The U.S. Government should regulate web accessibility by requiring businesses, agencies, and individuals wanting Internet access or operating in cyberspace to obtain a license to support and encourage digital literacy.

According to the 2022 Declaration of the Future of the Internet, over the last year, the U.S. has worked with partners from all over the world—including civil society, industry, academia, and other stakeholders to reaffirm the vision of an open, accessible, global, interoperable, reliable, and secure Internet and reverse negative trends in this regard.[40] Like the EU’s General Data Protection Regulation (GDPR), digital platform governance requires a multistakeholder approach. Internet governance must shift toward public regulation. The common regulatory approach to managing digital platforms is to block access to platforms such as YouTube and Meta throughout the country or cut Internet access altogether. However, this approach has been largely ineffective due to free speech infringement and effects on the usefulness of the Internet for functional purposes (e.g., educational resources). Today, the private sector plays an increasingly important role in cyberspace. Internet Service Providers (ISP) serve as Internet gateways and are becoming de facto digital regulators.

Instead of companies like Twitter and Google being responsible for implementing content filtering, a more effective strategy is to require these entities to oversee license authentication to access specific sites based on demographics, website use, and other prescribed criteria. The licensing model binds access to cyber hygiene. Operators would be forced to obtain education/training for access and specific levels of technology upgrades in the systems. Like the security clearance model that grants access to information based on a clearance designation, an Internet license would limit access to sensitive websites, thus helping prevent malign cyber operations that prove damaging to a nation's interests.[41]

Policymakers should direct agencies to leverage the National Cybersecurity Center of Excellence (NCCoE) as one approach to execute this strategy, as the NCCoE’s focus is to improve cybersecurity education and encourage experts from industry, government, and academia to address the real-world needs of securing complex IT systems and protecting the nation’s critical infrastructure.[42] The capabilities of these Centers should be present throughout strategies established to improve society’s cyber hygiene at the lowest levels.

National Cybersecurity Center of Excellence (NIST.gov)

One notable example of success in digital literacy and improved cybersecurity is Finland's comprehensive security approach that focuses on improving the cyber skills of citizens through education, so cybersecurity becomes essential for everyone, not just industry or public organizations.[43] In this same vein, U.S. state and local governments adopting a licensing model should integrate curriculum in primary education to ensure young people have sufficient skills to operate in a digital environment, understand cyber security threats, and know how to protect themselves for their required level of access. Notably, such regulation should not counter existing laws for entities required by law or other legal mandates to make its website accessible.

Conclusion

Addressing cybersecurity through an economic lens highlights the impact of market failures—information asymmetries and misaligned incentives. Some entities fail to invest in adequate security controls because they do not incur the full costs associated with a security incident. The current public and private divide creates an environment where society shoulders most of the risk of cyber-insecurity. This necessitates government regulation to reduce these market failures and secure current and future national security interests in cyber. According to CISA, “America's cyber adversaries move with speed and stealth.”[44] To keep pace with relevance, all organizations, including those beyond critical infrastructure sectors, must be able to share information and respond to cyber risk in as close to real-time as possible.

Failure to implement these regulations increases cyber vulnerability that results from market failures and will continue to threaten national security, especially critical infrastructure. Implementing these recommendations will require changes to laws and U.S. cyber-culture, which will take time. While they will reduce cyber vulnerabilities, they are no panacea for eliminating them. However, applying an economic perspective is critical for understanding the current state of cybersecurity and actionable mechanisms that include government intervention to improve it in the future.


Zannia Carty-McDonald is a Resource Manager with numerous years of Financial Management experience across the Army and Joint Forces. She recently completed Joint Professional Military Education at the Eisenhower School of National Security and Resource Strategy at National Defense University as a Defense Senior Leadership Program Cohort 2022 participant. The views expressed are the author’s alone and do not reflect those of the U.S. Army, the Department of Defense, or the U.S. Government.


The Strategy Bridge is read, respected, and referenced across the worldwide national security community—in conversation, education, and professional and academic discourse.

