Understanding the role of incentives to improve cybersecurity decisions

As both public and private entities increasingly rely on the Internet, communications systems, and electronically-transmitted data to perform business functions, vast amounts of data are stored online and are becoming vulnerable to hackers and other cyber threats. Governments must assume an active role in maintaining the reliability and security of the global cyber infrastructure. However, securing the cyber infrastructure presents difficult challenges since it requires coordinating the efforts of government, the private sector, and society. Dr. Terrence August, Associate Professor at the Rady School of Management at the University of California, San Diego, is tackling cybersecurity from a microeconomics approach, evaluating the different incentives offered to different parties in providing security for networks. When misaligned incentives lead to outcomes with destructive social consequences, there is a natural call for government involvement. Currently though, the government's strategy has been mostly suggestive. However, in the face of increasing security attacks and associated economic losses, the government may need to adopt a more hands-on approach to securing the Internet. Dr. August is developing models to gauge the equilibrium level of security and determine the ideal level of government involvement. To strategically craft policies aimed at the protection of the Internet, we must develop a better understanding of how the decisions of individual parties affect aggregate measures of security and social welfare. This is precisely where Dr. August’s research lies. He has built some of the foundational economic models that rigorously study how the level of cybersecurity is the result of economic agents making self-interested decisions. Protecting our Internet and communication systems is one of the highest priorities, for both the public and private industry, especially in the face of recent cyber attacks that exposed the vulnerability of networks.

People within the field now approach cybersecurity from many different perspectives and at many different levels, but historically they have focused on a technical perspective. Dr. Terrence August, Associate Professor at the Rady School of Management, housed at the University of California, San Diego, is studying cybersecurity from a microeconomic perspective, trying to understand the incentives of different parties in protecting computer systems in order to determine how security arises in equilibrium. For example, does it make economic sense for a company to download and install a security patch update for its system? He asks what goes into making the patching decision, which parties are involved, what the incentives are for each party, and how much effort it is reasonable to invest in protecting a product. He is also exploring the government’s role in applying legislation surrounding security, and whether a producer of software should bear any liability for users’ economic losses should an attack occur. What should the standards for security be, both for the government and for a company, given all of the varying interests of the involved parties, and how do incentives come into play when those decisions are being made? Dr. August is researching the components that go into making cybersecurity decisions in order to better understand the role of economic incentives, and to be able to adjust those incentives to reach “better” equilibria that help protect systems and electronically stored data. A basic understanding of this complex system is critical for developing policy decisions.

Current research projects are motivated by three major research questions:

  1. Does imposing liability on software vendors improve information security risk, and what is the appropriate role for government policy?

    a. This project is directed at identifying what role government should play in regulating cybersecurity. Should there be minimum standards imposed, and if so, what are those standards? Dr. August is approaching this from an economic perspective, considering government, vendor, and user interests. Absurdly high standards would ultimately lead to economic inefficiency.

  2. How do various software deployment models (e.g., SaaS (software hosted on a vendor network) versus on-premises (software installed on user hardware)) impact security, given their distinct risk profiles?

    a. Hackers or Internet users with malicious intent have different incentives based on which interface or software systems their targets use. Would it make sense to develop malicious programs that attack the most common software platform to increase spread, or the most vulnerable platform to ensure ease of infection? The incentive to attack Windows, for example, an operating system run on the majority of computers around the world, is different from the incentive to attack the Sony PlayStation Network, which is hosted on Sony servers. Dr. August is researching how these different malicious objectives interact with the security strengths and weaknesses of each software model.

  3. When accounting for underlying economic incentives, can open-source business models lead to heightened security, and under which specific market conditions do they have greatest efficacy?

    a. With a typical downloaded application, the user installs a program and runs its binary code on their own computer. In open-source software, not only can a user run the software, but they also have access to the source code, which enables modification. The Apache HTTP Server, for example, is an open-source web server with a large community of users who contribute to improving the software by helping to maintain it. Because you can see the actual code, it is easier to detect bugs and flaws. This lies in stark contrast to Salesforce, whose CRM solution is only offered as a SaaS option. Not only is the source code not available, but even the binaries themselves are only run on Salesforce servers. Notably, such a model permits far less piracy. Considering the continuum from openness to closedness, Dr. August is examining the interaction between the level of (code) accessibility and security. If the model of a product is changed, the economic impacts also change, such as the relationship between profitability and security, making it important to understand the mechanics.

