Security Economics and Critical National Infrastructure

Ross Anderson, Shailendra Fuloria

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract / Description of output

There has been considerable effort and expenditure since 9/11 on the protection of `Critical National Infrastructure' against online attack. This is commonly interpreted to mean preventing online sabotage against utilities such as electricity,oil and gas, water, and sewage - including pipelines, refineries, generators, storage depots and transport facilities such as tankers and terminals. A consensus is emerging that the protection of such assets is more a matter of business models and regulation - in short, of security economics - than of technology. We describe the problems, and the state of play, in this paper. Industrial control systems operate in a different world from systems previously studied by security economists; we find the same issues (lock-in, externalities, asymmetric information and so on) but in different forms. Lock-in is physical, rather than based on network effects, while the most serious externalities result from correlated failure, whether from cascade failures, common-mode failures or simultaneous attacks. There is also an interesting natural experiment happening, in that the USA is regulating cyber security in the electric power industry, but not in oil and gas, while the UK is not regulating at all but rather encouraging industry's own efforts. Some European governments are intervening, while others are leaving cybersecurity entirely to plant owners to worry about. We already note some perverse effects of the U.S. regulation regime as companies game the system, to the detriment of overall dependability.
Original languageEnglish
Title of host publicationEconomics of Information Security and Privacy
EditorsTyler Moore, David Pym, Christos Ioannidis
Place of PublicationBoston, MA
PublisherSpringer US
Number of pages12
ISBN (Electronic)978-1-4419-6967-5
ISBN (Print)978-1-4419-6967-5, 978-1-4419-6966-8
Publication statusPublished - 10 Jul 2010
EventThe Eighth Workshop on the Economics of Information Security (WEIS 2009) - London, United Kingdom
Duration: 24 Jun 200925 Jun 2009
Conference number: 8


WorkshopThe Eighth Workshop on the Economics of Information Security (WEIS 2009)
Abbreviated titleWEIS 2009
Country/TerritoryUnited Kingdom
Internet address


Dive into the research topics of 'Security Economics and Critical National Infrastructure'. Together they form a unique fingerprint.

Cite this