Externalities

Mon, Aug 3, 2020 5-minute read

We all take risks; but do we consider how those risks impact others? Should we include the cost to others when we make risk based decisions not to address certain information security issues?

Some time ago I met an investment banker who told me that all risk, regulatory and compliance issues are externalities. They proposed that good investments managed that externality to generate an effective long-term return. They went on to reframe companies as a function of their externalities: oil companies were there to manage the impact of environmental disasters, fast food companies to mitigate against obesity, credit score companies existed to minimize data breaches and consumer goods companies to minimize pollution. It’s a different lens in that it assumes that a Bad Thing™ will happen and that a well-managed company is set up to minimize the likelihood or impact of such an event. Their thesis was that, in the long term, companies that are well governed to minimize the cost of compliance as well as the cost of such events will more effectively allocate their resources to produce a higher rate of return to investors. My mind was blown and I spent days researching alternative market data feeds on how to determine if a company managed its technology well. Specifically, was technology governance observable from the outside? There was plenty of data about environmental practices, litigation, social media status and so on, but I didn’t find anything that easily accessible; perhaps there is something out there with a sufficiently expensive Bloomberg or equivalent subscription.

“An externality is the cost or benefit that affects a third party who did not choose to incur that cost or benefit” - quote via Wikipedia

While I won’t make billions by identifying and investing in well-governed companies, the concept of an externality remains intriguing to me. When we build our threat models or describe our risk scenarios, do we account for the externalities if the risk event occurs? I think the answer is somewhat, but not really. I say somewhat because some risk models will include secondary or indirect impacts such as litigation costs and regulatory fines. In some jurisdictions that’s likely a good analogue; specifically, jurisdictions that allow for litigation on the basis of potential future harm, or regulators that have the legal means to impose meaningful penalties for non-compliance and for breaches. However, that raises the question of how one values harm. Do the payouts from class action lawsuits address that harm sufficiently? An old lawyer friend of mine used to say that “damages will never make you whole”, and so I think the default answer to my question is no. Looking at the Equifax breach in the USA, while the settlement was significant, it was quickly depleted and many members of the class did not get compensated.

I want to stress that I’m not saying that companies are uncaring entities; companies are not emotional, and the people that run them generally care about their customers. Companies do what they are obligated to do by law and what the market expects of them (via share price movement and revenue pressures). Everything else they may do is at the expense of profit seeking. Imagine Exxon investing in double-hulled oil tankers in 1988, a year before the Exxon Valdez oil spill; investors would likely have found that strange behaviour and possibly an unnecessary expense. Perfect hindsight tells us otherwise. It was only in 1992 that international conventions were updated to require that double-hulled oil tankers be the norm; construction and maintenance expense increased accordingly.

In all likelihood, the externalities of a risk decision are not considered by companies beyond some superficial level. The big question is, do companies have an obligation to consider such things? I think ultimately that’s a question for governments and courts to decide. In Europe, GDPR imposes significant penalties along with providing strong rights for data subjects, and so companies (and other data processors) must consider the risk and its externalities. In other jurisdictions, the answer is probably limited to figuring out how much cyber loss insurance to carry.

Except where legislated, the cost of a cyber security breach will have an externality that is transferred to data subjects. The cost transfer mechanisms to offset that risk will likely not be as efficient as the data subjects would like. Part of that inefficiency is due to the challenge of pricing future harm. I wonder if data subjects understand the risk scenarios that they are signing up for? In today’s age of weekly data breaches (examples: HIBP & VDBIR), should data subjects expect that their data will be exposed through a breach?

The inverse should be considered too: perhaps data subjects already understand that their data may be exposed, but are willing to accept that in exchange for more cost-effective (read: cheaper) product delivery. In a 2018 Pew survey of social media platform users, the gap between the feeling of control and the desire for control over personal data is telling.

“Just 9% believe they have “a lot of control” over the information that is collected about them, even as the vast majority (74%) say it is very important to them to be in control of who can get information about them” - Pew Research

Social media platforms are free to billions of users, but in exchange for access these users are comprehensively profiled and that data is provided to advertisers (and others). Social media networks collect data at a massive scale, and that means the potential impact of breaches is significant. That social media platforms themselves are complex pieces of technology operated by thousands of people means it is almost a certainty that breaches will occur again. Perhaps users understand this and are willing to carry the externality of a data breach in exchange for free access to a complex and powerful communication tool. Maybe “free” is the way to transfer the benefit of the externality to society. Then again, Equifax was free.

I’ll close with questions that I don’t have ready answers for:

  1. How should the externalized cost be considered in modeling information security risk?
  2. How should data subjects be informed of the risk such that they can make informed decisions?
  3. What effective means exist to price and transfer costs associated with the externality of information security or privacy risk?