Role of economic policies in the security of critical infrastructures

Date

2018-05

Abstract

In the last few years we have witnessed the development of sophisticated attacks that target critical infrastructures. Such attacks can cause catastrophic damage; for instance, attacks on the electricity system can impact a variety of industrial, commercial, and residential customers. Protecting critical infrastructures remains a challenge, because the cyber threats evolve in time and these systems have both correlated risks and information asymmetries. Moreover, many security problems arise due to improper economic incentives, rather than technical difficulties. In this research we investigate how economic policies affect the security of critical infrastructures.

First, we illustrate the importance of economic incentives by showing how policies designed to protect systems have the opposite effect. In particular, we analyze how a company exploited flaws in contractual policies (asymmetric information) to profit by sponsoring attacks. We also show how to redesign the policies to prevent these situations.

Second, we analyze attacks that leverage the market’s infrastructure to manipulate the demand of users. We find that an attacker with enough influence can either increase his profit (protecting his anonymity) or cause blackouts. The attacker can succeed in markets with both centralized and distributed structures; however, attacks on distributed systems produce less profit, but also make it more difficult to detect and penalize attacks.

Third, we investigate the optimal allocation of resources to protect systems against cyber threats that evolve in time. We model the evolution of threats with a Markov process and contemplate three protection schemes: prevention (e.g., secure code development), detection (intrusion detection systems), and risk transfer (e.g., cyber insurance). We find that uncertainties in the system’s state make insurance more attractive as a risk management tool, but still, the defenders need incentives to purchase cyber insurance. Moreover, insurance can improve the investment in either prevention or detection; however, policies with indemnity subsidies and unlimited coverage can introduce perverse incentives that degrade the investments in security.

Keywords

Computer networks—Security measures, Dynamic programming, Game theory, Electric power systems—Security measures, Infrastructure (Economics), Information asymmetry

Rights

Copyright ©2018 is held by the author. Digital access to this material is made possible by the Eugene McDermott Library. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
