We use cookies to ensure that we give you the best experience on our website. By continuing to browse this repository, you give consent for essential cookies to be used. You can read more about our Privacy and Cookie Policy.

Durham Research Online
You are in:

Action, inaction, trust, and cybersecurity’s common property problem.

Elliott, K. and Massacci, F. and Williams, J. (2016) 'Action, inaction, trust, and cybersecurity’s common property problem.', IEEE security and privacy., 14 (1). pp. 82-86.


Cybersecurity tends to be viewed as a highly dynamic, continually evolving technology race between attacker and defender. However, economic theory suggests that in many cases doing "nothing" is the optimal strategy when substantial fixed adjustment costs are present. Indeed, the authors' anecdotal experience as chief information security officers indicates that uncertain costs that might be incurred by rapid adoption of security updates substantially delay the application of recommended security controls, so the industry does appear to understand this economic aspect quite well. From a policy perspective, the inherently discontinuous adjustment path taken by firms can cause difficulties in determining the most effective public policy remit and the effectiveness of any enacted policies ex post. This article summarizes this type of policy issue in relation to the contemporary cybersecurity agenda.

Item Type:Article
Full text:Publisher-imposed embargo
(AM) Accepted Manuscript
File format - PDF
Full text:(AM) Accepted Manuscript
Download PDF (Revised version)
Publisher Web site:
Publisher statement:© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Date accepted:01 January 2016
Date deposited:19 January 2016
Date of first online publication:03 February 2016
Date first made open access:No date available

Save or Share this output

Look up in GoogleScholar