What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers / Massacci, Fabio; Ruprai, R.; Collinson, M.; Williams, J. - In: IEEE SECURITY & PRIVACY. - ISSN 1540-7993. - Print. - 14:3(2016), pp. 52-60. [10.1109/MSP.2016.48]

Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers

Massacci, Fabio;
2016-01-01

Year: 2016
Issue: 3
Authors: Massacci, Fabio; Ruprai, R.; Collinson, M.; Williams, J.
Files in this record:
ieee-s_p_magazine-2015-massacci.pdf

Open access

Description: Main article
Type: Refereed author's manuscript (post-print)
Licence: All rights reserved
Size: 1.02 MB
Format: Adobe PDF
07478546.pdf

Archive administrators only

Type: Publisher's version (publisher's layout)
Licence: All rights reserved
Size: 379.91 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved unless otherwise stated.

Use this identifier to cite or link to this record: https://hdl.handle.net/11572/169304
Citations
  • Scopus: 9
  • ISI Web of Science: 5