PhD Proposal on Financial Stability, Critical Infrastructure and Cyber Security.

The information security of critical national infrastructure assets (CNI) such as energy grids, telecommunications networks and road transport infrastructure is of significant import to the economic security of the UK and its partners. In most cases private organizations (usually firms) are either contracted or sub-contracted to operate those assets under some form of licence. Those organizations need to make strategic investments in their security and adjust their security posture when an attack occurs. The tension and object of research is driven by the observation that the level of damage that could be inflicted on society may far exceed the losses incurred by the infrastructure provider (e.g, the value of traded assets far exceeds the value of a typical financial exchange like the LSE or NYMEX and the economic output lost to a prolonged power cut is normally significantly higher than the value of the infrastructure provider). In these cases, there is a need for legislative remedies to incentivize appropriate cyber security postures to reflect the risk preferences of society at large. This is not new, the General Data Protection Regulation is a well-known example for firms storing individual information. However, the current design of security regulation is mostly directed at privacy, rather than the secure operation of the infrastructure assets. In this thesis I will focus on the design of regulatory mechanisms needed to incentivize appropriate and well directed investment in cyber security risk management for CNI operators using economic theory and empirical analysis on firm and operational level data.