SRI Logo
About Us|R and D Divisions|Careers|Newsroom|Contact Us|SRI Home
  SRI Logo

SRI International Work on Cybereconomic Incentives for the Department of Homeland Security Science and Technology Directorate Cyber Security Division
 by Bincy Ninan-Moses, Dr. Roland Stephen, Dr. Lucien Randazzese, & Dr. Jeffrey Alexander -- Center for Science, Technology & Economic Development; and David Balenson, Dr. Ulf Lindqvist & Zachary Tudor -- Computer Science Laboratory.

In the nearly year and a half since the President issued Executive Order (EO) 13636 on Improving Critical Infrastructure Cybersecurity1 and Presidential Policy Directive (PPD) 21 on Critical Infrastructure Security and Resilience,2 there has been a great deal of policy discussion and analysis of the incentives associated with cybereconomics. Much of this assessment has focused on how incentives might influence adoption of the voluntary framework for reducing cyber risks to critical infrastructure developed by the National Institute of Standards and Technology (NIST). As part of this focus on incentives, the Departments of Homeland Security (DHS), Commerce, and Treasury identified potential incentives for infrastructure owners and operators to adopt the NIST framework.

The initial analysis by the executive branch frames incentives in terms of marginal economic costs and benefits. SRI International provided input to the DHS Science & Technology (S&T) Directorate’s cybersecurity R&D program as it set out to define a long-term research program around the topic of cybereconomic incentives (CEI). In considering the strategic direction of such a research program, SRI proposed taking a broader perspective on the subject of cybereconomic incentives than had been followed to date. Specifically, SRI advocated for a view of incentives that explicitly considers behavioral factors that affect human decision making in the context of cybersecurity, and proposed a set of related activities aimed at bootstrapping a broader, long-term research enterprise focused on these behavioral factors.

The proposed activities included reviews of current cybereconomic incentives research and policy-focused behavioral science research, used to inform a proposed research agenda in CEI, as well as development of a field experiment aimed at demonstrating the utility of the behavioral approach in understanding cybereconomic decisions. In total SRI produced a set of five analyses and documents, collected here in a single source.

The following documents were produced by SRI for DHS S&T and are included in this compendium:

  1. Concept Paper: Developing a Proof-of-Principle Exercise for Framing & Investigating Cyber Economic Incentives – A concept paper that outlines a framework for research in cybereconomic incentives that launches from standard microeconomic analysis into new opportunities for research emphasizing behavioral sciences.
  2. Literature Review: Current Research in Cybereconomics – A review of the current research in cybereconomics. This review is the first of two research reviews in this work stream.
  3. Literature Review: The Application of Behavioral Research in Public Policy – A review of the applications of behavioral science research in policy and management areas outside of cybersecurity.
  4. Proposed Research Agenda for Cybereconomic Incentives – A proposed research agenda for the field of cybereconomic incentives, focusing on both the near-term and long-range research needs of DHS’s mission of enhancing the security and resilience of the nation’s critical information infrastructure.
  5. Proposed Research Experiment for Cybereconomic Incentives – A proposed research experiment intended to evaluate how small and medium businesses (SMBs) involved with the nation’s critical infrastructure respond to incentives to improve their cybersecurity, including incentives with strong behavioral components.


About Us  |  R&D Divisions  |  Careers  |  Newsroom  |  Contact Us
© 2024 SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025-3493
SRI International is an independent, nonprofit corporation. Privacy policy