national consensus on which of these, if any, should be implemented as policy, and legislation has not been passed on any of these approaches.
• Use of existing market mechanisms but with improved flow of information.
—One type of information is more and better information about threats and vulnerabilities, which could enable individual organizations to take appropriate action to strengthen their cybersecurity postures. For example, an organization may be driven to action if it hears that a large number of other organizations have already fallen victim to a given threat.
—A second type of information is information about an individual organization’s cybersecurity posture. For example, individual organizations in particular sectors of the economy can determine and adopt appropriate best-practice cybersecurity measures for those sectors. Another party, such as a government regulatory agency in the case of already-regulated industries, an insurance company for organizations carrying cybersecurity insurance, or the Securities and Exchange Commission for publicly held companies, would audit the adequacy of the organization’s adoption of best practices and publicize the results of such audits.1 Publicity about such results would in principle incentivize these organizations to improve their cybersecurity postures.
• Insurance. The insurance industry may have a role in incentivizing better cybersecurity. Consumers that buy insurance to compensate losses incurred because of cybercrime will have lower premiums if they have stronger cybersecurity postures, and thus market forces will help to drive improvements in cybersecurity. A variety of reasons stand in the way of establishing a viable cyber-insurance market: the unavailability of actuarial data to set premiums appropriately; the highly correlated nature of losses from outbreaks (e.g., from viruses) in a largely homogeneous monoculture environment, the difficulty in substantiating claims, the intangible nature of losses and assets, and unclear legal grounds.
• Standards setting and certification. This approach is based on three ideas: that good cybersecurity practices can be codified in standards, that such practices actually improve security, and that organizations publicly recognized as conforming to such standards can improve their competitive position in the marketplace. Relevant standards-setting bodies include the National Institute of Standards and Technology for the U.S.
1 President’s Council of Advisors on Science and Technology, Immediate Opportunities for Strengthening the Nation’s Cybersecurity, November 2013, available at http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_cybersecurity_nov-2013.pdf.