Michel van Eeten

Measuring the Cost of Cybercrime

This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around

The Resilient Organization

2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.

Empirical Findings on Critical Infrastructure Dependencies in Europe

Both academics and practitioners have recently discovered resilience as a core topic of interest. Resilience is widely viewed as a potential solution to the challenges posed by crises and disasters. The promise of resilience is an organization or society that absorbs shocks and ‘bounces back’ after a disturbance. While the idea of resilience is increasingly popular, empirical research on resilient organizations is actually quite rare. This article explores whether a relation exists between organizational characteristics, processes and resilience. Building on the insights of high reliability theory and crisis research, it probes this relation in two organizations that experienced deep crises: the California Independent System Operator (CAISO) and National Aeronautics and Space Agency (NASA).

Reconciling ecosystem rehabilitation and service reliability mandates in large technical systems: Findings and implications of three major US ecosystem management initiatives for managing human-dominated aquatic-terrestrial ecosystems

One type of threat consistently identified as a key challenge for Critical Infrastructure Protection (CIP) is that of cascading effects caused by dependencies and interdependencies across different critical infrastructures (CI) and their services. This paper draws on a hitherto untapped data source on infrastructure dependencies: a daily maintained database containing over 2375 serious incidents in different CI all over the world as reported by news media. In this paper we analyse this data to discover patterns in CI failures in Europe like cascades, dependencies, and interdependencies. Some analysis results indicate that less sectors than many dependency models suggest drive cascading outages and that cascading effects due to interdependencies are hardly reported.

Where is the governance in Internet governance

How can decision makers reconcile the demand for increasingly reliable services drawn from the environment (including water and power) with the desire for both a better environment and more environmental amenities? In this paper, which is based on US case studies of ecosystem rehabilitation initiatives in the San Francisco Bay-Delta, the Columbia River Basin in the Pacific Northwest, and the Florida Everglades, we focus on several notable problems in current management practice. We assess the role of adaptive management and identify five areas of major innovation by which ecologists and the authorities that operate large water and hydropower systems attempt to reconcile the tension between maintaining service reliability and promoting ecological rehabilitation. The implications of the findings for a wider framework within which ecosystems can be matched to the most appropriate management regime are related specifically to aquatic-terrestrial ecosystems. Finally, we emphasize the importance of redefining ecosystem functions and services so that the inherent conflict between high-reliability services and ecosystem rehabilitation can be reconciled.

Invisible Trade-Offs of Public Values: Inside Dutch Railways

The governance of the Internet provides one of the most important arenas in which new ideas regarding Internet studies can be applied and tested. This paper critiques the prevailing conceptualization of Internet governance. The label is routinely applied to the study of a few formal global institutions with limited or no impact on governance, but not to studies of the many activities that actually shape and regulate the use and evolution of the Internet, such as Internet service provider interconnection, security incident response or content filtering. Consequently, current conceptualizations of Internet governance inflate the presence and influence of state actors. Furthermore, they undermine efforts to understand how large-scale distributed systems in the global economy can be governed in the absence of formalized international regimes. We conclude by discussing how concepts of networked governance can be applied and extended to illuminate the study of Internet governance.

When Fiction Conveys Truth and Authority

Dutch Railways (NS), a deregulated organization with many stakeholders, deal with multiple, potentially conflicting public values in the operation of a critical infrastructure. This article explains how this organization copes with value-conflicts without making trade-offs. The article has important lessons on safeguarding public values in infrastructure operations.

Economics of Malware

Abstract Spatial planners give us fiction, while at the same time asking us to take them seriously. Perhaps even more surprising, they get much of the authority they claim. In the case of the Netherlands Green Heart planning concept, the tension between fictionality and authority has become the focal point of a public controversy about the value of the concept for making major policy decisions. The Green Heart concept has been fiercely criticized for its fictional nature. According to these critics, since the Green Heart does not exist, it cannot be used to justify far-reaching policy measures. Surprisingly, the concept seems to remain immune to this criticism. Advocates of the concept admit its fictionality, but still maintain that it is the most appropriate basis for policymaking. Thus, the two sides in this controversy have become deadlocked. We propose a framework and undertake an analysis that shows a way out of the impasse. We do this by showing how fiction conveys truth, and how truth and authority are welded to fiction, most importantly through maps.

The challenge ahead for deliberative democracy: In reply to Weale

In many cases, an economic perspective on cybersecurity – and malware in particular – provides us with more powerful analysis and a fruitful starting point for new governmental policies: incentive structures and market externalities. This report sets out to develop this perspective, building on the innovative research efforts of the past six years. More work is needed, however. As we will see, most of the research so far has been based on the methods of neoclassical and new institutional economics. While powerful, these methods are based on rather stringent assumptions about how actors behave – such as their rationality, their security tradeoffs and the kind of information they have – and how they interact with their institutional environment. We discuss the implications of these neoclassical and new institutional approaches in more detail in the next chapter. For now, we briefly key mention three limitations: (1) they provide limited insight into how actors actually perceive the cost, benefits and incentives they face; (2) they have difficulties taking into account dynamic and learning effects, such as how a loss of reputation changes the incentives an actor experiences; and (3) they treat issues of institutional design as somewhat trivial. That is to say, the literature assumes that its models can indicate what market design is optimal, that this design brought into existence at will and that actors will behave as the model predicts. If the past decade of economic reforms – such as privatization, liberalization and deregulation – have taught us anything, it is that designing markets is highly complicated and sensitive to context. It cannot be based on formal theoretical models alone. Institutional design requires an in-depth empirical understanding of current institutional structures.To provide the basis for new policies, we propose to complement the state-of-the-art understanding of the economics of malware with qualitative field research that provides empirical evidence on the way in which actors actually make security tradeoffs, how they perceive their institutional environment, the incentives they face and how these have changed, as well as the externalities that arise from these incentive structures.

Patterns of Coping With Inconsistent Demands in Public Service Delivery

If new democratic practices are more important for increasing the deliberative capacity of a political system, rather than the level of political participation, as Weale argues, then proponents of deliberative democracy have to address a critical missing link in their thinking. Rather than blaming vested power interests for the lack of influence of the new democratic practices, the proponents themselves have to answer how the outcomes of these practices can be understood, captured and transferred into wider political processes. In the absence of such an answer, blaming vested power interests is little more than an admission of weakness of an intrinsically flawed school of thought. Copyright , Beech Tree Publishing.