In the nearly year and a half since the President issued Executive Order (EO) 13636 on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 on Critical Infrastructure Security and Resilience, there has been a great deal of policy discussion and analysis of the incentives associated with cybereconomics. Much of this assessment has focused on how incentives might influence adoption of the voluntary framework for reducing cyber risks to critical infrastructure developed by the National Institute of Standards and Technology (NIST). As part of this focus on incentives, the Departments of Homeland Security (DHS), Commerce, and Treasury identified potential incentives for infrastructure owners and operators to adopt the NIST framework.
The initial analysis by the executive branch frames incentives in terms of marginal economic costs and benefits. SRI International provided input to the DHS Science & Technology (S&T) Directorate’s cybersecurity R&D program as it set out to define a long-term research program around the topic of cybereconomic incentives (CEI). In considering the strategic direction of such a research program, SRI proposed taking a broader perspective on the subject of cybereconomic incentives than had been followed to date. Specifically, SRI advocated for a view of incentives that explicitly considers behavioral factors that affect human decision making in the context of cybersecurity, and proposed a set of related activities aimed at bootstrapping a broader, long-term research enterprise focused on these behavioral factors.
The proposed activities included reviews of current cybereconomic incentives research and policy-focused behavioral science research, used to inform a proposed research agenda in CEI, as well as development of a field experiment aimed at demonstrating the utility of the behavioral approach in understanding cybereconomic decisions. In total, SRI produced a set of five analyses and documents, collected here in a single source.
The following documents were produced by SRI for DHS S&T and are included in this compendium:
- Concept Paper: Developing a Proof-of-Principle Exercise for Framing & Investigating Cyber Economic Incentives – A concept paper that outlines a framework for research in cybereconomic incentives that launches from standard microeconomic analysis into new opportunities for research emphasizing behavioral sciences.
- Literature Review: Current Research in Cybereconomics – A review of the current research in cybereconomics. This review is the first of two research reviews in this work stream.
- Literature Review: The Application of Behavioral Research in Public Policy – A review of the applications of behavioral science research in policy and management areas outside of cybersecurity.
- Proposed Research Agenda for Cybereconomic Incentives – A proposed research agenda for the field of cybereconomic incentives, focusing on both the near-term and long-range research needs of DHS’s mission of enhancing the security and resilience of the nation’s critical information infrastructure.
- Proposed Research Experiment for Cybereconomic Incentives – A proposed research experiment intended to evaluate how small and medium businesses (SMBs) involved with the nation’s critical infrastructure respond to incentives to improve their cybersecurity, including incentives with strong behavioral components.