
Moral hazard – what can it teach about information security

October 4th, 2007

Recently we posted:

ENISA – awareness raising study – better prevention thanks to data crunching

Moral hazard – does it apply to information security?
Do people take unnecessary risks when surfing the internet? What has history taught us?
Get some insights and answers on why the concept of moral hazard should be taken into consideration when making corporate and public policy regarding information security.

The problem of moral hazard has existed for as long as there have been markets. It refers to the danger that market participants take excessive risks, as we have shown here: SAS risk management – after 2 crashes we get damage control

This can be especially dangerous if end-users or managers believe someone will bail them out if things go wrong.

Banking bail-out – Northern Rock – A salutary tale of how confidence, once lost, is hard to restore

Where does all of this leave policy? It certainly suggests that moral hazard is not always a negative with respect to policy responses to the availability of networks, information and their security. In particular, the idea put forward by some that a government regulator should act only once it is clear that information security problems have become serious enough to threaten a breakdown of the critical infrastructure or a sharp downturn in the availability of information cannot be right.

Instead, these considerations suggest that prudent policy makers will make judgments during malware attack crises not on the basis of "avoiding moral hazard" but rather by asking themselves three questions:

1) are there substantial contagion effects?

2A) is the problem an availability-of-resources problem, where a contribution to the stability and security of the infrastructure can be provided with high probability, and/or
2B) is the problem such that it involves problems of coordinating defense against attacks?

3) is it reasonable to expect that the action in question will not impose costs on taxpayers?

If the answers to all three questions are affirmative, there is a strong case for public action.


Home users could risk their privacy and may lose ownership of their machines. Unfortunately, this will not get them to resist the temptation of opening an e-mail attachment. Corporate users are sometimes even less careful. The reasoning may be that since it is not one's own machine, and if it is not broken, it is not their problem and, ultimately, the IT department will have to fix it anyway.

The moral hazard issue as outlined above is a real one, and it requires certain steps that help users to better protect themselves. The Cyber Clean Center – JP-CERT initiative in Japan is one whereby government has taken action and provides a service that helps users. Most importantly, it also informs users, based on their IP address, when their computer has become part of a botnet. Once a home user's system has become part of a botnet, contagion comes into play, whereby others will be affected negatively. This combination of help, reminder and official request to do something about it (partially social control) can empower users and make them more accountable at the same time.

In turn, reducing the making of risky choices (e.g., visiting suspicious web sites) and the chances for moral hazard can be assured in the above example from the Cyber Clean Center, since the user knows that if he or she does wrong, somebody will remind them about it (more information about the Cyber Clean Center and user empowerment can also be found here) and request action. Otherwise the user risks being cut off from internet access:
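The notification step described above depends on correctly attributing an observed IP address to the subscriber who held it at that moment; with dynamic addressing, matching on the IP alone would blame whoever holds the address later. The following is an added illustration, not code from the Cyber Clean Center or JP-CERT, using constructed sinkhole observations and a constructed address-lease log; the field layouts and subscriber ids are assumptions.

```python
from datetime import datetime

# Constructed sinkhole observations: (UTC timestamp, source IP seen contacting the sinkhole).
SINKHOLE_HITS = [
    ("2007-10-01T08:15:00", "203.0.113.10"),
    ("2007-10-01T21:40:00", "203.0.113.10"),   # same IP, but a different lease holder by now
    ("2007-10-02T03:05:00", "203.0.113.77"),
    ("2007-10-02T05:00:00", "203.0.113.10"),   # no lease covers this instant -> cannot attribute
]

# Constructed dynamic-address lease log: (IP, lease start, lease end, subscriber id).
# Intervals are half-open [start, end) so back-to-back leases never overlap.
LEASES = [
    ("203.0.113.10", "2007-10-01T00:00:00", "2007-10-01T12:00:00", "sub-001"),
    ("203.0.113.10", "2007-10-01T12:00:00", "2007-10-02T00:00:00", "sub-002"),
    ("203.0.113.77", "2007-10-01T00:00:00", "2007-10-03T00:00:00", "sub-003"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def subscriber_at(ip: str, when: datetime, leases=LEASES):
    """Return the subscriber id holding `ip` at instant `when`, or None if no lease covers it."""
    for lease_ip, start, end, sub in leases:
        if lease_ip == ip and parse_ts(start) <= when < parse_ts(end):
            return sub
    return None


def build_notifications(hits=SINKHOLE_HITS, leases=LEASES):
    """Group sinkhole hits by the subscriber who held the IP at the time of each hit.

    Returns (notices, unmatched): notices maps subscriber id -> list of (timestamp, ip);
    unmatched lists hits that no lease explains and therefore must not be notified.
    """
    notices, unmatched = {}, []
    for ts, ip in hits:
        sub = subscriber_at(ip, parse_ts(ts), leases)
        if sub is None:
            unmatched.append((ts, ip))
        else:
            notices.setdefault(sub, []).append((ts, ip))
    return notices, unmatched


if __name__ == "__main__":
    notices, unmatched = build_notifications()
    for sub, events in notices.items():
        print(f"notify {sub}: {len(events)} sinkhole contact(s), first at {events[0][0]}")
    print("unattributable hits:", unmatched)
```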

2007 conference – user empowerment and information security


Christina Öberg and Johan Holtström (November 2006). Are mergers and acquisitions contagious? Journal of Business Research, Vol. 59, No. 12, pp. 1267-1275.

The above case study focuses on mergers and acquisitions (M&As) as a driving force for other M&As. It uses a Swedish data sample. The study reveals that dependence and keeping a power balance (amongst suppliers of a firm that did an M&A) are key explanations for parallel M&As; in other words, contagion effects exist, i.e. mergers and acquisitions are contagious.

See also:

empowerment for end-users



