Making the Best Use of Cybersecurity Economic Models

An analysis of several representative cyber security economic models that shows many assumptions are the same across disparate models and far from realistic is presented. The five models share common categories of assumptions and inputs. the (Honeyman, Schwartz, and van Assche) HSA model explores the consequences of limited information and it assumes that information about the cause of system failures is too expensive for most users to obtain. HSA also shows how the result differs if the amounts are fixed by a social engineer trying to maximize total profit over all manufacturers. The (Clark and Konrad) CK model explores resource allocation for defending multiple fronts. The Cavusoglu, Mishra, and Raghunathan (CMR) differs from other models by treating as a variable the amount of human monitoring each security package requires.