Thank you for being a part of The Strategy Bridge community. Together, we can #BuildTheBridge.


Header Image: The United States Seen From Orbit, United States, 2015 (NASA).


Notes:

[1] Market Failure: A situation where the market fails to allocate resources efficiently. In other words, the market fails to produce the socially optimal level of goods and services, resulting in a misallocation of resources. This can occur due to a variety of reasons, such as the presence of externalities (where the actions of one party affect others who are not involved in the transaction), public goods (goods that are non-excludable and non-rivalrous in consumption). These market failures can lead to welfare losses and can be corrected through government intervention, such as taxes, subsidies, regulations, and public provision of goods and services.

[2] Marsh McLennan,. "The Global Risks Report 2021 16th Edition." Cologny, Switzerland: World Economic Forum, 2021.

[3] Kookyoung Han and Jin Hyuk Choi. "Implications of false alarms in dynamic games on cyber-security." Chaos, Solitons & Fractals 169, 2023: 113322.

[4] Paul A.Samuelson, "The pure theory of public expenditure." The review of economics and Statistics (1954): 387-389.

[5] Elke Krahmann. "Security: Collective good or commodity?." European journal of international relations 14, no. 3, 2008: 379-404.

[6] Douglas Kelly, “The Economics of Cybersecurity,” Academic Conferences International Limited, 2017, https://www.proquest.com/conference-papers-proceedings/economics-cybersecurity/docview/1897683119/se-2.

[7] Ibid.

[8] Ibid.

[9] University of Texas, Strauss Center for International Security and Law. "The Economics of Cybersecurity." Strausscenter.org, 8 April 2021, https://www.strausscenter.org/events/the-economics-of-cybersecurity/.

[10] Gordon E. Moore "Cramming More Components onto Integrated Circuits." Reprinted from Electronics, Volume 38, Number 8, April 19, 1965. http://static.cs.brown.edu/courses/csci1800/sources/lec27/Moore.pdf.

[11] Benjamin Powell. Is Cybersecurity a Public Good? Evidence From the Financial Services Industry, 2005. George Mason University Journal of Law, Economics, & Policy, pp. 497-511. Retrieved from http://www.benjaminwpowell.com/scholarlypublications/ journal-articles/is-cybersecurity-a-public-good.pdf.

[12] Isabella Corradini. “Redefining the Approach to Cybersecurity.” Building a Cybersecurity Culture in Organizations: How to Bridge the Gap Between People and Digital Technology vol. 284 49–62. 30 Apr. 2020, doi:10.1007/978-3-030-43999-6_3.

[13] Nic Chantler, and Roderic Broadhurst. "Social engineering and crime prevention in cyberspace." Proceedings of the Korean Institute of Criminology, 2008: 65-92.

[14] James H. Stewart Jr., "Social engineering deception susceptibility: Modification of personality traits susceptible to social engineering manipulation to acquire information through attack and exploitation." PhD diss., Colorado Technical University, 2015.

[15] Jayanth Kancherla, Motivational and Psychological Triggers in Social Engineering, April 24, 2020. https://ssrn.com/abstract=3750474 or http://dx.doi.org/10.2139/ssrn.3750474.

[16] James H. Stewart Jr., "Social engineering deception susceptibility: Modification of personality traits susceptible to social engineering manipulation to acquire information through attack and exploitation." PhD diss., Colorado Technical University, 2015

[17] Muhammad Mudassar Yamin, Mohib Ullah, Habib Ullah, and Basel Katt. "Weaponized AI for cyber attacks." Journal of Information Security and Applications 57 (2021): 102722.

[18] New Global Cybersecurity Report Reveals Misaligned Incentives, Executive Overconfidence Create Advantages for Attacker." Business Wire. February 28, 2017. https://www.businesswire.com/news/home/20170228006741/en/New-Global-Cybersecurity-Report-Reveals-Misaligned-Incentives-Executive-Overconfidence-Create-Advantages-for-Attacker.

