In this research, controlled economics experiments are used to test the predictions of economic theories that hypothesize that effective cybersecurity tradeoffs within an organization depend on both worker incentives and the structure of job duties. In these experiments, a team of economists and cybersecurity experts is working together to design virtual-world experiments that measure the impact of different incentive arrangements and job design on operational cybersecurity risks. This is particularly interesting in computer-intensive environments where the mix of competing tasks includes easily monitored tasks with an easily verified impact on organizational goals, such as tasks performed by application programming teams, and tasks that have a more ambiguous impact on organizational performance, such as tasks associated with cybersecurity practices. In the former case, high-powered incentives often compete against the relatively low-powered incentives associated with the latter, resulting in the inefficient management of cybersecurity risks. The goal of this research is to better understand how management practice interacts with available cybersecurity technologies and cybersecurity threats to enable better risk management strategies within organizations. Such research provides evidence-based findings that will make organizations more aware of their cybersecurity/operational-efficiency tradeoffs and thus allow them to improve their organizational practices and, consequently, their risk management strategies against cybersecurity threats.

Project Report

This grant is incorrectly categorized as a medium (five-year) grant, but it was only funded by NSF for one year. After being told we would only get one year of funding, we changed our goals to one year. This is explained in detail in the next paragraph. It took a long time to get this grant funded, so we only had about nine months to work on it.

One major problem in maintaining cybersecurity within an organization is incentivizing employees to comply with security practices. In fact, technical progress will often fail if it does not take into account the human element. A number of theoretical models in economics have been built around the problem of incentives. These models can be applied to cybersecurity. In our year of funding, we built a virtual world that simulates important elements of cybersecurity practice in the real world and allows us to test theoretical models of behavior using cash-motivated human subjects. We then designed an experiment around a particular theoretical model that argues for separating the roles of cybersecurity professionals from other professional activities directed towards the primary purpose of the organization.

In the experiment, we found that this division of the labor force did improve security outcomes, but we also observed a great deal of conflict between the security specialists and other workers, resulting in an overinvestment in cybersecurity practices. This overinvestment resulted in lower performance of organizations with respect to their primary mission. The results from this first experiment should make cybersecurity practitioners aware of the potential conflicts that can be created in organizations, and they suggest a need for more research to better understand why these conflicts emerge and how they can be managed.

Project Start:
Project End:
Budget Start: 2012-09-01
Budget End: 2013-09-30
Support Year:
Fiscal Year: 2012
Total Cost: $297,921
Indirect Cost:
Name: George Mason University
Department:
Type:
DUNS #:
City: Fairfax
State: VA
Country: United States
Zip Code: 22030