In the nearly year and a half since the President issued Executive Order (EO) 13636 on
Improving Critical Infrastructure Cybersecurity[1] and Presidential Policy Directive (PPD) 21 on
Critical Infrastructure Security and Resilience,[2] there has been a great deal of policy discussion
and analysis of the incentives associated with cybereconomics. Much of this assessment has
focused on how incentives might influence adoption of the voluntary framework for reducing
cyber risks to critical infrastructure developed by the National Institute of Standards and
Technology (NIST). As part of this focus on incentives, the Departments of Homeland Security
(DHS), Commerce, and Treasury identified potential incentives for infrastructure owners and
operators to adopt the NIST framework.

The initial analysis by the executive branch frames incentives in terms of marginal economic
costs and benefits. SRI International provided input to the DHS Science & Technology (S&T)
Directorate’s Cybersecurity Division (CSD) as CSD set out to define a long-term research
program around the topic of cybereconomic incentives (CEI). In considering the strategic
direction of such a research program, SRI proposed taking a broader perspective on the subject
of cybereconomic incentives than had been followed to date. Specifically, SRI advocated for a
view of incentives that explicitly considers behavioral factors that affect human decision making
in the context of cybersecurity, and proposed a set of related activities aimed at bootstrapping a
broader, long-term research enterprise focused on these behavioral factors.

The proposed activities included reviews of current cybereconomic incentives research and
policy-focused behavioral science research, used to inform a proposed research agenda in CEI,
as well as development of a field experiment aimed at demonstrating the utility of the behavioral
approach in understanding cybereconomic decisions. In total, SRI produced a set of five
analyses and documents, collected here in a single source.

The following documents were produced by SRI for DHS CSD and are included in this
- Concept Paper: Developing a Proof-of-Principle Exercise for Framing &
Investigating Cyber Economic Incentives – A concept paper that outlines a
framework for research in cybereconomic incentives that launches from standard
microeconomic analysis into new opportunities for research emphasizing behavioral
- Literature Review: Current Research in Cybereconomics – A review of the current
research in cybereconomics. This review is the first of two research reviews in this work
- Literature Review: The Application of Behavioral Research in Public Policy – A
review of the applications of behavioral science research in policy and management
areas outside of cybersecurity.
- Proposed Research Agenda for Cybereconomic Incentives – A proposed research
agenda for the field of cybereconomic incentives, focusing on both the near-term and
long-range research needs of DHS’s mission of enhancing the security and resilience of
the nation’s critical information infrastructure.
- Proposed Research Experiment for Cybereconomic Incentives – A proposed
research experiment intended to evaluate how small and medium businesses (SMBs)
involved with the nation’s critical infrastructure respond to incentives to improve their
cybersecurity, including incentives with strong behavioral components.