Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers

Massacci, F.; Ruprai, R.; Collinson, M.; Williams, J.

Authors

F. Massacci

R. Ruprai

M. Collinson



Abstract

What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

Citation

Massacci, F., Ruprai, R., Collinson, M., & Williams, J. (2016). Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers. IEEE Security and Privacy, 14(3), 52-60. https://doi.org/10.1109/msp.2016.48

Journal Article Type: Article
Acceptance Date: Jun 10, 2015
Online Publication Date: May 25, 2016
Publication Date: May 25, 2016
Deposit Date: Jun 30, 2015
Publicly Available Date: Mar 29, 2024
Journal: IEEE Security and Privacy
Print ISSN: 1540-7993
Publisher: Institute of Electrical and Electronics Engineers
Peer Reviewed: Peer Reviewed
Volume: 14
Issue: 3
Pages: 52-60
DOI: https://doi.org/10.1109/msp.2016.48
Public URL: https://durham-repository.worktribe.com/output/1435245

Files

Accepted Journal Article (717 Kb)
PDF

Copyright Statement
© 2015 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.




