Accepted Manuscript

Economic perspective analysis of protecting big data security and privacy

Hai Tao, Md Zakirul Alam Bhuiyan, Md Arafatur Rahman, Guojun Wang, Tian Wang, Md. Manjur Ahmed, Jing Li

PII: S0167-739X(18)31991-5
DOI: https://doi.org/10.1016/j.future.2019.03.042
Reference: FUTURE 4867

To appear in: Future Generation Computer Systems

Received date: 18 August 2018
Revised date: 6 January 2019
Accepted date: 18 March 2019

Please cite this article as: H. Tao, Md.Z.A. Bhuiyan, Md.A. Rahman et al., Economic perspective analysis of protecting big data security and privacy, Future Generation Computer Systems (2019), https://doi.org/10.1016/j.future.2019.03.042
Economic Perspective Analysis of Protecting Big Data Security and Privacy

Hai Tao (1,a), Md Zakirul Alam Bhuiyan (1,b,*), Md Arafatur Rahman (c), Guojun Wang (d), Tian Wang (e), Md. Manjur Ahmed (f), Jing Li (g,*)

a School of Computer Science, Baoji University of Art and Science, China 721007
b Department of Computer and Information Sciences, Fordham University, USA 10458
c Faculty of Computer Systems & Software Engineering, University Malaysia Pahang, Malaysia 26600
d The School of Computer Science and Educational Software, Guangzhou University, China 510006
e Department of Computer Science and Technology, Huaqiao University, China 361021
f Department of Computer Science & Engineering, University of Barishal, Bangladesh 8200
g Business School, Lanzhou City University, China 730000
1 Co-first authors (listed in alphabetical order).
Abstract

This paper investigates the protection of security and privacy of big data from an economic perspective. Traditionally, the most pressing cyberthreats have come from emailed attachments. Recently, cyberattacks increasingly steal or compromise data and have the potential to cause physical damage to critical infrastructure. The risks of a data breach or compromised data collection are often driven by potential financial benefits (e.g., blackmail, fraud, false information, intellectual property theft, business competition). That is, the motivation behind cybercrime activities is an important factor in current and future economic investments. In this paper, we first analyze a question about our effort on security and privacy in terms of economic perspectives. That is, do we need to protect big data in a secure, private, and most effective manner, while the growing amount of security threats, attacks, and data breaches together with the increasing market for security products arises? Secondly, we perform the investigation from several perspectives: the economic perspective of big data security and privacy, investment decisions, fighting cybercrimes through big data, and cyberinsurance for big data. Our objective is to provide economic justification of the technical decisions taken to protect big data and of the amount of costs that organizations often spend on it.

Keywords: Economic Perspectives, Cost Analysis, Cybersecurity, Cyberinsurance, Big Data, Privacy.

* Corresponding author
Email addresses: [email protected] (Md Zakirul Alam Bhuiyan), [email protected] (Jing Li)

Preprint submitted to Future Generation Computer Systems, January 6, 2019

1. Introduction

Big data is rapidly changing the face of the global economy. In the fast-growing landscape of network-based data analytic processes and services, enterprises and industries with an important real-time presence have faced or will face a data breach resulting from the collection and use of big data [1, 2]. As more consumer and organization information is digitized and collected for data analytics, the potential for cyberthreats and cyberattacks also increases. A large amount of consolidated data can easily be appealing to cybercriminals, especially when such consolidated data may comprise a consumer's and company's proprietary data or customers' personal and/or financial data [3, 4, 5, 6, 7, 8]. Traditionally, the most pressing cyberthreats have come from emailed attachments and downloads. Recently, cyberattacks increasingly steal or compromise data and have the potential to cause physical damage to critical infrastructure. The risks of a data breach or compromised data collection are often driven by potential financial benefits (e.g., blackmail, fraud, false information, intellectual property theft, business competition) [9, 10, 11]. That is, the motivation behind cybercrime activities is an important factor in current and future economic investments. Big data security breaches can result in serious legal consequences and reputational damage for companies, often more severe than those caused by breaches of traditional data.
The impact is far-reaching in industries, including energy, finance and insurance organizations, equipment manufacturing and automobiles, that traditionally have not played a big role in the information ecosystem. Big data brings with it tremendous promise in the form of exciting innovations, new revenue streams, and even revolutionary treatments for life-threatening diseases. This is why most organizations go to great lengths to invest in protecting themselves and their consumers from privacy concerns, cybersecurity risks, IP registration and public-relations risks, and to protect the mechanisms, algorithms, and devices used to analyze the big data. To deal with this, national agencies and security-specialized companies need to consider new IT risk appraisal methods. The methods may focus on cost-benefit trade-offs based on analytical models describing potential losses and benefits for big data and their users (such as cloud providers, financial sectors, market participants, healthcare providers). For example, in the case of market participants, the methods assume that market participants' behavior is driven by maximizing profits and minimizing losses. Their decisions are related to the choice of appropriate security and privacy measures to protect their data, wherein such measures are often identified with new software, hardware and/or services. On the basis of analytical models, the potential social and economic costs and benefits related to implementation of security products within the company may be estimated [2]. Big data coming from networking, cloud, and different monitoring environments seriously requires that data security and privacy concerns be addressed before making decisions for high-quality monitoring [12, 13, 14]. To guarantee high-quality data, they require various cybersecurity tools and algorithms that incur significant costs. The statistics show the revenue generated from 2014 to 2018 as well as the revenue estimated for the next 20 years, as shown in Fig. 1(a). In 2017, big data and business analytics were expected to generate 150.8 billion U.S. dollars. This includes the estimation of worldwide big data market revenues for software, services, and data security in the next 20 years. To shed some light on the potential of big data, we cite the IDC news report that said the big data and business analytics market may rise to $203 billion over the next several years. The consumer or financial industry is expected to lead this growth in spending, while IT and business units take charge of the technology investments [15, 1]. Though the economic aspect is not particularly identified for big data security, it is assumed to be a big part of it.
Because of the rampant adoption of big data in various industries, it has become necessary that these industries take data security and privacy seriously. The rate of data breaches has increased rapidly over the years. No industry is exempt from taking the necessary precautions to protect client/customer data. In 2017, Equifax reported a data breach that revealed the sensitive private information of 143 million Americans [16]. This shows the importance of big data security and privacy aspects and why every industry or organization needs to make investment in data security and privacy a number one priority. To deal with this, new IT risk appraisal methods are to be adopted by national agencies and security-specialized companies. The methods focus on cost-benefit trade-offs based on analytical models describing potential losses and benefits for big data and their users (such as cloud providers,
[Figure 1(a): Estimated worldwide Big Data market revenues for business analytics in the next 20 years; x-axis: Year (2014 to 2038); y-axis: Market volume in Billion U.S. dollars (0 to 800)]

[Figure 1(b): Estimated worldwide Big Data market revenues for software and services (including data security) in the next 20 years; x-axis: Year (2014 to 2038); y-axis: Market volume in Billion U.S. dollars (0 to 250)]

Figure 1: (a) Estimated worldwide big data market revenues for business analytics in the next 20 years; (b) estimated worldwide big data market revenues for software and services (including data security) in the next 20 years.
financial sectors, market participants, healthcare providers) [17, 18, 19, 20, 21, 22, 23]. In this paper, we first analyze a question about our effort on security and privacy in terms of economic perspective. That is, do we need to protect big data in a secure, private, and most effective manner, while the growing amount of security threats, attacks, and data breaches together with the increasing market for security products arises? Secondly, we perform the investigation from several perspectives: the economic perspective of big data security and privacy, investment decisions, fighting cybercrimes through big data, and cyberinsurance for big data. The answer is still ambiguous but should at least provide guidelines for big data owners on whether to develop new security and privacy mechanisms or to improve the existing ones. This investigation arose from the understanding that cost-effective privacy and protection controls are as crucial as a security breakdown. The economic perspective of data security and privacy aims to provide economic justification of the technical decisions taken to protect big data. The contributions of the investigation in this paper cover several perspectives:

• We discuss insights into the economic perspective of big data security and privacy and conduct several case studies of economic perspectives throughout the paper.

• We discuss the economics of investment decisions for protecting the security and privacy of big data.

• We present economic perspectives of big data to fight cybercrimes and of cyberinsurance for big data.

• Finally, we analyze the economic perspectives of governmental regulation for big data.

The remainder of this paper is organized as follows. Section 2 focuses on the economic perspective of big data security and privacy. Section 3 discusses how to use big data to fight cybercrimes. Section 4 analyzes the economic perspective of tools used to protect the security and privacy of big data. Section 5 offers economic perspectives of big data to fight cybercrimes. Section 6 discusses cybercrime insurance to protect the security and privacy of big data against threats. Finally, we conclude the paper in Section 7.

2. Economic Perspective Analysis

In this section, we analyze the economic perspective of cybersecurity, particularly data security and privacy. We also discuss economic reasons for insecurity and lack of privacy, and economic countermeasures. The economics of cybersecurity has become a contentious topic in the recent past, especially in the corporate context [5, 6]. It can be looked at from both the security and the privacy perspective. The economics of security involves the economic considerations that a corporation or individual takes to safeguard their assets [5].
This would include the investment necessary to purchase the security infrastructure, the profitability impact of the assets on the bottom line, and the availability of the necessary supporting resources, such as a security-aware workforce.
The economics of privacy, on the other hand, involves the proper collection, processing and storage of personally identifiable information, the online activity of web users, and any information not suitable for public access. Online privacy is a sensitive issue in the 21st century. Private information is extremely valuable, especially on the black market. The economic incentive for malicious individuals to steal private information is overwhelming [3]. Medical facilities and government institutions have the most comprehensive data on individuals, and this makes them leading targets for cybercriminals who seek to benefit from stealing this information [3]. Intellectual property has become a major competitive advantage in the current age of information. Recent research has revealed that at least 80% of the value of Fortune 500 companies is comprised of intellectual property. More and more assets are being digitized as corporations seek to embrace the digital age. However, this has brought with it a new risk front. It is now easier to suffer an attack through digital means than it was in the past, when attacks involved physical compromises of company premises [5, 3]. This unfolding revelation has not escaped the corporate C-suite, which has now prioritized cybersecurity to safeguard the security of the companies' cyber-infrastructure. However, security and privacy may not be a priority for other businesses. Some of these institutions have not taken the initiative to secure their assets, and this situation puts at risk the security and privacy not just of the company's data but also of their customers' information [4]. To fix this unfortunate situation, global forums and institutions focused on the security of cyber-infrastructure have taken to creating rules that every player needs to adhere to, so as to uphold the security and privacy of the third parties they interact with.

2.1. Economic Reasons for Insecurity and Lack of Privacy

Past victims of cyber insecurity have reported losses in the hundreds of billions of dollars in annual costs. Industry research organizations have concurred with these figures and also project a rising cost due to the rise in digitization and over-reliance on intellectual property [5]. The following reasons have been associated with cyber insecurity and lack of privacy. First is the lack of economic incentives. Deploying better security measures does not necessarily equate to increased revenues for the company [6]. An investment in cybersecurity systems does not justify itself in evident ways. In fact, an investment in a robust security scheme may be costly for most companies and institutions. Therefore, most entities content themselves with the bare minimum of security infrastructure that complies with the established industry rules and regulations.
Second is the greater economic incentive for the cyber attackers as compared to the victims. A credit card entry is sold on the black market for about $3-5. Personally identifiable information comprising social security numbers, full names, addresses, passport numbers and passport images can be sold for as much as $50 per entry [6]. Such information can only be found in government institutions and medical facilities. Malicious cyber users have the incentive to steal and compromise the security of systems because it is a more profitable risk for them, whereas the victims have no easily identifiable economic benefit from defending [6, 24]. Malicious actors also have a reason to innovate and employ ingenious methods to attack successfully. They are unencumbered by institutional bureaucracies and act more swiftly [25]. Related to this point is the easy availability of more advanced attack tools. Some of these malicious tools are extremely cheap and are therefore available to a broad user base [6]. The dominant culture within the development community is to freely share information with peers. This situation then affords nefarious individuals the information necessary to carry out innovative attacks before victims or targets have time to upgrade their security infrastructure.

2.2. Economic Countermeasures

It is erroneous to think that cybersecurity is a technical problem that deserves only a technical solution. Research has shown that more attacks succeed by exploiting the human variable, which has been described as the weakest link within the cybersecurity strategy [5]. Therefore, to effectively combat insecurity, policies that govern human behavior will be essential. Some of them are discussed below.

Policies to educate the entire workforce. It is essential that all the employees and directors of the company or institution understand that cybersecurity is an enterprise-wide challenge. All workers should be educated and required to follow set guidelines of conduct when dealing with cyber-infrastructure [6]. The institutions need to have a capable team of cybersecurity individuals who are able to put in place a recovery mechanism, also known as the business continuity plan. This plan should be created to enable quick recovery from a cyberattack [5]. It is essential to recover as soon as possible in case of an attack. It is not just good for the company economically, but it is also legally sound, because some of the strategies that will have to be included within the disaster recovery and business continuity plan will take into consideration law enforcement procedures [5].
3. Economics of Investment Decisions for Big Data Security and Privacy

We carry out two investigative studies of the economics of investment decisions for big data security and privacy. These cover the financial industry and the pharmaceutical and healthcare industry [26, 15, 27]. We also give a comparison between the financial and pharmaceutical industries. Finally, we show how much a cybersecurity organization should invest.

3.1. Study 1: Financial Industry

The financial industry is a vital application area, and big data security holds a firm position in numerous financial organizations. For a financial organization to manage big data successfully, it should keep the data secure and consistently compliant with regulatory requirements [28]. Protecting a huge and increasing quantity of important data, and being able to find and analyze it to identify possible threats, is more significant than ever. Financial organizations need to protect the storage, transit and usage of corporate and personal data across various business applications, including e-banking and e-communication of personal information, files, and documents. While all types of businesses are vulnerable to attacks by criminals, it is the security breaches at financial organizations that elicit the most media attention, public scrutiny and legislator consternation. For example, HSBC has invested in and collaborated with SAS Fraud Management to make use of big data to detect fraudulent behavior in ATM transactions and other fraudulent activities. To reduce its global losses from fraudulent transactions and threats, HSBC has started to use SAS Fraud Management as the foundation for its real-time fraud detection and fraud management across its network [29]. The solution is live in the US, Europe and Asia, protecting 100% of credit card transactions in real time. HSBC envisages extending the deployment to cover fraud across numerous business and trade networks. Not surprisingly, battling all forms of fraud (payment cards, online contracts, markets, transactions, and even first-party (customer) fraud) has jumped to the top of the corporate agenda [18, 20]. According to Derek Wylde, Head of Group Fraud Risk, Global Security and Fraud Risk for HSBC, they have obtained considerably reduced occurrences of fraud, blackmail, and intellectual property theft across tens of millions of debit and credit card accounts, significantly exceeding aggressive objectives.
3.2. Study 2: Pharmaceutical and Healthcare

Big data in the pharmaceutical and healthcare sector is becoming increasingly apparent: 73% of organizations in the industry are set to begin or increase investment in big data within the next five years, according to business intelligence provider GBI Research [7]. The commercial benefits of big data give pharmaceutical and healthcare companies incentives to embrace the technology. Mining data in conjunction with predictive modeling, for example, could be used to identify new drug candidates with a greater likelihood of success. Estimates suggest that big data investments in the healthcare and pharmaceutical industry accounted for nearly $4 billion in 2017 alone. Driven by a plethora of business opportunities for healthcare providers, insurers, payers, government agencies, pharmaceutical companies and other stakeholders, these investments are further expected to grow at a CAGR of more than 15% over the next three years. For example, Genentech (a major biotechnology company with a leading data science practice) has been making investments in data management and analytics tools. Genentech built a big-data platform that is able to examine billions of patient healthcare records in seconds [30]. Genentech has also seriously recruited and developed people with the requisite proficiencies, partnering with universities and companies such as the Data Incubator to hire and train data scientists, and it has now become an entrepreneurial group. An up-to-date example of this type of work is the creation of a database on a past cohort of healthcare patients formally diagnosed with cancer. The group has studied their data to identify the outcomes of diverse patient subtypes and treatment procedures. It has helped Genentech discover how diverse biomarker modifications and diverse treatment arrangements influence the medical experimental results in the real world. This data has eventually supported serious drug development results. Genentech has exploited real-world data in further therapeutic areas, such as neuroscience, in which drug development is notoriously challenging, to better recognize the inconsistency of disease patterns, disease symptoms over time, disease progression rates, and treatment responses, and to quantify the cost dynamics as diseases advance. Traditionally, the pharmaceutical firm has employed SAS programmers who have performed precise studies of clinical trials in a consistent, well-organized manner. Funding for these programmers has been satisfactory, given that clinical trials are devised to answer queries about effectiveness and safety with fresh and filtered data sets.
3.3. Comparison Between Financial and Pharmaceutical Industry

Medical information is worth 10 times more than a credit card number on the black market. The FBI warned healthcare providers to guard against cyberattacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said hackers had broken into its computer network and stolen the personal information of 4.5 million patients. Cybersecurity specialists state that cybercriminals are increasingly pursuing the over $3 trillion U.S. healthcare industry, in which numerous corporations and businesses are still dependent on old computer network systems that are not equipped with the newest cybersecurity features and tools. As cyberattackers come up with innovative approaches to earn money, the healthcare industry is becoming a much more attractive victim because of the capability to sell huge sets of private and sensitive data for profit. Hospitals have low security, so it is relatively easy for hackers to get a large amount of personal data for medical fraud, due to the notion that the healthcare industry is not a target. This is not to say that security in big data is unimportant in other industries; it goes to show that no industry is exempt from data breaches as long as data is being collected in large amounts in that particular industry, and that every industry needs to make investment in data security a number one priority.

3.4. How Much a Cybersecurity Organization Should Invest

An increasing quantity of work examines how much an organization should invest in cybersecurity, particularly in big data security and privacy protection. Gordon and Loeb [31] and later Gordon [7], GordonEtAl1 are the leading investigators of the optimum level of investment in cybersecurity. Their schemes utilize an unconstrained expected profit maximization model. They consider that data security and privacy investments are separable from the other investment activities of the organization.
The benefit to the organization from a data security investment is a reduction in security cost and in the residual likelihood of a data breach, which may be modified by the amount invested in cybersecurity. The schemes were first conceived to support government operational audit tasks in the US. Previous work [7, 31, 32] makes simplifying assumptions about the significance of the desired value in decision-making on investments, and about the continuity and derivatives of the main functions. We show a summary of the general homeland security investment scheme following the Farrow scheme [33]. While an organization (such as a government) is involved in minimizing overall social costs, the organization may not regard the external effects of its choices, for example, legal liability, which provides incentives to the organization to internalize the costs it imposes on others.

(1) Let $c_i$ be the organizational administrative cybersecurity cost at site $i$, and $A$ be the collective cost constraint covering all sites and possible pathways.

(2) $P(c_i)$ is the probability of a possible event. We have $P' < 0$ and $P'' > 0$, where $P'$ denotes the derivative and the function is assumed to be twice continuously differentiable. This embeds a few behavioral assumptions on the part of attackers, which alter the cost incurred prior to an attack.

(3) $S(c_i)$ denotes extra costs arising from non-organizational activity, i.e., other costs of the investment such as time or additional productivity requirements. If an organization counts time spent in security lines or changes in productivity that are not included in the budget, then $S' > 0$.

(4) $C(c_i)$ is the social cost incurred if an event occurs, with $C' < 0$ and $C'' > 0$. It comprises $C^D(c_i)$, the basic costs to the organization, and $C^E(c_i)$, the external cost to others.

The constrained cost amount $c_i$ is taken to be consumed whether a cyberattack occurs or not, whereas the social cost $C$ is conditional on the occurrence of an event. As a result, the cybersecurity investment problem of the organization for data security and privacy can be specified as choosing the level of cost at each site ($c_i^* \ge 0$) so as to minimize the expected cost:

$$\min \sum_{i=1}^{N} P(c_i)\,[C(c_i) + c_i + S(c_i)] + [1 - P(c_i)]\,(c_i + S(c_i)) \qquad (1)$$

subject to:

$$\sum_{i=1}^{N} c_i = A, \qquad c_i \ge 0. \qquad (2)$$
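As an added worked example (not from the paper and not Farrow's own implementation), the constrained problem in Eqs. (1) and (2) is solved numerically below for three constructed sites. The functional forms for P, C and S, the site parameters and the budget are assumptions chosen only to satisfy the sign conditions stated above (P' < 0, P'' > 0, C' < 0, C'' > 0, S' > 0); the greedy marginal-benefit allocation is a standard approach for separable convex objectives and is used here in place of a closed-form solution.

```python
import math

# Constructed site parameters (assumptions, not from the paper):
#   p0     breach probability with zero spending at the site
#   k      how quickly spending reduces breach probability (P' < 0, P'' > 0)
#   cd, ce direct (C^D) and external (C^E) social cost of a breach at zero spending
#   kc     how quickly spending reduces breach cost (C' < 0, C'' > 0)
#   s      non-budgeted organizational cost per unit of spending, S(c) = s*c (S' > 0)
SITES = [
    {"name": "customer-db",  "p0": 0.6, "k": 0.9, "cd": 120.0, "ce": 80.0, "kc": 0.2, "s": 0.2},
    {"name": "hr-portal",    "p0": 0.3, "k": 0.7, "cd":  40.0, "ce": 20.0, "kc": 0.2, "s": 0.2},
    {"name": "build-server", "p0": 0.4, "k": 0.5, "cd":  60.0, "ce": 30.0, "kc": 0.2, "s": 0.2},
]


def P(site, c):
    """Probability of a breach at the site after spending c (assumed exponential form)."""
    return site["p0"] * math.exp(-site["k"] * c)


def C(site, c):
    """Social cost if a breach occurs: C^D + C^E, decreasing and convex in c."""
    return (site["cd"] + site["ce"]) * math.exp(-site["kc"] * c)


def S(site, c):
    """Extra non-budgeted cost of the investment (time, productivity), increasing in c."""
    return site["s"] * c


def expected_cost(site, c):
    """One term of Eq. (1): P*(cost with breach) + (1-P)*(cost without breach)."""
    return P(site, c) * (C(site, c) + c + S(site, c)) + (1.0 - P(site, c)) * (c + S(site, c))


def total_cost(alloc, sites=SITES):
    """Objective of Eq. (1) for a given allocation vector (c_1, ..., c_N)."""
    return sum(expected_cost(site, c) for site, c in zip(sites, alloc))


def allocate(budget, sites=SITES, step=0.05):
    """Spend the whole budget A (Eq. (2)) in increments of `step`, each time giving the
    increment to the site whose expected cost drops the most. Because each per-site
    objective is convex under the sign conditions, the marginal gains are decreasing and
    this greedy rule reaches the constrained optimum at the chosen step resolution."""
    alloc = [0.0] * len(sites)
    for _ in range(int(round(budget / step))):
        gains = [expected_cost(site, a) - expected_cost(site, a + step)
                 for site, a in zip(sites, alloc)]
        best = max(range(len(sites)), key=gains.__getitem__)
        alloc[best] += step
    return alloc


def main():
    budget = 6.0  # assumed total budget A, in the same (arbitrary) units as the costs
    alloc = allocate(budget)
    for site, c in zip(SITES, alloc):
        print(f"{site['name']:13s} c_i = {c:5.2f}  P = {P(site, c):.3f}  "
              f"expected cost = {expected_cost(site, c):7.2f}")
    print(f"optimized total = {total_cost(alloc):.2f}, "
          f"equal split total = {total_cost([budget / len(SITES)] * len(SITES)):.2f}")


if __name__ == "__main__":
    main()
```

With these parameters the site with the highest exposure and breach cost (customer-db) receives the largest share of the budget, and the optimized allocation yields a lower total expected cost than splitting A equally, which is the point of the model: spending is justified per site by the marginal reduction in expected social cost, not by a uniform rule.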
In addition to this model, the models proposed by [31], [32] are also found to be the dual of the Farrow model without the assumption of constraints: increasing cost reductions is the dual of decreasing costs for an interior solution [7].

4. Economic Perspectives of Using Tools for Security and Privacy of Big Data against Threats

The economic perspective of implementing data security solutions, including software tools and policies, is a complex and costly objective. However, the economic perspective of not implementing a data security solution is a detrimental approach that not only allows more data breaches to take place, but also financially implicates those who are affected. Though big data security is a moving target, it is the responsibility of every organization to make it a top priority. In this section, we discuss some tools used to analyze and secure big data, the value of implementing security and privacy tools for big data, the economic perspective of data breaches when no security tools are implemented, and the economic cost of not using tools for big data [8].

4.1. Tools Used to Secure and Analyze Big Data

Big data characteristics have raised concerns about the anonymity of the data collected and the security of such data. Big data analytics and security software such as Cybereason and Fortscale (now part of RSA NetWitness) are essential to successfully securing big data (Sullivan). Moreover, the importance of developing and adhering to rules and regulations that protect big data has reached global attention and cannot be ignored without large financial implications. Big data analytics security products must be able to ingest large amounts of data from various devices such as servers, endpoints, and any other networked device that has access to the data. These applications must also provide a unified data management solution, support different types of data, flows and logs, and provide clear compliance reporting. The top two database security and analytic applications are Cybereason and Fortscale. Each application provides different features and capabilities targeted at a specific solution. For example, Cybereason employs "sensors that run in user-space of end-point operating systems," allowing the collection of data while minimizing end-user disruption. A solution like Fortscale employs statistical analysis and machine learning which automatically adapt to changes in the security environment.
Fortscale's machine learning algorithms allow it to detect changes and update its rule sets without human intervention. The increased media coverage of data breaches and the continued number of threats have made data protection one of the most discussed subjects in technology. Audit committees, shareholders and end users expect to have their data protected from unauthorized access. It is important to note that the implementation of data protection, which includes the use of specialized software tools as well as the development and enforcement of policies and procedures, has been a topic for many years. However, the difference now is value. The value in securing data is at an all-time high. As corporations move to secure their data, more threats become known, which creates never-ending data protection cycles. All of this creates economic implications that affect corporations, individuals and shareholders. Corporations are affected by the increasing cost of applications that assist in protecting data and by the increasing need to hire skilled personnel to manage and support such applications. That said, this is a small price to pay compared with the alternative and the millions of dollars spent in the aftermath of a data breach. Similarly, end users are affected by losing control of their data, which most of the time includes personally identifiable information (PII) such as social security numbers. This translates to an increase in personal spending trying to mitigate the damage created by the lack of proper data security ("maximizing the value of a data protection program").

4.2. Economic Perspectives of Data Breaches When No Security Program Is Implemented

Implementing an effective security program can cost an organization a hefty price, as the cost includes more than the price of installation. Corporations and small businesses must consider the price of training, updates, repairs, and much more, along with the cost of the security tool itself, which results in a large price tag. It is essential to note that data protection is not one size fits all and must be tailored to fit each organization. The size of the organization heavily influences the price tag of the security program, which may be why many large organizations choose not to invest in a proper tool to protect their data. While implementing the "best" system is costly, it must be recognized that the cost of an inadequate security structure can heavily outweigh these costs. The Target data breach of 2013 serves as a great example of a company that chose not to implement an effective program to protect its data. The breach, which affected over 40 million customers, resulted in stolen credit information and over 11 GB of stolen data.
It was discovered that attackers were able to infiltrate Target's Point of Sale (POS) system, which is where customer transactions take place (Target is one of the largest department store retailers in the US). Research shows that the company only implemented enough protection to pass the compliance audits for the Payment Card Industry (PCI), which in actuality was simply the bare minimum. This not only calls into question Target's lack of effective security, but it also calls into question why such an inadequate level of protection meets industry standards. It is clear that the standards need to be raised in order to force large corporations such as Target to invest in security that protects not only their data but their customers as well [15].
Figure 2: Total losses of the Target 2013 security breach up until 2017. The losses are a combination of factors that came about because of the cybersecurity breach.
On the opposite side of the issue of lack of implementation are those who feel that the loss from the breach is minimal compared to the actual revenue of the company. Target has revealed that the total initial cost of the breach was about $252 million before insurance. After insurance, the total cost of the breach's aftermath was roughly $105 million, which is stated to be only one percent of Target's revenue for the year 2014. While the figure seems minuscule to a large organization such as Target, it does not consider the full effect of the breach. Not only did high-ranking employees such as the CEO and CIO lose their jobs, but a vast number of banks were heavily affected as they were required to refund money stolen from customer credit cards. Figure 2 depicts the total loss as of 2017 since the breach. While Target has stated that it will pay victims of the breach up to $10,000.00 in damages, this arrangement does not provide a solid solution for the individuals who now have to deal with identity theft. Lastly, the total cost of the breach does not reflect the damage to the brand's reputation, consumer trust, and loss of customers, as visits dropped after the breach was revealed. It is safe to conclude that if Target underwent another incident such as its 2014 breach, the company's losses could be permanently damaging, resulting in a loss that its revenue cannot make up for. In all cases, it is much safer, more effective, and financially smarter to implement security structures to avoid such losses.

4.3. Economic Cost of Not Using Tools in Big Data

With all these real costs of using these tools comes one of the biggest costs associated with big data: the cost of not using any tools at all for the protection of big data. There can be many “what ifs” for this type of cost, but recently Facebook was at the center of it [34]. Facebook has recently been involved in a scandal with Cambridge Analytica. Supposedly, Cambridge Analytica used the data of Facebook users to build personality profiles and targeted them with specific ads. From this scandal, Facebook has lost on numerous economic fronts, from client base to market value [35]. From the perspective of client base, about 87 million users were affected. This causes a major disruption among users who would otherwise continue to use the product and gives pause to new users. For a company whose business is based on people using its product, this is detrimental to the livelihood of the company. Following the scandal, a survey was completed with 1000 Americans. The survey's takeaways were that 9% of respondents had deleted their accounts and 35% had decreased their usage. This would equate to about 1 in 10 Americans deleting their Facebook account, which would be a substantial user base decline [34]. From the market value perspective, Facebook lost approximately $80+ billion in market value, about 18% of its value. That alone is enough to cause shareholders to begin a mass sell-off of their holdings.
Something like this would not necessarily cause the company to go under, but this chain of events would begin the process of governments looking to regulate, making operations harder and costlier. Following the Facebook scandal, one regulation did come to life: the General Data Protection Regulation (GDPR) in the EU. This regulation holds tech companies liable for their users' data and supports those whose data has been compromised (“GDPR Key Changes”).
5. Economic Perspectives of Big Data to Fight Cybercrimes

5.1. Background

Advances in technology and infrastructure have caused global cybercrime to increase at a rapid rate. The healthcare industry is one of many vulnerable industries that must change the way it evaluates cybersecurity. In order to prevent data security and privacy breaches as well as economic loss, these industries must move towards predicting and preventing cyberattacks. If equipped with real-time big data intelligence and analytics, healthcare providers can detect unusual patterns of activity within their own information, learn from others' mistakes, and detect and prevent cyber-crimes more effectively. By using big data, healthcare providers can stay one step ahead of malicious actors [9]. The healthcare industry has many risks that it must counteract. Primarily, it is the economic value of healthcare data that makes it a prime target. Additionally, there are technical and organizational weak spots to consider and improve.

• The technical weak spots are that the attack surface is huge, that many healthcare organizations use legacy hardware and software (outdated and vulnerable), and that there are too many small organizations that cannot afford to keep pace.

• The organizational weak spots within companies are that cyber issues are often not of concern until after an attack has already happened, that companies allocate limited resources for cyber, and that cyber professionals are rare in medical environments (along with a lack of user training in cybersecurity).

These issues make the industry vulnerable and an ideal candidate for a breach. Outlined below are two cyber threats that have economic impacts on the healthcare industry [36]. With the move to Electronic Health Records (EHR), healthcare providers are processing and storing huge amounts of data, presenting a greater risk of loss of data to cyber criminals [37].
Figure 3: Average organization cost of data breach over 12 years (average total cost in $ billion, by year, 2006 to 2017).

There are two types of common cyber threats the healthcare industry faces: data breaches and ransomware. Compared to any other industry, the healthcare industry has very high risk factors when it comes to experiencing both data breaches and ransomware attacks. Healthcare records are considered highly valuable to cyber-attackers due to the richness of the personal, medical, and financial information contained within each electronic health record (EHR). With access to this information, identity theft, insurance fraud, and financial fraud are committed for financial gain by criminal elements. Statistics show 88% of all ransomware attacks in 2017 targeted the healthcare industry. When a ransomware attack occurs, the attacker demands a ransom fee in exchange for the safe return of the data. If the victim chooses not to pay the ransom, the threat is that they will permanently lose access to all of their data, and it may later be resold on the “dark web.” The healthcare industry is the largest target of ransomware attacks. Healthcare organizations are more willing to comply with the demands of the attacker and pay in exchange for the health records, as it is a matter of safety more than a matter of security: without access to patient records when necessary, patients will die. Health data breaches are costing the U.S. healthcare industry an estimated $6.2 billion, according to the Ponemon Institute. These breaches are costly for the healthcare industry, as it is among the most heavily regulated industries, which usually have a higher per capita cost of a data breach than the overall mean ($221).

5.2. Economic Perspectives of Cybercrimes

Cybercrime costs to the healthcare industry will continue to rise as one of the fastest-growing threats, ransomware, successfully wreaks havoc in the industry [37, 38].
Ransomware attacks on healthcare organizations are predicted to quadruple by 2020, as reported by the Herjavec Group. Cybersecurity Ventures predicts the healthcare industry will devote more than $65 billion cumulatively to cybersecurity tools, products, and services between 2017 and 2021. As the healthcare industry continues digitizing all of its data, it continues to attract more attention from cybercriminals. This dynamic may be an important contributor to the growth of the healthcare cybersecurity market over the coming decade. Cybersecurity market growth of 12-15% year over year is anticipated through 2021, comparable with other industries. However, healthcare organizations still lag the market in cyber defense spending, and they have suffered for it as well. Hospitals and many other healthcare facilities spend way more than they should. Cybersecurity is just as important, if not more important, than digitizing patient records. The key difference between the healthcare industry and other industries is that it's not just about money. It's about lives [39]. In 2016, healthcare professionals and providers averaged less than 6% of their IT budget expenses on cybersecurity and privacy, according to a survey from HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society, and the security firm Symantec. In contrast, the US federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12% to 15%. Using big data intelligence, healthcare providers can learn from the hacks, breaches and related activity that occurred in 2017 and cost the healthcare industry multi-millions of dollars.

5.3. Comparative Study 1: Is the Healthcare Industry Truly at Risk of Cyberattacks?
Many healthcare providers are unsure if it’s truly worth allocating funds to use big data to fight cybercrimes. Companies do not increase expenses unless they can prove necessity. In order to increase security and privacy measures within companies, researchers and cybersecurity professionals would have to find evidence that more money should be put toward increasing cybersecurity. Statistics and surveys would need to be formulated in order to generate a preview of the true risk healthcare providers face from cyberattacks. In this section, the data found from a survey done by HIMSS Analytics will be discussed to show the severity of cyber risks the healthcare industry faces [11].
The statistic provided by [40] shows that 78% of healthcare providers experienced ransomware or malware attacks in 2017. This number should be alarming for healthcare providers, as they are more likely to be subject to an attack than not. Such an analysis provides a bigger picture of the issues of cybersecurity in the healthcare industry. Hackers target the healthcare industry because the likelihood of compliance with demands is high. They know hospitals will likely pay the ransom because when access to healthcare data is disrupted, the lives of patients are threatened. The reputational, legal, and economic repercussions that would result from deaths would be very costly. The phrase “death by hacking” has been used to describe the physical injury and death that can result from the hijacking of patient data and devices [40]. New medical technology adopted by hospitals is often connected to the hospital's network. Connected technology is used in healthcare because it simplifies and speeds up data extraction (it used to be that hospitals had to print and physically hand information out). While it simplifies many processes, connected technology also increases the risk of cyberattacks because many devices have little to no security features embedded in them.

5.4. Comparative Study 2

The healthcare industry is not the only vulnerable industry. Recently, the financial industry has been under heavy scrutiny. In February of 2016, the Bank of Bangladesh was the victim of a cyber-attack that netted approximately $101 million. It is said that many elements contributed to this attack: there were most likely insiders who knew the intricacies of the SWIFT system. It is believed that those involved were a team of highly skilled, possibly nation state actors with the ability to take down a major banking system such as SWIFT [36, 41].
SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is a conglomerate group that operates a trusted and closed computer network between member banks around the world. The conglomerate of banks dates back to the 1970s, is based in Belgium, and is overseen by its national bank. There is representation from the U.S. Federal Reserve Bank in New York, the Bank of England, the European Central Bank, the Bank of Japan and many others. SWIFT has over 11,000 users and processes millions of transactions a day. Institutions are identified by assigned codes, and they also have unique authentication codes [37, 41, 42]. Hackers used malware and SWIFT credentials from the Bank of Bangladesh to send more than twenty-four fraudulent transfer requests to the Federal Reserve Bank in New York City, requesting that millions of dollars be transferred to a handful of foreign banks. The transactions were discovered thanks to a typo spotted on a transaction slip, allowing the Bank of Bangladesh to stop further progress of the attack. The hackers did not directly compromise SWIFT; they used available credentials and posed as employees of the bank conducting legitimate transactions [43]. How the attack on the Bangladesh reserve was carried out can be simplified into the following steps:

• The hacker team entered the bank's systems several times before they transferred the money.
• They learned how the system works and where its weaknesses are.
• They learned the inter-bank communication system for transactions (such as communication between the Federal Reserve Bank of New York and Bangladesh Central Bank).
• They learned the secret advice/message/password used for confirming a transaction from the source organization.
• They looked for a good day for transferring money to different countries, and found a suitable date, which was a holiday in all four countries (US ∩ Bangladesh ∩ Philippines ∩ Sri Lanka).

Fig. 4(a) describes an example of the normal process of the SWIFT malware threat, and Fig. 4(b) describes the custom-made malware attack on the SWIFT process in the case of the Bangladesh Bank attack. What is at stake here? It's the security of our financial systems, which serve as the backbone of many industrialized economies. Businesses must not think of security as an afterthought. Instead, they should be asking themselves: What is the cost of a breach of our security? Of a breach of data? Of a breach of networks? Considering security only after an attack occurs is a mistake. Attacks should be anticipated and prevented. The economic repercussions are too high for security to continue being neglected.

6. Cybercrime Insurance for Security and Privacy of Big Data

This section discusses the economic perspectives of cybercrime insurance for security and privacy of big data.
[Figure 4 panels: (a) Normal process of SWIFT malware threat; (b) Custom malware designed to alter SWIFT transactions that targeted Bangladesh Bank and to hide the alterations.]
Figure 4: (a) Normal SWIFT data hacking process [44]; (b) hacking process using custom malware against Bangladesh Bank's SWIFT software [43] (Source: BAE Systems Applied Intelligence).
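The attack steps and Fig. 4 point to two signals that a bank's own outgoing-payment monitoring could act on before instructions leave the institution: a same-day burst of transfer requests well above the normal daily volume, and a value date on which every jurisdiction on the payment path is closed, so nobody is staffed to query the instruction. The following is an added example, not code from the paper, from SWIFT or from BAE Systems, that encodes those two checks as a screening rule; the calendars, reference numbers, countries and amounts are constructed placeholders.

```python
"""Holiday-aware screening of outgoing payment instructions.

Added example (not code from the paper, from SWIFT or from BAE Systems).
Two screening conditions are applied to an outgoing queue:
  (a) the value date is a holiday in every jurisdiction on the payment
      path (instructing bank, correspondent, beneficiary bank), and
  (b) the same-day batch is larger than burst_factor x the bank's normal
      daily volume.
All calendars, references, countries and amounts are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Instruction:
    ref: str            # constructed message reference
    value_date: date
    originator: str     # country of the instructing bank
    correspondent: str  # country of the bank executing the payment
    beneficiary: str    # country of the receiving bank
    amount_usd: float


@dataclass(frozen=True)
class Finding:
    ref: str
    reason: str


def countries(instr: Instruction) -> Set[str]:
    """Every jurisdiction that would normally be able to query the payment."""
    return {instr.originator, instr.correspondent, instr.beneficiary}


def all_parties_closed(instr: Instruction, calendar: Dict[str, Set[date]]) -> bool:
    """True when the value date is a holiday in every jurisdiction on the path."""
    return all(instr.value_date in calendar.get(c, set()) for c in countries(instr))


def screen(instructions: Iterable[Instruction],
           calendar: Dict[str, Set[date]],
           daily_baseline: int,
           burst_factor: float = 3.0) -> List[Finding]:
    """Return one Finding per triggered condition and instruction.

    The two conditions are independent, so a single instruction released
    in an oversized batch on an all-parties-closed date yields two findings.
    """
    instructions = list(instructions)
    per_day = Counter(i.value_date for i in instructions)
    findings: List[Finding] = []
    for instr in instructions:
        if all_parties_closed(instr, calendar):
            findings.append(Finding(instr.ref, "all parties closed on value date"))
        if per_day[instr.value_date] > burst_factor * daily_baseline:
            findings.append(Finding(instr.ref, "same-day burst above baseline"))
    return findings


# --- constructed sample data (placeholder dates, not the real 2016 calendar) ---
CALENDAR: Dict[str, Set[date]] = {
    "BD": {date(2030, 3, 1)},
    "US": {date(2030, 3, 1)},
    "PH": {date(2030, 3, 1)},
    "LK": {date(2030, 3, 1), date(2030, 3, 4)},
}

# Twenty instructions on a date closed for BD, US and PH, plus one ordinary
# instruction on a date when only LK is closed.
SAMPLE: List[Instruction] = [
    Instruction("TXN-%03d" % n, date(2030, 3, 1), "BD", "US", "PH", 1_000_000.0)
    for n in range(1, 21)
] + [
    Instruction("TXN-021", date(2030, 3, 4), "BD", "US", "LK", 500_000.0),
]


def demo() -> List[Finding]:
    """Screen the constructed queue against a normal volume of 5 per day."""
    return screen(SAMPLE, CALENDAR, daily_baseline=5)


if __name__ == "__main__":
    for f in demo():
        print(f.ref, "->", f.reason)
```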
6.1. Background

Cybersecurity liability insurance is rapidly benefiting businesses in which customer data security and privacy are involved. Most businesses now rely on computers linked to the internet and are therefore exposed to data security and privacy risks from cyberattacks by hackers. Potential financial benefits are a frequent driver of cyberattackers or malicious actors committing data breaches and data exfiltration. As the number of threats (security incidents, attacks, breaches) increases, the risks to businesses are increasing. While some of the negative impacts of a data breach cannot be completely mitigated (e.g., loss of goodwill), some can be (e.g., financial loss). Using cybercrime insurance, enterprises can protect themselves from the financial impact of data exfiltration. This paper overviews the economic perspectives of how cybercrime insurance can address today's risks around the security and privacy protection of big data [11, 45, 46]. A 2016 report stated that in the United States people lost $30 billion to cybercrime. Worldwide that figure is $158 billion. It also estimated that those losses were spread over 594 million victims. On average, to deal with the situation, each of those victims lost 21 hours and about $358 as a result of the breach [47, 48]. While the labor portion of data breaches is not easily mitigated or recouped, the financial losses can be recovered (at least partially) through the risk-transfer benefits offered by cybercrime insurance. Cybercrime insurance is becoming more popular as business and personal losses grow.

6.2. Cybercrime Insurance Coverage

The exact terms of cybercrime insurance coverage vary depending on the insurance provider. Many providers offer similarly structured policies. Insurers are taking a broad, forward-thinking approach to covering clients as cyberattacks continue to become more advanced [49, 45, 50]. Two essential components of cyber insurance policies are security and privacy liability, and breach event cost coverage. In the USA, some businesses take first-party liability insurance or third-party liability insurance. First-party liability insurance covers the business's expenses for the forensic analysis that determines how the data breach happened and for the notifications it is required to send to consumers. Third-party liability insurance provides protection against lawsuits and fines arising from the disclosure of consumers' private data. Conventional liability insurance often excludes cybersecurity liability; therefore, separate insurance protection is essential to safeguard businesses in the event of cyberattacks.
Security and privacy liability covers third parties for damages that result from security or privacy breaches. These events include:

• The third party's failure to protect an individual's information, specifically focusing on the loss, theft, or unauthorized disclosure of the information.
• The destruction of the individual's data by the third party.
• The transmission of malicious code or DoS attacks by the third party.
• The third party's failure to disclose a breach in a timely manner.
• The failure of the third party to comply with its own privacy policy.
• The third party's failure to administer government-mandated identity theft programs or take other actions to prevent identity theft.

Data breach event cost coverage covers the expenses needed to mitigate the breach. These may include expenses related to public relations, advertising, IT forensics, credit monitoring, identity theft assistance, customer service call centers, as well as legal fees incurred [49, 50]. As cyber criminals conduct more sophisticated hacks against an increasing number of targets, insurers will be forced to enhance their insurance policies. Like the above-mentioned coverage, these additional terms will likely cover a broad spectrum; however, they will fall outside the normal scope of coverage, which focuses on data loss. Business interruption coverage is one example of a new enhancement many insurance companies are including in their policies [49, 47, 50, 51]. The need for policy innovation will be crucial for insurers, as it will enable them to be leaders in the cyber insurance industry. It will also be critical for businesses that are targets of attacks to mitigate any damages they may incur.

6.3. Individual Risk Transfer

In April of 2017, the insurance company AIG began offering cybersecurity insurance to individuals. The program, called Family CyberEdge, offers a broad array of services to individual victims of many types of cybercrime, from cyberbullying to extortion. Some of the services offered to Family CyberEdge policyholders include: a holistic assessment of the policyholder's devices and systems; online monitoring that tracks personal information being distributed online; data restoration; public relations; and access to experts and cyber security tools [52].
AIG has also worked with cyberdefense teams at K2, a business intelligence and risk analysis firm, to provide policyholders with assessments of their risk and help them understand and manage the risks they face in cyberspace [11, 47, 52]. Beyond these technical services, the insurance plan also promises to cover the cost of the fallout that can occur from a cyberattack. This includes up to a year of psychiatric services for any family member who becomes a victim of cyberbullying; lost wages if the victim loses their job because of the cyberattack; and the costs of PR and crisis management services. The plan will even cover the ransom paid by a policyholder being blackmailed or extorted by a cybercriminal [53]. The policy is a supplement to homeowner's insurance and is designed for wealthier policyholders. For $50,000 worth of coverage, the cost is $597 added to home insurance premiums. For $100,000 worth of coverage, the premium increases to $972, and at the maximum coverage of $250,000 the premium is $1,723. The plan includes no deductible beyond a flat rate of $1,000 for data restoration. This cost must be weighed against the potential cost of a cyber-attack usually incurred by an individual. Some of these costs are easily quantifiable, such as the payments made to “ransomware” attackers to release data that has been frozen. In 2017 alone, it is estimated that the costs of ransomware exceeded $5 billion [49, 53].

6.4. Case Study: Veterans Affairs Breach

In 2006, the Department of Veterans Affairs (VA) reported that a laptop containing personally identifiable information (PII) of approximately 2.6 million veterans and active duty military personnel was stolen from the home of a VA employee [54]. This breach caused many concerns due to the lack of security safeguards put in place by the Department of Veterans Affairs. The incident caused a complete restructuring of top-level officials at the VA, including operations and security functions and maintenance activities. Although the laptop was eventually recovered, the incident caused the VA to re-assess its security practices and policies not just at the VA level but government-wide. The incident cost the VA $500 million in damages, while no insurance coverage was in place at the time. However, the costs of other cyberattacks can be harder to quantify, such as the cost incurred by a celebrity who has had their personal, oftentimes illicit, photographs hacked and publicly released. The lost wages and emotional toll of these incidents, especially for high earners in the movie industry, could easily meet the coverage cap of the Family CyberEdge plan [52]. There are five lessons to be drawn from the VA data breach:

• There should be a primary focus on encrypting government mobile devices, i.e., laptops and mobile phones.
  At a bare minimum, any government mobile device should adhere to an encryption standard to protect data at rest. The costs for encrypting a mobile device range from $0 to $189 per device, which can then be multiplied by the number of mobile devices in the enterprise [46].
• Guidelines should be put in place creating a more aggressive notification process within agencies. When a breach occurred in the past there was no formal internal process for disseminating information to the proper response teams and administrators; this incident garnered a great deal of attention not only within the VA but across all government entities as well [55].
• A focus on data retention, classification and minimization. Organizations in general should assess what is being retained quarterly, classify the information contained, and minimize or move data that has been at rest and unused for a period of 1 year or more [55].
• Robust remote access policies should be implemented, such as two-factor authentication for remote access to resources, so as to provide a further layer of security. The Office of Management and Budget specifically instructed agencies to implement two-factor authentication as well as to require re-authentication after 30 minutes of inactivity.
• More authority should be given to agency CIOs. The CIO at the VA at the time of the incident did not have full authority to enforce changes within the VA.

7. Conclusion

Corporations and individuals continue to rely on digital technology and on big data security and privacy as attacks on those surfaces become more prevalent and more sophisticated. This paper has investigated the economic perspectives of big data security and privacy in order to protect big data in a secure, private, and most effective manner. It has also analyzed economic aspects from several perspectives: the economic perspective of big data security and privacy, investment decisions, fighting cybercrimes through big data, and cyberinsurance for big data. This paper helps readers understand the importance of data security and privacy in practice and the cost spent on it. Exploring each of the areas presented in this paper needs further detailed analytical results and tools, which will be our future work.
Acknowledgment

The work is supported in part by the doctoral scientific research initial funding project of Baoji University of Arts and Sciences (ZK2018062), in part by a Fordham University Faculty Startup Grant, in part by the Malaysian Ministry of Higher Education Fundamental Research Grant Scheme (FRGS) grant no. RDU190165, in part by the Gansu social science planning program in 2017 (YB111), and in part by the Strategic Project of Colleges and Universities in Gansu Province in 2018 [Study on the Urbanization of Agricultural Transfer Population in Lanzhou New District (2018F-33)].

References

[1] Worldwide big data market revenues for software and services in the next 20 years (Aug. 2018). URL https://www.informationweek.com/big-data/big-data-analytics-market-to-hit-$203-billion-in-2020-/d/d-id/1327092
[2] H. Tao, M. Z. A. Bhuiyan, A. Abdalla, M. Hassan, J. Jain, T. Hayajneh, Secured data collection with hardware-based ciphers for IoT-based healthcare, IEEE Internet of Things Journal (IEEE IoT-J) (2018) 1–10. https://doi.org/10.1109/JIOT.2018.2854714
[3] R. Anderson, T. Moore, Information security: where computer science, economics, and psychology meet, Physical and Engineering Science 367 (1898) (2009) 2717–2727.
[4] J. Cordes, An overview of the economics of cybersecurity and cybersecurity policy, CSPRI Report (2011) 1–18.
[5] T. Moore, The economics of cybersecurity: Principles and policy options, International Journal of Critical Infrastructure Protection 3 (3) (2010) 103–117.
[6] N. Shetty, G. Schwartz, M. Felegyhazi, J. Walrand, Economics of information security and privacy, in: T. Moore, D. Pym, C. Ioannidis (Eds.), The Oxford Handbook of Innovation, Springer, Boston, MA, 2010, Ch. 1, pp. 229–247.
[7] L. Gordon, M. Loeb, W. Lucyshyn, Sharing information on computer systems security: An economic analysis, Journal of Accounting and Public Policy 22 (1) (2003) 461–485.
[8] Big data analytics: What it is and why it matters (Accessed 9 June 2018). URL https://www.sas.com/en_us/insights/analytics/big-data-analytics.html
[9] N. Jentzsch, State-of-the-art of the economics of cyber-security and privacy, IPACSO - Innovation Framework for ICT Security Deliverable, Waterford Institute of Technology (WIT) 4 (1) (2016) 1–79.
[10] B. Mohd, T. Hayajneh, K. Yousef, Z. Khalaf, M. Bhuiyan, Hardware design and modeling of lightweight block ciphers for secure communications, Future Generation Computer Systems 1–12. http://doi.org/10.1016/j.future.2017.03.025
[11] M. Eling, J. Wirfs, What are the actual costs of cyber risk events?, European Journal of Operational Research 272 (3) (2019) 1109–1119.
[12] E. Luo, M. Z. A. Bhuiyan, G. Wang, M. A. Rahman, J. Wu, M. Atiquzzaman, PrivacyProtector: Privacy-protected patient data collection in IoT-based healthcare systems, IEEE Communications Magazine (COMMAG) 56 (2) (2018) 163–168.
[13] T. Wang, M. Z. A. Bhuiyan, G. Wang, M. A. Rahman, J. Wu, J. Cao, Big data reduction for smart city's critical infrastructural health monitoring, IEEE Communications Magazine (COMMAG) 56 (3) (2018) 128–133.
[14] S. Zhang, G. Wang, M. Z. A. Bhuiyan, Q. Liu, A dual privacy-preserving scheme in continuous location-based services, IEEE Internet of Things Journal (IEEE IoT-J) (2018) 1–10.
[15] S. J. Shackelford, Should your firm invest in cyber risk insurance?, Business Horizons 55 (4) (2012) 349–356.
[16] 2017 cybersecurity incident & important consumer information (Accessed Jan 2019). URL https://www.equifaxsecurity2017.com/
[17] S. Zhang, X. Li, Z. Tan, T. Peng, G. Wang, A caching and spatial k-anonymity driven privacy enhancement scheme in continuous location-based services, Future Generation Computer Systems 94 (2019) 40–50.
[18] T. Wang, G. Zhang, A. Liu, M. Z. A. Bhuiyan, Q. Jin, A secure IoT service architecture with an efficient balance dynamics based on cloud and edge computing, IEEE Internet of Things Journal (2018) 1–10. https://doi.org/10.1109/JIOT.2018.2870288
[19] S. Zhang, K.-K. R. Choo, Q. Liu, G. Wang, Enhancing privacy through uniform grid and caching in location-based services, Future Generation Computer Systems 86 (2018) 881–892.
[20] T. Wang, G. Zhang, M. Z. A. Bhuiyan, A. Liu, W. Jia, M. Xie, A novel trust mechanism based on fog computing in sensor-cloud system, Future Generation Computer Systems (2018) 1–16. https://doi.org/10.1016/j.future.2018.05.049
[21] T. Wang, J. Zeng, Y. Lai, Y. Cai, H. Tian, Y. Chen, B. Wang, Data collection from WSNs to the cloud based on mobile fog elements, Future Generation Computer Systems (2018) 1–15. https://doi.org/10.1016/j.future.2017.07.031
[22] S. Zhang, G. Wang, M. Z. A. Bhuiyan, Q. Liu, A dual privacy preserving scheme in continuous location-based services, IEEE Internet of Things Journal 5 (5) (2018) 4191–4200.
[23] T. Wang, J. Zhou, A. Liu, M. Z. A. Bhuiyan, G. Wang, W. Jia, Fog-based computing and storage offloading for data synchronization in IoT, IEEE Internet of Things Journal (2018) 1–8. https://doi.org/10.1109/JIOT.2018.2875915
[24] S. Zhang, G. Wang, Q. Liu, J. H. Abawajy, A trajectory privacy-preserving scheme based on query exchange in mobile social networks, Soft Computing 22 (18) (2018) 6121–6133.
[25] L. Jiang, V. Anantharam, J. Walrand, How bad are selfish investments in network security?, IEEE/ACM Transactions on Networking 19 (2) (2009) 549–560.
[26] J. Son, J. Park, H. Oh, M. Z. A. Bhuiyan, J. Hur, K. Kang, Privacy-preserving electrocardiogram monitoring for intelligent arrhythmia detection, Sensors 17 (6) (2017) 31–22.
[27] A. Mukhopadhyay, S. Chatterjee, D. Saha, A. Mahanti, S. K. Sadhukhan, Cyber-risk decision models: To insure IT or not?, Decision Support Systems 56 (2013) 11–26.
[28] D. Gutierrez, Worldwide big data market revenues for software and services in the next 20 years (Oct. 2014). URL https://insidebigdata.com/2014/10/20/big-data-finance-security-regulatory-compliance-considerations/
[29] Reduce losses from fraudulent transactions (Jun. Accessed 9 June 2018). URL https://www.sas.com/en_us/customers/hsbc.html [30] R. Copping, M. Li, The promise and challenge of big data for pharma (Nov. 2016, Accessed April 2018). URL https://hbr.org/2016/11/ the-promise-and-challenge-of-big-data-for-pharma [31] L. Gordon, M. Loeb, The economics of information security investment, ACM Transactions on Information 5 (4) (2002) 438–457. [32] L. Gordon, M. Loeb, W. Lucyshyn, L. Zhou, Externalities and the magnitude of cyber security underinvestment by private sector firms: A modification of the gordon-loeb model, Journal of Information Security 6 (1) (2015) 4. [33] S. Farrow, The economics of homeland security expenditures: Foundational expected cost-effectiveness approaches, Contemporary Economic Policy, 25 (1) (2008) 14–26. [34] K. Leswing”, Nearly one in 10 americans surveyed say they deleted their facebook account over privacy concerns (Jun. Accessed 9 June 2018). URL https://www.businessinsider.com/delete-facebookstatistics-nearly-10-percent-americans-deleted-facebookaccount-study-2018-4 [35] M. La, R. Paula, Nearly one in 10 americans surveyed say they deleted their facebook account over privacy concerns (Jun. Accessed 9 June 2018). URL https://www.businessinsider.com/delete-facebook -statistics-nearly-10-percent-americans-deleted-facebookaccount-study-2018-4 [36] That insane, $81m bangladesh bank heist? here’s what we know (Aug. Accessed 01 Aug 2018). URL https://www.wired.com/2016/05/ insane-81m-bangladesh-bank-heist-heres-know/ [37] Use big data to fight cybercrime (Aug. Accessed 10 Aug 2018). URL https://www.techrepublic.com/blog/tech-decision-maker/ use-big-data-to-fight-cybercrime/ [38] Charts: Must-know healthcare cybersecurity statistics (Aug. Accessed 10 Aug 2018). URL https://www.healthcaredive.com/news/ must-know-healthcare-cybersecurity-statistics/435983/ 29
[39] Healthcare security $65 billion market,cybersecurity ventures (Aug. Accessed 10 Aug 2018). URL https://cybersecurityventures.com/ healthcare-cybersecurity-report-2017/ [40] E. Snell, 78of providers report healthcare ransomware and malware attacks (Aug. Accessed 10 Aug 2018). URL https://healthitsecurity.com/news/ 78-of-providers-report-healthcare-ransomware-malware-attacks [41] Cybercriminals vs financial institutions (Aug. Accessed 01 Aug 2018). URL Website:https://securelist.com/ cybercriminals-vs-financial-institutions/83370/ [42] Istr financial threats review 2017 (Nov. Accessed 01 Aug 2018). URL https://www.symantec.com/content/dam/ symantec/docs/security-center/white-papers/ istr-financial-threats-review-2017-en.pdf [43] Bangladesh bank attackers hacked swift software (Nov. Accessed Nov 2017). URL https://www.bankinfosecurity.com/ report-swift-hacked-by-bangladesh-bank-attackers-a-9061 [44] Analysis of the swift malware threat (Nov. Accessed Nov 2017). URL https://www.paymentscardsandmobile.com/ analysis-swift-malware-threat/ [45] U. Franke, The cyber insurance market in sweden, Computers & Security 68 (2017) 130–144. doi:https://doi.org/10.1016/j.cose.2017.04.010. [46] S. Morgan, How consumers lost $158 billion to cyber crime in the past year... and what to do about it, forbes (Nov. Accessed Jun 2018). URL https://www.forbes.com/sites/stevemorgan/2016/01/24/ how-consumers-lost-158-billion-to-cyber-crime-in-the-past -year-and-what-to-do-about-it/#1a45b2092b65 [47] A. Marotta, F. Martinelli, S. Nanni, A. Orlando, A. Yautsiukhin, Cyber-insurance survey, Computer Science Review 24 (2017) 35 – 61. [48] R. Laycock, Why it’s great news that cyber insurance is becoming more popular, cso (Nov. Accessed Jun 2018). URL https://www.cso.com.au/article/630704/ why-it-great-news-cyber-insurance-becoming-more-popular/ 30
[49] M. Eling, N. Loperfido, Data breaches: Goodness of fit, pricing, and risk measurement, Insurance: Mathematics and Economics 75 (2017) 126 – 136. [50] J. Rosengarten, The importance of policy enhancements in cyber insurance, insurance business america (Nov. Accessed Jun 2018). URL https://www.insurancebusinessmag.com/us/news/cyber/ the-importance-of-policy-enhancements-in-cyber-insurance-95515. aspx [51] M. Z. A. Bhuiyan, J. Wu, Collusion attack detection in networked systems, in: Proc. of IEEE DASC, 2016, pp. 1–8. [52] Cyberedge video summary, aig (Nov. Accessed Jun 2018). URL http://www.aig.com/ms/sales-tools-cyberedge-home/ sales-tools-cyberedge-tools/sales-tools-cyberedge-white [53] E. Shuman, How one personal cyber insurance policy stacks up, idg (Nov. Accessed April 2018). URL https://www.computerworld.com/ article/3190209/cybercrime-hacking/ how-one-personal-cyber-insurance-policy-stacks-up.html [54] M. H. Bosworth, Va loses data on 26 million veterans (Accessed Dec. 2018). URL https://www.consumeraffairs.com/news04/2006/05/va_ laptop.html [55] S. Morgan, Global ransomware damage costs predicted to hit $11.5 billion by 2019,” cybersecurity ventures (Nov. Accessed April 2018). URL https://cybersecurityventures.com/ ransomware-damage-report-2017-part-2/
31
Hai Tao received his B.Sc. degree from the Department of Computer and Information Science of Northwest University of Nationalities in 2004. He received his M.S. degree from the School of Mathematics and Statistics of Lanzhou University in 2009. He obtained his Ph.D. degree from the Faculty of Computer Systems and Software Engineering of the University Malaysia Pahang. Currently, he is an Associate Professor at Baoji University of Arts and Sciences. His current research interests include machine learning, the Internet of Things, and optimization computation.

Md Zakirul Alam Bhuiyan, PhD, is currently an Assistant Professor in the Department of Computer and Information Sciences at Fordham University, NY, USA, and the Founding Director of the Fordham Dependable and Secure System Lab (DependSys). He is also a Visiting Professor at Guangzhou University, China. Earlier, he worked as an Assistant Professor at Temple University. His research focuses on dependability, cybersecurity, big data, and cyber-physical systems. His work in these areas has been published in top-tier venues, including IEEE TC, TPDS, TDSC, TII, COMMAG, IoT-J, ACM TOSN, TAAS, CS, INS, JNCA, and so on. He has served as a guest/associate editor for IEEE TBD, ACM TCPS, IoT-J, INS, FGCS, JNCA, and so on. He has also served as an organizer, general chair, program chair, workshop chair, and TPC member of various international conferences, including IEEE INFOCOM. He is a senior member of IEEE and a member of ACM.

Md Arafatur Rahman, PhD, received his Ph.D. degree in Electronic and Telecommunications Engineering from the University of Naples Federico II, Naples, Italy, in 2013. Currently, he is a Senior Lecturer (equivalent to Assistant Professor) with the Faculty of Computer Systems & Software Engineering, University Malaysia Pahang. His research interests include the Internet of Things (IoT), wireless communication networks, cognitive radio networks, and vehicular communication. Dr. Rahman has received a number of prestigious international research awards, notably the Best Paper Award at ICNS'15 (Italy), the Best Masters Student Award, the ITEX'17 Award at the International Exhibition in Malaysia, and the iENA'17 Award in Germany. Dr. Rahman has co-authored over 60 IEEE and Elsevier journal and conference publications and has served as a Publicity Chair, Session Chair, Programme Committee member, and Technical Programme Committee (TPC) member for numerous leading conferences worldwide. He is a Fellow of the IBM Center of Excellence, Malaysia, and a Member of IEEE.
Guojun Wang received the B.Sc. degree in geophysics in 1992, the M.Sc. degree in computer science in 1996, and the Ph.D. degree in computer science in 2002, all from Central South University, Changsha, China. He is a Professor in the School of Computer Science and Educational Software, Guangzhou University. He has been a Professor at Central South University, China, an Adjunct Professor at Temple University, USA, a Visiting Scholar at Florida Atlantic University, USA, a Visiting Researcher at the University of Aizu, Japan, and a Research Fellow at the Hong Kong Polytechnic University. His research interests include network and information security, the Internet of Things, and cloud computing. He is a Senior Member of CCF and a member of IEEE, ACM, and IEICE.
Tian Wang received his B.Sc. and M.Sc. degrees in Computer Science from Central South University in 2004 and 2007, respectively. He received his Ph.D. degree from City University of Hong Kong in 2011. Currently, he is a professor at Huaqiao University, China. His research interests include wireless sensor networks, fog computing, and mobile computing.
Md. Manjur Ahmed is a senior lecturer at Universiti Malaysia Pahang (UMP) and received his Ph.D. (2016) in Computational Intelligence from Universiti Sains Malaysia (USM). He completed his B.Sc. (2009) in Computer Science and Engineering at Khulna University of Engineering and Technology, Bangladesh. His current research interests include fuzzy information granules, data science, and applications of computational intelligence.

Jing Li obtained a Bachelor of Management from Anhui University of Finance and Economics in 1998, and a Master's degree and Ph.D. in Economics from Lanzhou University in 2004 and 2018, respectively. Her research interests include risk management, Internet of Things economics, urban-rural integration issues, and urban economic theories and methods. She has published more than 20 academic papers in international journals and a book entitled "Study on New Urban and Rural Forms in the Process of Urban and Rural Integration in Ethnic Regions of Gansu Province".
Highlights
The paper discusses economic perspectives on big data security and privacy and conducts several case studies of these perspectives throughout the paper. The paper analyzes the economics of investment decisions for protecting the security and privacy of big data. The paper presents economic perspectives on using big data to fight cybercrime and on cyber insurance for big data. Finally, the paper analyzes the economic perspectives of governmental regulation for big data.