Economics of Industrial Cyberespionage
Lead Research Organisation:
University of Oxford
Abstract
This project falls within the EPSRC Digital Economy and Global Uncertainties research areas.
Industrial cyberespionage is a widespread phenomenon that costs the global economy up to \$6 trillion annually. It influences how we invest in innovation, store data, and create laws, and ultimately the welfare of society. Yet, it has received limited attention from the economics community. My research contributes to the emerging interdisciplinary field of economics of information security, bringing an economic perspective to the matter and considering industrial cyberespionage from three different angles.
The first project examines a dynamic R\&D race in which competitors can conduct cyberespionage against each other. We develop a framework that analyses the influence of cyberespionage on innovative incentives, companies' payoffs and the quality of the end product. We demonstrate that industrial espionage has an ambiguous influence on the overall investments exerted in the race and companies' expected payoffs and might even be beneficial for the quality of innovative end-products under certain circumstances.
The second project provides new empirical evidence that research-intensive industries are particularly susceptible to information leakage attacks. Based on Eurostat aggregated data on enterprises' innovative and digital activity, we construct a tailored data set that allows us to achieve robust statistical inference and study the relationship between information leakage attack rate, research-intensity, and companies' data reliance. The study uses multivariate fractional regression analysis to distinguish two industry-specific associations: high-tech manufacturing industries are prone to experience targeted attacks, while knowledge-intensive service companies are more likely to fall victim to opportunistic attacks.
The third project aims to understand efficient network formation and optimal defensive resource distribution in the presence of an intelligent attacker. We present a two-player dynamic framework in which the Defender and the Attacker compete in a network formation and defence game with heterogeneous vertices' values. Such a model allows for studying the trade-off between network efficiency and security. Contrary to the literature, we find that a centrally protected star network does not yield the maximum payoff for the defending side in most circumstances, even being the most secure network formation. Additionally, it reveals a new type of network that often arises in an equilibrium of the games with limited defensive resources---a maxi-core network.
Industrial cyberespionage is a widespread phenomenon that costs the global economy up to \$6 trillion annually. It influences how we invest in innovation, store data, and create laws, and ultimately the welfare of society. Yet, it has received limited attention from the economics community. My research contributes to the emerging interdisciplinary field of economics of information security, bringing an economic perspective to the matter and considering industrial cyberespionage from three different angles.
The first project examines a dynamic R\&D race in which competitors can conduct cyberespionage against each other. We develop a framework that analyses the influence of cyberespionage on innovative incentives, companies' payoffs and the quality of the end product. We demonstrate that industrial espionage has an ambiguous influence on the overall investments exerted in the race and companies' expected payoffs and might even be beneficial for the quality of innovative end-products under certain circumstances.
The second project provides new empirical evidence that research-intensive industries are particularly susceptible to information leakage attacks. Based on Eurostat aggregated data on enterprises' innovative and digital activity, we construct a tailored data set that allows us to achieve robust statistical inference and study the relationship between information leakage attack rate, research-intensity, and companies' data reliance. The study uses multivariate fractional regression analysis to distinguish two industry-specific associations: high-tech manufacturing industries are prone to experience targeted attacks, while knowledge-intensive service companies are more likely to fall victim to opportunistic attacks.
The third project aims to understand efficient network formation and optimal defensive resource distribution in the presence of an intelligent attacker. We present a two-player dynamic framework in which the Defender and the Attacker compete in a network formation and defence game with heterogeneous vertices' values. Such a model allows for studying the trade-off between network efficiency and security. Contrary to the literature, we find that a centrally protected star network does not yield the maximum payoff for the defending side in most circumstances, even being the most secure network formation. Additionally, it reveals a new type of network that often arises in an equilibrium of the games with limited defensive resources---a maxi-core network.
Planned Impact
It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:
* The IT industry; vendors of hardware and software, and within this the IT Security industry;
* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;
* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;
* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;
* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;
* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.
Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
* The IT industry; vendors of hardware and software, and within this the IT Security industry;
* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;
* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;
* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;
* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;
* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.
Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
Organisations
People |
ORCID iD |
| Greg Taylor (Primary Supervisor) | |
| Oleh Stupak (Student) |
Studentship Projects
| Project Reference | Relationship | Related To | Start | End | Student Name |
|---|---|---|---|---|---|
| EP/P00881X/1 | 01/10/2016 | 31/03/2023 | |||
| 2377496 | Studentship | EP/P00881X/1 | 09/10/2016 | 23/04/2021 | Oleh Stupak |