The value of cybersecurity: a Cost-benefit analysis methodology to evaluate household’s appreciation of the security of electric supply and personal data.

Ugo Finardi (CNR-IRCrES, National Research Council of Italy, Research Institute on Sustainable Economic Growth)
Graziano Abrate (Università degli Studi del Piemonte Orientale “Amedeo Avogadro”)
Clementina Bruno (Università degli Studi del Piemonte Orientale “Amedeo Avogadro”)
Fabrizio Erbetta (Università degli Studi del Piemonte Orientale “Amedeo Avogadro”)
Jeanne Vallette (CNR-IRCrES, National Research Council of Italy, Research Institute on Sustainable Economic Growth)
Elena Ragazzi (CNR-IRCrES, National Research Council of Italy, Research Institute on Sustainable Economic Growth)

Abstract

The aim of the present work is to present a methodology for the cost-benefit analysis of cybersecurity as it concerns electricity supply and data breaches.
Cybersecurity is a continuously changing problem, since threats evolve quickly. Cyber attackers constantly update their attack methods, which in turn calls for new defenses and generates the need for investment in cybersecurity.
On the other hand, the public-good nature of security in general, and of cybersecurity for critical infrastructures in particular, generates a situation of market failure, where the perfect allocation of expenses is not necessarily market driven. More specifically, the value that households place on being protected from blackouts or brownouts caused by a cyberattack, or from a violation and exposure of personal data, is difficult to evaluate on a market basis.
This paper presents a methodology aimed at solving these problems. Cost-benefit analysis (CBA), in fact, includes methodologies able to assess the economic value of non-commercial goods that cannot be directly monetized, such as safety and security. This assessment is fundamental before introducing regulations that oblige firms to invest in prevention countermeasures, above all where, as in the case of electricity services, the investment costs are going to be covered by public funding (directly or through tariff surcharges, as happens in Italy).
The value of non-market goods can be derived from surveys of a representative sample using ad hoc techniques. In particular, the most important concepts used in CBA methodologies to establish the monetary value of a non-tradeable good are the willingness to pay (WTP) an amount of money in order to be able to use a non-commercial good, and the willingness to accept (WTA) an economic compensation in case a good cannot be enjoyed. WTP and WTA can be evaluated through two main types of survey methodology: contingent valuation, in which direct questions are asked about the WTP and/or WTA for a non-commercial good, and choice experiments, in which the respondent is asked to choose between specific scenarios, always involving the good in question. In the specific case of this project, the work uses a choice experiment to evaluate the value that users of the electricity network assign to a blackout caused by a cyberattack, through their acceptance of monetary compensation in the form of a discount on the electricity bill, therefore using the WTA as the evaluation tool. The monetary value is assessed through the answers to specific questions related to different scenarios involving the studied problem.
Specifically, this experiment evaluates the value users attach to the possibility of experiencing electric power blackouts caused by a cyberattack and the possibility of suffering a breach of personal data, again due to the activity of cyber hackers.
The presented methodology involves, as a first step, the preparation of a survey to be subsequently administered to a balanced sample of users. Then, once the results are collected, an econometric model is set up to calculate the economic value of cybersecurity. The answers respondents give to the survey will be used to build the variables of the model.
In the survey, an introductory section briefly describes the project and its purpose, also recalling the possible impact of a blackout caused by a cyberattack on the daily lives of families and individuals. Then a first section of the questionnaire asks about the characteristics of the electricity service user: number of people, the standard of living, the average value of the bill, the presence or absence of electrical equipment for which a blackout could be critical. The answers to these questions are used in the econometric treatment of the data to form a vector of explanatory variables capable of influencing the value attributed to protection from blackouts.
The second section of the questionnaire introduces the interviewee to the specific problem of blackouts, seeking to explore their specific knowledge of the problem. Besides generic questions (e.g., “Have you ever experienced an interruption of the power supply in the past?”; “Do you know the meaning of the term electrical blackout?”), the interviewee is asked to indicate what they consider to be the most serious effects caused by a blackout: events such as security and alarm systems not working; suddenly being left in the dark; interrupted telecommunications; spoiled food in the refrigerator, etc. The answers to these questions can also be used in the econometric treatment as indicators of the user's level of awareness, but they also play a preparatory role for the heart of the questionnaire, highlighting and focusing attention on the main possible direct consequences.
Then, in the main section of the questionnaire, the choice experiment takes place. Each interviewee is presented with a selection of scenarios, each describing a hypothetical blackout matched with a possible economic compensation on the electricity bill. The scenarios vary by combining the duration, time and level of compensation differently. The experimental design combines the within-subject approach (each individual is asked to respond to multiple scenarios) with the between-subject approach (different groups of individuals are presented with different scenarios). In this way it is possible to obtain answers to a wide variety of scenarios without making the questionnaire too long and repetitive (each individual gives their opinion on a limited number of scenarios). The variety of scenarios, with many combinations of duration, time and compensation, serves to obtain the information needed to estimate the value attributed to the protection from cyberattack that prevents the blackout, and to modulate this value with respect to the characteristics of the blackout itself.
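The combined within-subject and between-subject design described above can be sketched as a blocked full factorial. This is an added example, not code or data from the paper: the attribute levels, the reading of "time" as time of day, the number of groups and the function names are all constructed assumptions.

```python
from itertools import product
from collections import Counter

# Constructed attribute levels (assumptions; the abstract gives no values).
DURATIONS_H = [1, 4, 12]                 # blackout duration, hours
TIMES = ["morning", "evening", "night"]  # "time" read as time of day
DISCOUNTS_EUR = [5, 15, 30]              # compensation on the bill, euros
N_BLOCKS = 3                             # respondent groups (between-subject)


def build_blocks():
    """Split the 3x3x3 full factorial into N_BLOCKS balanced questionnaires.

    Block index = (i + j + k) mod 3 over the level indices, so each block
    contains every level of every attribute the same number of times.
    """
    blocks = {b: [] for b in range(N_BLOCKS)}
    levels = product(enumerate(DURATIONS_H), enumerate(TIMES),
                     enumerate(DISCOUNTS_EUR))
    for (i, d), (j, t), (k, c) in levels:
        scenario = {"duration_h": d, "time": t, "discount_eur": c}
        blocks[(i + j + k) % N_BLOCKS].append(scenario)
    return blocks


def assign_block(respondent_id):
    """Between-subject step: rotate respondents across the blocks."""
    return respondent_id % N_BLOCKS


def level_counts(block, attribute):
    """How often each level of one attribute appears in a block."""
    return Counter(s[attribute] for s in block)


if __name__ == "__main__":
    blocks = build_blocks()
    for b, scenarios in blocks.items():
        # Within-subject step: one respondent answers every scenario here.
        print(f"block {b}: {len(scenarios)} scenarios")
        for attr in ("duration_h", "time", "discount_eur"):
            print("   ", attr, dict(level_counts(scenarios, attr)))
    print("respondent 7 answers block", assign_block(7))
```

Each respondent answers 9 of the 27 scenarios, while the three groups together cover the whole factorial, so the pooled responses still identify the effect of every attribute level.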
The fourth and final section of the questionnaire will collect data on the personal characteristics of the interviewee: gender, age, residence, marital status, educational qualifications, occupation. These characteristics are also collected in a vector of control variables.
The aim of the experimental activity is to carry out an analysis on a large, stratified sample. The instrument will introduce a wide variety of scenarios in the submitted questionnaires. In this way, it will be possible to better define the economic value assigned by the population to the security of the electricity supply and data protection and, therefore, to a high level of cybersecurity.
In our contribution we will present the application of this methodology to a large representative Italian sample, the main takeaways, and some preliminary results.

©2024 Italian Society of Law and Economics. All rights reserved.