Cyberattacks on Critical Infrastructure: an Economic Perspective
The aim of this article is to analyze the economic aspects of cybersecurity of critical infrastructure, defined as physical or virtual systems and assets that are vital to a country's functioning and whose incapacitation or destruction would have a debilitating impact on national, economic, military and public security. The functioning of modern states, firms and individuals increasingly relies on digital or cyber technologies, and this trend has also materialized in various facets of critical infrastructure. Critical infrastructure presents a new cybersecurity area of attacks and threats that requires the attention of regulators and service providers. Deploying critical infrastructure systems without suitable cybersecurity might make them vulnerable to intrinsic failures or malicious attacks and result in serious negative consequences. In this article a fuller view of costs and losses associated with cyberattacks, one that includes both private and external (social) costs, is proposed. An application of cost-benefit analysis, or the Return on Security Investment (ROSI) indicator, is presented to evaluate the worthiness of cybersecurity efforts and analyze the costs associated with some major cyberattacks in recent years. The "Identify, Protect, Detect, Respond and Recover" (IPDRR) framework for organizing cybersecurity efforts is also proposed, as well as an illustration of how blockchain technology could be utilized to improve security and efficiency within a critical infrastructure. (original abstract)