Lack of incentives stands in the way of better cybersecurity

BOSTON—Profit-motivated fraudsters can breach systems in unexpected ways. Defenders, however, may leave systems insecure because they lack any incentive to fix them.

Both attackers and defenders operate strategically, said Tyler Moore, Tandy assistant professor of cybersecurity and information assurance at the University of Tulsa, speaking at the Privacy and Security Forum.

The traditional engineering approach to cybersecurity assumed the internet was insecure because there weren’t enough security features, such as encryption and authentication. So engineers worked on providing better, cheaper security features, but eventually realized that wasn’t enough.

Market failures occur when the free-market outcome is inefficient; they can justify regulatory intervention and inform how public policy should be designed. They help explain why investment in privacy and cybersecurity is often suboptimal.

Network effects play a very important role in the economics of IT, Moore said. The value of a system depends on how many other people are also using it. For example, the value of the telephone grew as more and more people gained access. That led to more value and eventually to the phone’s dominant position in communication.

We see the same thing in operating systems and networks. “Because you have this network effect in place, there is a strong incentive to be the first ones there. There are several implications for security, however, because successful firms push products out quickly, ignoring security until a dominant position is reached.” Those dominant platforms also carry correlated risk: because so many users run the same software, a single flaw affects all of them at once.

EHR platforms exhibit significant network effects, Moore said. They are more valuable to patients when more providers use the same format, and more valuable to prospective providers when more patients use the same platform. Yet because the platform that “wins” reaps huge benefits, vendors keep pushing competing, incompatible platforms.

Most people find it easier to appreciate a hospital’s new building than an increased IT security budget. “As a result, it’s not surprising for organizations to spend their money on things consumers can observe.” Moore cited a study that found that more competitive healthcare markets suffered more data breaches. The researchers’ hypothesis was that organizations in these more competitive markets invest in areas more easily observed by patients and less in areas that are harder to observe.

Vendors may know their software is secure, but buyers have no way to verify that claim. Buyers therefore refuse to pay a premium for secure software, and vendors in turn have no incentive to invest in developing it.

The U.S. healthcare system also lacks robust cybersecurity incident data. Unless required by law, most companies choose not to disclose incidents, which means defenders can’t accurately estimate the likelihood of incidents or their costs. That in turn means they can’t allocate their defensive resources appropriately.

Policy measures can correct market failures. HIPAA, for one, requires healthcare providers to take precautions to protect patient data. And the HITECH breach notification requirement reduces the information asymmetry around data security practices, Moore explained. The breach notification rule has also increased the focus on preventing breaches and gives providers an incentive to do so.

However, Moore said the focus on data breaches could come at the expense of other threats. Threats to availability and fraud don’t receive the same level of attention, so “we’re not learning enough about the true threat landscape.”

Beth Walsh, Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
