Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers
Authors
Massacci, F.; Ruprai, R.; Collinson, M.; Williams, J.
Abstract
What's the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.
Citation
Massacci, F., Ruprai, R., Collinson, M., & Williams, J. (2016). Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers. IEEE Security and Privacy, 14(3), 52-60. https://doi.org/10.1109/msp.2016.48
Journal Article Type | Article |
---|---|
Acceptance Date | Jun 10, 2015 |
Online Publication Date | May 25, 2016 |
Publication Date | May 25, 2016 |
Deposit Date | Jun 30, 2015 |
Publicly Available Date | Jul 8, 2015 |
Journal | IEEE Security and Privacy |
Print ISSN | 1540-7993 |
Electronic ISSN | 1558-4046 |
Publisher | Institute of Electrical and Electronics Engineers |
Peer Reviewed | Peer Reviewed |
Volume | 14 |
Issue | 3 |
Pages | 52-60 |
DOI | https://doi.org/10.1109/msp.2016.48 |
Public URL | https://durham-repository.worktribe.com/output/1435245 |
Files
Accepted Journal Article (PDF, 717 Kb)
Copyright Statement
© 2015 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.