Security Economics

An injurer (company) first balances expected cost of harm with the cost of prevention.

This morning at the Workshop on the Economics of Information Security (WEIS) was devoted to privacy. This is an area that was not historically important in ICS, but privacy is a major topic in smart grid applications that can closely track consumer behavior.

I tried to map the effective economic incentives to invest in security measures that improve privacy onto the smart grid case. The implications are grim if you believe smart grid privacy is important (note that the last part of this sentence is not a throwaway line: ask users if they care and the answer is yes, but do they care enough to modify their behavior, and can they modify it when the utility is a monopoly?).

The most pertinent paper was Empirical Analysis of Data Breach Litigation by Romanosky, Hoffman and Acquisti. The authors looked at US data breaches and federal litigation. Only 4% of the data breaches were litigated federally and about half of those were dismissed. The fact that many involved statutory violations had little impact on whether a case was litigated or dismissed.

The most important factor in litigation was actual harm: the loss of money, or the cost of correcting a potential future loss. It will be much more difficult to show actual harm if your energy usage data is compromised. Even if you are robbed and believe the burglar determined your schedule from compromised smart grid data, rather than by physical observation or a deployed camera, are you going to successfully sue the electric utility?

The data breach litigation was almost all class action suits representing tens or hundreds of thousands of affected users. There will not be that many users able to show actual harm from a breach of smart grid consumer usage data.

Gaynor, Hydari and Telang had a paper, Is Patient Data Better Protected in Competitive Healthcare Market, in which their hypothesis turned out to be incorrect. They believed going into the research that hospitals in competitive markets would have fewer data breaches. The data showed that hospitals in competitive markets had 5% more data breaches than hospitals that were essentially monopolies for an area.

The researchers now hypothesize that hospitals in competitive markets allocate resources to what patients care about, namely items related more directly to patient care. They found that items like a residency program or teaching hospital status, items that would make patients rate a hospital's care higher, were more likely in a competitive market. On second thought this is not surprising.

There was a panel to finish the morning. The panel talked for over an hour and barely touched on economics, that is, why a company would spend money on privacy. Rather, the focus was on privacy being a human right that can't be taken away or waived. The financial reason a company would implement privacy would then be driven by government mandate rather than consumer demand.

Image by Christian Haugen