Affiliation:
1. School of Science and Technology Policy, Ajou University, Yeongtong-gu, Suwon, Republic of Korea
2. Department of e-business, Ajou University, Yeongtong-gu, Suwon, Republic of Korea
Abstract
Small and medium-sized enterprises (SMEs) with limited investment capacity are likely to be lax in enhancing their cybersecurity. Therefore, to strengthen cybersecurity at a national level, governments must intervene in the market by using support or regulatory policies to overcome market failures and address weaknesses. This study reviewed the efficiency of policy options to improve corporate cybersecurity resilience for SMEs that require government support, unlike large companies that can invest in security on their own. To achieve this, a causal loop diagram was created and analyzed from the perspective of system dynamics. The model incorporated government support variables and the decline in capabilities over time into the existing corporate security investment model reflecting the standard framework for cybersecurity from NIST. The simulation scenarios were constructed based on policy options considered by the Korean government. These include 1) pre-incident or post-incident support services, and 2) management through tax credits and regulation. The results indicated that incentives, specifically tax credits, were more effective than regulation in strengthening cyber resilience. This study describes the investment and internal capability development of a company affected by government policy, which is an external factor; because the company's profits and costs are added as variables, changes in profits can be observed. This profit variable allows for the comparison of a company's cyber resilience across scenarios. Additionally, if the government provides direct support immediately after a hacking incident, the company can recover more quickly. If these benefits are known and if the reporting of hacking damage is activated, cyber threat visibility will be secured by revealing hacking attacks that have been secretly conducted. Governments can use cyber threat visibility to strengthen national cybersecurity.
Funder
Ministry of Education of the Republic of Korea