http://ipkitten.blogspot.com/2021/03/trade-secrets-in-wild-part-1-some.html

Former Katonomist, Dr. Nicola Searle, has for several years engaged in research on the economics of trade secrets, cybersecurity and cybercrime. She shares some of her most recent thoughts with IPKat readers.

“Ah”, the internet. So fascinating. So wonderful. Here, we see the world of cybercrime, teeming with life. Home to one of my favourite creatures, trade secrets, in its unnatural habitat. Little is known about the trade secret environment, as compared with IP cousins, yet their existence forms the base for many an IP food chain.

The sea sponge soaking up IP
While the link between cyber security and trade secrets should, prima facie, be obvious, it has been given little attention both in practice and research. On a practical level, IT departments, innovators and legal departments rarely communicate with each other on the protection of trade secrets.

Discussion of IP by cyber security researchers, and vice-versa, is limited; the relationship is usually reduced to “trade secrets are one thing we protect” or “trade secrets need to be reasonably protected,” respectively.

The next sentence will surprise no one – economists have done an even poorer job of linking the economics of cybersecurity to IP protection.

Restricting access to trade secrets is largely enforced by cybersecurity systems. In defending against the dark arts of malicious cyberactors, tracking downloads, limiting employee access and the like, cybersecurity plays a big role in both providing actual protection and meeting the ‘reasonably protected’ threshold for trade secrecy. Yet, matching investments and risks in cybersecurity and trade secret protection is difficult.

Economic analysis of cybersecurity focuses on two key areas: firm decision making and government policies. For the firm, deciding the optimal level of investment can be tricky. Cybersecurity is a cost, rather than a revenue-producing investment. It requires repeat monetary outlays as the effectiveness of security decreases over time, while technology continues to develop.

Not knowing either the risks or the value of the trade secrets that are protected, firms struggle to gauge an optimal level of investment. More cynically, if personal data breaches are anything to go by, it is clear that firms are not as worried about the consequences of breaches as you might expect.
A key component of cybersecurity for the economy and the individual firm is the unfortunately topical concept of herd immunity – the better protected all firms are, the better protected an individual firm is. The flipside is that an individual firm can reduce its cybersecurity costs, but still benefit from the spend by other firms (free ride). This chronic disincentive to invest in cybersecurity leads to weaker cybersecurity for everyone.

Government Policy

Assuming the goal is to maximise social welfare, i.e., maximise the net benefit of cybersecurity, then government policy needs to balance public sector expenditures with incentivising individual firms to invest in their cybersecurity. Ideally, firms spend optimally to create herd immunity.
How to determine the level of ‘optimal’ investment and to encourage firms to reach it is more of an art than a science. Shifting liability to firms suffering breaches, such as through data breach reporting requirements, can incentivise cybersecurity expenditures, as long as the cost of post-breach liability is more than preventative cybersecurity costs.
A common policy option, popular with the American FBI and the UK’s National Cyber Security Centre, is education and awareness campaigns to encourage investment in cybersecurity. The European Commission has been particularly good about picking up the link between cybercrime and trade secrets, but has limited power on criminal aspects as those sit outside its competencies.
Courts also play a key role in shaping the public policy environment for IP and cybersecurity. Civil litigation involves both private and public expenditures, whereas the criminal system is largely publicly funded. Determining the level of reasonable protection is ultimately down to the courts, and adds another layer to the interaction between policy and a firm’s cybersecurity spending decisions.
Public expenditure is relatively higher in criminal than in civil cases, as the government leads the investigation and prosecution. This can be useful when the victim is resource-poor or the defendant has limited financial resources, which often render a civil, financial penalty a moot point [aka, judgement proof]. Criminal prosecution can also be useful when pursuing a civil action is not a good strategy, for example, when a company risks upsetting a foreign state where it does business.
Criminal approaches also send strong signals to would-be criminals, but it is well established that the deterrence factor is most successful when the probability of discovery of the criminal act and its prosecution is higher. More prosecutions mean more public expenditures, whereas higher penalties are relatively cheap to implement, but less effective at increasing the costs to criminals.
Think of the economics behind this lock

Social impact
The social welfare impact of criminal prosecutions of cybercrime and trade secret theft is ambiguous. Shifting the cost of white collar crime from the firm to the public means that taxpayers underwrite risks to firms and foot some of the bill. Yet, undermining trade secret protection may affect long-term innovation and the benefits it conveys to society.
This argument is not clear-cut, as, like all IP, there is a balance between IP rights that incentivise innovation and those that restrict it. Prevention is a better strategy, but that brings us back full circle to the problems of encouraging investment in cybersecurity.
Unlike other IPR, trade secrets rely on reasonable protection within the control of the rightsholder. Years ago, aerial photography was a risk; these days the threat is largely cyber. As trade secret use and cybersecurity both become more sophisticated, expect to see more interest in their connections.
Part II of this post looks at problems with reporting crime (longer version of this series with bonus squiggly lines, here.)
Picture on the right is by Johan-commonswiki and is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
Picture on the left is by Jaydeep and is made available under a Creative Commons CC0 1.0 Universal Public Domain Dedication.

Content reproduced from The IPKat as permitted under the Creative Commons Licence (UK).