Strategic philanthropy for cyber security : an extended cost-benefit analysis framework to study cybersecurity
An extended cost-benefit analysis framework is developed and applied to an in-depth case study of a Korean security agency, its Computer Emergency Response Team (CERT), and can be used for assessing international programs and activities aimed at improving cyber security, where the costs and benefits are not restricted by traditional boundaries.
Abstract
The international climate of cyber security is dramatically changing and thus unpredictable. As such, agile yet sustainable solutions are needed, along with an effective and a pragmatic evaluation framework to assess and demonstrate the value and efficacy of international development collaboration. Currently, no mature frameworks are available for evaluating such non-conventional, new, and complex international activities as they exist today, and thus this study aims to provide an innovative and pragmatic approach to study cybersecurity. This study recognizes the lack of institutionalized solutions, and aims to provide a novel framework with which to evaluate emerging solutions. In particular, this study evaluates the effectiveness of international development activities and public-private partnerships as a way to improve cyber security. Guided by literature on strategic philanthropy and international development, this study develops an extended cost-benefit analysis framework and applies it to an in-depth case study of a Korean security agency, its Computer Emergency Response Team (CERT.) This newly extended framework can be used for assessing international programs and activities aimed at improving cyber security, where the costs and benefits are not restricted by traditional boundaries. Unlike conventional approaches, this study explicitly includes three additional critical aspects, which are neglected in the conventional costbenefit analysis framework: 1) synergic effect (such as public-private partnership), 2) indirect impact, and 3) shared value. An in-depth case study with field interviews and technology reviews was conducted to test the applicability of this extended framework. Based on the application to the case of the international development activities of the Korean CERT, this study presents two findings. First, private companies can benefit from participating in government-led international development programs. Second, international development activities are effective solutions to improving global and local cyber security. Repeated applications of this framework to other cases will further assess the generalizability of the framework. Cumulated evidence from evaluating the effectiveness of international development activities will also inform the development of future activities for establishing partnerships of strategic philanthropy to improve cyber security. Thesis Supervisor: Stuart Madnick Title: John Norris Maguire Professor of Information Technologies, MIT Sloan School of Management & Professor of Engineering Systems, MIT School of Engineering (THIS PAGE INTENTIALLY LEFT BLANK)