[19] Tyler Moore. "The economics of cybersecurity: Principles and policy options." International Journal of Critical Infrastructure Protection 3, no. 3-4 (2010): 103-117.

[20] Robert McMillan, “FDIC: Hackers Took More than $120m in Three Months,” Computerworld, DG News Service, March 8, 2010, https://www.computerworld.com/article/2762543/fdic--hackers-took-more-than--120m-in-three-months.html.

[21] Nicole Perlroth, “All 3 Billion Yahoo Accounts Were Affected by 2013 Attack,” The New York Times (The New York Times, October 3, 2017), https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html.

[22] Ibid.

[23] Electronic Privacy Information Center, “Epic - Equifax Data Breach,” Electronic Privacy Information Center, https://archive.epic.org/privacy/data-breach/equifax/.

[24] Douglas Kelly. The Economics of Cybersecurity. Reading: Academic Conferences International Limited, 2017. https://www.proquest.com/conference-papers-proceedings/economics-cybersecurity/docview/1897683119/se-2.

[25] Ross Anderson and Tyler Moore. 2006, Oct 27, The Economics of Information Security, Science Magazine, Vol. 314, Issue 5799, pp. 610-613. http://science.sciencemag.org/content/314/5799/610.

[26] Security executive, Google Cloud Services, April 2023, Palo Alto, CA

[27] “The Cybersecurity of Critical Infrastructure,” Cyber.nj.gov, NJCCIC, February 18, 2021, https://www.cyber.nj.gov/alerts-advisories/the-cybersecurity-of-critical-infrastructure.

[28] Tyler Moore. "The economics of cybersecurity: Principles and policy options." International Journal of Critical Infrastructure Protection 3, no. 3-4 (2010): 103-117.

[29] “New Global Cybersecurity Report Reveals Misaligned Incentives, Executive Overconfidence Create Advantages for Attacker,” Business Wire, March 1, 2017, https://www.businesswire.com/news/home/20170228006741/en/New-Global-Cybersecurity-Report-Reveals-Misaligned-Incentives-Executive-Overconfidence-Create-Advantages-for-Attacker.

[30] Office of Inspector General, “Additional Progress Needed to Improve Information Sharing under the Cybersecurity Act of 2015,” (Homeland Security, 2021 August, 16), 1.

[31] Ibid.

[32] Ibid.

[33] “Mitre Att&ck,” MITRE, March 1, 2023, https://www.mitre.org/focus-areas/cybersecurity/mitre-attack.

[34] Ibid.

[35] Shameek Konar and Mark A. Cohen. 1997. Information as Regulation: The Effect of Community Right to Know Laws on Toxic Emissions. Journal of Environmental Economics and Management 32(1):109-124

[36] Ibid.

[37] California Civil Code §1798.82. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.82&lawCode=CIV.

[38] Deirdre K. Mulligan and Kenneth A. Bamberger. 2007. Security Breach Notification Laws: Views from Chief Security Officers. Samuelson Law, Technology & Public Policy Clinic, University of California-Berkeley School of Law. http://www.law.berkeley.edu/ files/cso_study.pdf.

[39] “National Council of ISACs,” natlcouncilofisacs, https://www.nationalisacs.org/.

[40] “A Declaration for the Future of the Internet.” U.S. Department of State. April 13, 2022. https://www.state.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet.pdf.

[41] "Global Industrial Control Systems Cybersecurity Professional." Defense Counterintelligence and Security Agency. https://www.dcsa.mil/mc/pv/mbi/gicp/.

[42] "Critical Cybersecurity Hygiene: Patching the Enterprise." National Cybersecurity Center of Excellence. Accessed April 28, 2023. https://www.nccoe.nist.gov/projects/critical-cybersecurity-hygiene-patching-enterprise.

[43] Helsinki, Finland. Eisenhower Industry Study Visit, April 2023, European Centre of Excellence for Countering Hybrid Threats

[44] "Information Sharing: A Vital Resource." Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/information-sharing-vital-resource