In the last eight years, every significant public policy initiative to address the safety and security of U.S. national information infrastructure has recommended a significant, largely voluntary, role for the private sector, owing in large part to the dominant ownership stake of private entities in the infrastructure. Notably absent from much of the policy discourse and underlying research has been a careful examination of the stakeholder incentives to adopt and to spur the development of security technologies and processes. We believe that the lack of progress to date in achieving a secure and robust cyber infrastructure is in large part the direct result of a failure by public policy to recognize and to address those incentives and the technological, economic, social and legal factors underlying them.
We advocate a new approach for the analysis and development of coherent policy in which the interaction of economic incentives among stakeholders is explicitly considered. By economic incentives, we mean the full array of economic and technological factors that shape infrastructure decision-making, not merely government subsidies or tax credits. We provide an initial framework for understanding the technology dependencies and economic incentives associated with cyber security, along with illustrative examples of the key players and their motivations. We argue that the successful development of a secure cyber infrastructure will require more than improved technology and that it could be accelerated by careful consideration of the evolving economic and legal issues that shape stakeholder incentives.