Economics of Cybersecurity
Many cyber security failures in systems and organisations can only be explained and appropriately addressed by examining the problem not only from the technical point of view but also through a deep societal, institutional and economic analysis.
Moreover, current structures at institutional level (national and international), as well as incentive frameworks (financial or regulatory, positive or negative), do not seem able to provide adequate coverage of threats.
With a multidisciplinary approach combining economic, behavioural, societal and engineering insights with measurement approaches and methodologies, and drawing on methods from microeconomics, econometrics, qualitative social sciences, behavioural sciences, decision making, risk management and experimental economics, proposals are expected to cover one of the following two strands:
- Cybersecurity cost-benefit framework:
  - Security and privacy cost models, including the pricing of digital assets, modelling and methods for estimating the costs of intangible risks (reputation, non-critical service disruption…) and relevant metrics and indicators;
    - The proposals should study and take into consideration relevant market sector specificities, and validate their models with relevant actors from these sectors.
  - Optimal investment in information security, risk management and cyber security insurance;
- Incentives and business models:
  - Identifying the incentives and striking the right balance between cooperative and regulatory approaches to information sharing regarding incidents and vulnerabilities;
  - Consider behavioural aspects of security and privacy;
  - Investigate the opportunities and risks of information security markets (e.g. bug bounties, vulnerability discovery & disclosure);
  - Develop revenue models for criminal activity and the deployment of cost-effective security measures as a necessary disincentive for attacks and cyber-criminal activity.
For both strands, proposals should also investigate improvements and/or alternatives to current institutional and governance frameworks (market-driven as well as national and international regulatory) with a view to improving cybersecurity.
Based on their results, proposals should provide a set of recommendations addressed to all relevant stakeholders, including policy makers, regulators, law enforcement agencies (where applicable) as well as relevant market operators and insurance companies.
The Commission considers that proposals requesting a contribution from the EU between EUR 1 and 2 million would allow these areas to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
- Improved societal understanding of information security failures and how they should be addressed.
- Improved risk-based information security investment.
- Increased societal resilience to cyber security risks through more efficient and effective institutional and incentives structures.
- Progress beyond the state of the art in information security economics models.