An Overview of the Economics of Cybersecurity and Cybersecurity Policy
Joseph J. Cordes
Professor of Economics, Public Policy and Public Administration, and International Affairs
Trachtenberg School of Public Policy and Public Administration and Dept. of Economics
The George Washington University
Report GW-CSPRI-2011-6
June 1, 2011
Abstract
The design of effective policies to enhance and maintain cyber security must take into account a
complex set of incentives facing not only the providers and users of the internet and computer
software, but also potential attackers. Measures undertaken to defend against attacks
must take into account that, like other forms of criminal and terrorist activity, the attackers are
not passive agents (unlike nature in the case of natural hazards), and the design of effective
policies must recognize, to the extent possible, that the defensive measures will elicit strategic
responses from the attacker. There are also potentially serious incentive issues arising from
classical externality and public good problems that encourage underinvestment in
cyber security by private parties (e.g., businesses and software developers). Lastly, reducing the
probability of cyber attacks and/or the consequences of cyber attacks is not costless. In principle,
well-designed policies should balance benefits from defensive measures against their costs
(which include important concerns about privacy). The paper examines how these questions can
be addressed using fairly standard principles and tools from economic policy analysis, as well as
potential policy research questions.
Work supported by the Office of the Vice President for Academic Affairs and the
School of Engineering and Applied Science of The George Washington University