Macro-Economic Cyber Security Models

This paper quantitatively addresses two issues concerning cyber security economics that prior efforts have not. The first involves cyber security and its effect on a company´s reputation. In this case, we focus on the levels of investment companies make related to reputation and how they implicitly reveal their views on cyber security risks. The second involves cyber security regulations. This analysis compares different strategies for choosing companies to regulate and the corresponding levels of risk reduction. This analysis can be used by companies and government policy makers to address cyber security investments decisions. A company´s reputation is fundamental to their economic future. An advertisement, or article containing a security breach, can effect their reputation. This paper assumes the rate of advertising is indicative of the value they place on their reputation; hence, this is related to the value they place on cyber security. Comparing spending practices will provide insight into the value a company places on cyber security in regard to preserving their reputation. Early results show some difference in spending among banks, as well as sharper differences between banks and retail sectors in evaluating cyber security. In addition, an expected consequence analysis is performed to compare alternative investment strategies for cyber security components focused on reputation, as measured by the likelihood of a possible cyber attack resulting in media coverage. Historical data provides the basis for results that reveal the consequences implicitly being avoided by companies as a function of their level of investment and other economic variables. The second part of our analysis involves the macroeconomic effects of cyber attacks and their relationship to government regulations. Since cyber attacks have the potential for large indirect economic effects, the need for regulation is apparent. Although cyber security regulations requiring reporting of events cur- - rently exist, most security measures are the result of private industry decision-making rather than government influence. This analysis will determine the firms that provide the most economic influence from a risk reduction viewpoint. This analysis explores alternative methods to select firms for possible regulation and compares the level of risk reduction for these choices by using input-output modeling