Abstract for: The Economics of Cybersecurity: Boomerang Effects from Misaligned Incentives

Externalities, such as misaligned incentives that shift the costs of bad information security onto third parties, are tough barriers to overcome. A number of regulatory options have been proposed. However, the claim that misaligned incentives have their impact on third parties is not the whole truth. Security systems are complex not only in the sense of being composed of many interdependent parts. The most challenging part of their complexity resides in the propagation of effects, which results in highly unexpected, counterintuitive dynamic behaviour. In particular, unintended side effects can act as boomerangs that impact hardest on the owner of the security defences who intends to push the costs of bad security to third parties. Using system archetypes and concept models, we explain how misaligned incentives in the security of ATM systems acted against the banks that imposed the burden of proof for fraud claims on their customers. We argue that an analysis of unintended side effects arising from the misalignment of incentives is likely to benefit both the agents responsible for information security and third parties.