Hui, Kai-Lung and Zhou, Jiali (2020): The Economics of Hacking. Forthcoming in: Oxford Research Encyclopedia of Business and Management (2020)
Abstract
Hacking is becoming more common and dangerous. The challenge of dealing with hacking often comes from the fact that much of our wisdom about conventional crime cannot be directly applied to understand hacking behavior. Against this backdrop, this essay reviews hacking studies, with a focus on discussing the new features of cybercrime and how they affect the application of the classical economic theory of crime in cyberspace. Most findings of hacking studies can be interpreted with a parsimonious demand and supply framework. Hackers decide whether and how much to “supply” hacking by calculating the return on hacking over other opportunities. Defenders optimally tolerate some level of hacking risks because defense is costly. This tolerance can be interpreted as an indirect “demand” for hacking. Variations in law enforcement, hacking benefits, hacking costs, legal alternatives, private defense, and the dual use problem can variously affect the supply or demand for hacking, and in turn the equilibrium observation of hacking in the market. Overall, this essay suggests that the classical economic theory of crime remains a powerful framework to explain hacking behaviors. However, the application of this theory calls for considerations of different assumptions and driving forces, such as psychological motives and economies of scale in offenses, that are often less prevalent in conventional (offline) criminal behaviors, but that tend to underscore hacking in cyberspace.
Item Type: | MPRA Paper |
---|---|
Original Title: | The Economics of Hacking |
English Title: | The Economics of Hacking |
Language: | English |
Keywords: | hacker, hacking, cybercrime, supply, demand, law enforcement |
Subjects: | K - Law and Economics > K4 - Legal Procedure, the Legal System, and Illegal Behavior > K42 - Illegal Behavior and the Enforcement of Law |
Item ID: | 102706 |
Depositing User: | Jiali ZHOU |
Date Deposited: | 20 Sep 2020 13:33 |
Last Modified: | 20 Sep 2020 13:33 |
URI: | https://mpra.ub.uni-muenchen.de/id/eprint/102706 |