Dr. August had an early interest in basic science, understanding the value of information technology and being able to see the implications it would have in the coming future. He graduated from Vanderbilt University in 1998 with B.E. and M.S. degrees in chemical engineering, and after completing this initial higher education he worked professionally for Clorox, and then for a startup software company in New Jersey. After four years in industry, Dr. August returned to school and received his Ph.D. in Business, with a focus in operations, information, and technology, from the Stanford University Graduate School of Business. Upon completion of his doctorate in 2007, Dr. August accepted a tenure-track position as an Assistant Professor in the Rady School of Management at the University of California, San Diego. In 2014, he became a tenured Associate Professor in the Rady School.

While working at Clorox, Dr. August spent the majority of his time visiting manufacturing plants (both those belonging to Clorox and those belonging to suppliers) to diagnose quality problems and determine process improvements. At the start-up software company, he was a software engineer, project manager, sales technician, system administrator, etc., which is to say that he did anything and everything, due to the nature of the start-up environment. While he was working at this company, they were hit by the Code Red worm, because they had not kept their web server updated with the latest security patches. Technically, as a system administrator, Dr. August was responsible for patching the machine, and therefore for the system’s vulnerability to the worm. But was he really at fault? Clearly, patching was not a priority for them, because the opportunity cost associated with increased development and sales was much higher. There was a low risk of that event occurring, and so valuable resources were directed to higher-priority work. This event triggered Dr. August’s thinking: What are the actual incentives to protect a computer system? What are the benefits versus the costs (both direct and opportunity costs)? This was the experience that led Dr. August to begin thinking about creating models for those systems.

After working at both Clorox and the startup company, Dr. August had many intriguing questions and research ideas that he wanted to pursue. Moreover, he began to feel a strong desire for control over his own projects, to decide how he would spend his time. It was far easier to follow his passions and direct his time and efforts toward projects he was genuinely interested in. He realized that there were two options for this: become an entrepreneur or pursue a career in academia. The latter seemed like the more appealing choice, so Dr. August returned to academia. He was surprised to see that economic models in the literature would generally assume that once a patch was released, the user population immediately deployed it. Such models have limited use in understanding how equilibrium risk arises on a network. The cybersecurity landscape is much more complex than those models depicted, because technology producers (such as Microsoft) invest in security and set prices for their products, and attackers make strategic decisions on how to direct their efforts. Dr. August feels that our understanding of cybersecurity could be greatly enhanced by improving these models, and that the insights from them would be extremely useful to policy makers who are required to make extremely difficult yet impactful decisions in the wake of cybersecurity incidents that only seem to keep growing in scale.

When Dr. August is not investigating cyber networks, he spends ample time on the green as an avid golfer, playing courses around San Diego, most often Torrey Pines, Barona, Rancho Bernardo, and Santaluz. He has had a lifelong passion for basketball, but as his knees deteriorate with age, he has begun to allocate more of his sports enthusiasm to golf. To relax, he spends time with his wife, enjoying a variety of coffees in coffee shops, and with his dog.

Awards and honors:

  1. 2013 AIS Best Publication of the Year, for an article appearing in Management Science

  2. Most Valuable Professor Award, Flex Weekend MBA Class of 2014, Rady School of Management, UCSD

  3. Finalist for “2013 Best Paper Award in Information Systems” in Management Science

  4. Best Conference Paper, Conference on Information Systems and Technology 2012 (CIST), Phoenix, AZ, October 13–14, 2012

  5. Excellence in Teaching Award, Flex Weekend MBA Class of 2012, Rady School of Management, UCSD