Trade secrets in the wild (Part 1): some economics of cybersecurity investment

The sea sponge soaking up IP

While the link between cyber security and trade secrets should, prima facie, be obvious, it has been given little attention both in practice and research. On a practical level, IT departments, innovators and legal departments rarely communicate with each other on the protection of trade secrets.

Discussion of IP by cyber security researchers, and vice-versa, is limited; the relationship is usually reduced to “trade secrets are one thing we protect” or “trade secrets need to be reasonably protected,” respectively.

The next sentence will surprise no one – economists have done an even poorer job of linking the economics of cybersecurity to IP protection.

Restricting access to trade secrets is largely enforced by cybersecurity systems. In defending against the dark arts of malicious cyberactors, tracking downloads, limiting employee access and the like, cybersecurity plays a big role in both providing actual protection and meeting the ‘reasonably protected’ threshold for trade secrecy. Yet, matching investments and risks in cybersecurity and trade secret protection is difficult.

Economic analysis of cybersecurity focuses on two key areas: firm decision making and government policies. For the firm, deciding the optimal level of investment can be tricky. Cybersecurity is a cost, rather than a revenue-producing investment. It requires repeat monetary outlays as the effectiveness of security decreases over time, while technology continues to develop.

Not knowing either the risks or the value of the trade secrets that are protected, firms struggle to gauge an optimal level of investment. More cynically, if personal data breaches are anything to go by, it is clear that firms are not as worried about the consequences of breaches as you might expect.

A key component of cybersecurity for the economy and the individual firm is the unfortunately topical concept of herd immunity – the better protected all firms are, the better protected an individual firm is. The flipside is that an individual firm can reduce their cybersecurity costs, but still benefit from the spend by other firms (free ride). This chronic disincentive to invest in cybersecurity leads to weaker cyber security for everyone.

Government Policy

Assuming the goal is to maximise social welfare, i.e., maximise the net benefit of cybersecurity, then government policy needs to balance public sector expenditures with incentivising individual firms to invest in their cybersecurity. Ideally, firms spend optimally to create herd immunity.

How to determine the level of ‘optimal’ investment and to encourage firms to reach it is more of an art than a science. Shifting liability to firms suffering breaches, such as data breach reporting requirements, can incentivise cybersecurity expenditures, as long as the cost of post-breach liability is more than preventative, cybersecurity costs.

Courts also play a key role in determining shaping the public policy environment for IP and cybersecurity. Civil litigation involves both private and public expenditures, whereas the criminal system is largely publicly funded. Determining the level of reasonable protection is ultimately down to the courts, and adds another layer to the interaction between policy and a firm’s cybersecurity spending decisions.

Public expenditure is relatively higher in criminal than in civil cases, as the government leads the investigation and prosecution. This can be useful when the victim is resource-poor or the defendant has limited financial resources, which often render a civil, financial penalty a moot point [aka, judgement proof]. Criminal prosecution can also be useful when pursuing a civil action is not good strategy, for example, when a company risks upsetting a foreign state where it does business.

Criminal approaches also send strong signals to would-be criminals, but it is well established that the deterrence factor is most successful when the probability of discovery of the criminal act and its prosecution is higher. More prosecutions mean more public expenditures, whereas higher penalties are relatively cheap to implement, but less effective at increasing the costs to criminals.
Think of the economics behind this lock

Social impact

The social welfare impact of criminal prosecutions of cybercrime and trade secret theft is ambiguous. Shifting the cost of white collar crime from the firm to the public means that taxpayers underwrite risks to firms and foot some of the bill. Yet, undermining trade secret protection may affect long-term innovation and the benefits it conveys to society.

This argument is not clear-cut, as, like all IP, there is a balance between IP rights that incentivise innovation and those that restrict it. Prevention is a better strategy, but that brings us back full circle the problems of encouraging investment in cybersecurity.

Unlike other IPR, trade secrets rely on a reasonable protection within the control of the rightsholder. Years ago, aerial photography was a risk, here, these days the threat is largely cyber. As trade secret use and cybersecurity both become more sophisticated, expect to see more interest in their connections.

Part II of this post looks at problems with reporting crime (longer version of this series with bonus squiggly lines, here.)

Picture on the right is by Johan-commonswiki and is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
Picture on the left is by Jaydeep and is mmade available under a Creative Commons CC0 1.0 Universal Public Domain Dedication.

Trade secrets in the wild (Part 1): some economics of cybersecurity investment Trade secrets in the wild (Part 1): some economics of cybersecurity investment Reviewed by Neil Wilkof on Wednesday, March 03, 2021 Rating: 5

No comments:

All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here:

Powered by Blogger.