Role of economic policies in the security of critical infrastructures
Barreto Suarez, Carlos Alfredo
MetadataShow full item record
In the last few years we have witnessed the development of sophisticated attacks that target critical infrastructures. Such attacks can cause catastrophic damage; for instance, attacks on the electricity system can impact a variety of industrial, commercial, and residential customers. Protecting critical infrastructures remains a challenge, because the cyber threats evolve in time and these systems have both correlated risks and information asymmetries. Moreover, many security problems arise due to improper economic incentives, rather than technical difficulties. In this research we investigate how economic policies affect the security of critical infrastructures. First, we illustrate the importance of economic incentives showing how policies designed to protect systems have the opposite effect. In particular, we analyze how a company exploited ﬂaws in contractual policies (asymmetric information) to proﬁt by sponsoring attacks. We also show how to redesign the policies to prevent these situations. Second, we analyze attacks that leverage the market’s infrastructure to manipulate the demand of users. We ﬁnd that an attacker with enough inﬂuence can either increase his proﬁt (protecting his anonymity) or cause blackouts. The attacker can succeed in markets with both centralized and distributed structures; however, attacks on distributed systems produce less proﬁt, but also make it more difficult to detect and penalize attacks. Third, we investigate the optimal allocation of resources to protect systems against cyber threats that evolve in time. We model the evolution of threats with a Markov process and contemplate three protection schemes: prevention (e.g., secure code development), detection (intrusion detection systems), and risk transfer (e.g., cyber insurance). We ﬁnd that uncertain-ties in the system’s state make insurance more attractive as a risk management tool, but still, the defenders need incentives to purchase cyber insurance. Moreover, insurance can improve the investment in either prevention or detection, however, policies with indemnity subsidies and unlimited coverage can introduce perverse incentives that degrade the investments in security.