The Economics of Cybersecurity: Boomerang Effects from Misaligned Incentives

It has been known for many years that security failures are caused at least as often by bad incentives as by bad design. However, correcting bad incentives through regulation is not easy in practice, and such correction is still lacking. In the meantime, simulation models of security systems can improve the situation by raising awareness that misaligned incentives can backfire: the long-term consequences of security failures hit back at the principal (that is, the organization responsible for providing system security). The online simulation model illustrates the point by describing and explaining the mechanisms that punished European banks when ATMs were introduced. European banks put the burden of proof on customers who asserted that ATM transactions booked on their bank accounts were fraud committed by third parties. What seemed an easy ride for European banks turned out in the long term to be a catastrophic mistake. An avalanche of fraud that exploited the poor security of the ATMs led to huge customer discontent and bad publicity. Ultimately, European banks had to compensate innocent customers and improve ATM security. Comparing this with the simulation for banks in the USA, which by law bore the burden of proof when a customer complained about a transaction, shows that European banks incurred higher costs and achieved less satisfactory security than they would have if they had assumed full responsibility for ATM security from the outset.

