Assessing Home Internet Users’ Demand for Security Brent Rowe, RTI International Dallas Wood, RTI International

Study Sponsor The Institute for Homeland Security Solutions (IHSS) – a research consortium funded by the U.S. Department of Homeland Security ( IHSS was established to conduct applied research in the social and behavioral sciences to address a wide range of homeland security challenges

ISP-based Security Solutions ISPs are in prime position to observe internet traffic and quarantine infected users (van Eeten, 2010) but Few ISPs actually respond to signs of infection or misbehavior (Arbor Networks, 2009). Many policies have been proposed to encourage ISPs to pursue more active roles in security (Lightman & Posner, 2004; Moore, 2010; Clayton, 2010).

Costs to Home Internet Users ISP-led security solutions have the potential to impose at least three kinds of costs on home internet users: 1.Increases in the cost of internet access; 2.time spent complying with ISP-determined security requirements; and 3.limits on their internet access.

Research Questions 1.Quantify Home Internet User preferences using discrete choice experiments (n=3,635); 2.Explore Home Internet User WTP for changes in individual ISP security package features; 3.Explore Home Internet User WTP for hypothetical security packages.

Methodology: Discrete Choice Experiments A stated preference survey method that uses “choice experiments” to assess individuals’ preferences for specific goods, services, or polices. Experiments ask individuals to choose between two or more hypothetical goods/services/polices. Each differing along several characteristics or “attributes”.

Attributes: ISP Security Strategies 1.Pay Additional Monthly Fee – $4 per month – $7 per month – $12 per month 2.Spend Time Complying with ISP security requirements – 0.5 hours per month – 1 hour per month – 3 hours per month 3.Allow ISPs to Restrict Subscriber Access to the Internet – Never – Restrict usage to certain functions/websites if user is infected w/malware – Entirely cut-off internet access if infected user is infected w/malware

Attributes: Cyber Security Outcomes 1.Reduced risk of your computer slowing down or crashing – Not Reduced – Somewhat Reduced – Greatly Reduced 2.Reduced risk of your identity being stolen – Not Reduced – Somewhat Reduced – Greatly Reduced 3.Reduced risk to other individuals and business from your insecurity – Not Reduced – Somewhat Reduced – Greatly Reduced

Example Choice Experiment Option AOption B ISP Strategies to Improve Security Adding a fee to your bill to provide security services to Internet subscribers $4 per month$7 per month Requiring you and other Internet subscribers to comply with security requirements and training 0 hours per month Limiting Internet access for you or other subscribers who show signs of malicious or illegal activity ISP can never limit your access to the Internet Cyber Security Outcomes Reduced risk of your computer slowing down or crashing Greatly Reduced Reduced risk of your identity being stolen Not Reduced Reduced risk to other individuals and business from your insecurity Not ReducedGreatly Reduced

Random Utility Model We only observe the choices respondents make. To quantify preferences, we need to make assumptions about respondent utility function. u jt = v jt (X jt ) + ε jt, j = 0, 1, 2, t = 1,….,7 Where v is deterministic component of utility that depends on vector of attribute levels X jt and ε jt is a random error.

Regression Model to Quantify Preferences

Research Question 1: Quantified Preferences

Home Internet Users prefer: – Smaller monthly fees – Less time complying with security requirements – Not having their internet connection interrupted – Great reductions in cyber security risks

Research Question 2: WTP for ISP Security Features Estimated WTP ($/month) 95% Confidence Interval Time Spent Complying with ISP Security Requirements: WTP to avoid 1 hour of time complying with security requirements 0.73[0.57 to 0.92] Limiting Internet Access: WTP to avoid ISPs being able to entirely cut-off internet access 4.32[3.72 to 4.92] Risk of Computer Slowing Down or Crashing: WTP to greatly reduce risk 4.40[3.83 to 4.97] Risk of Identity Theft: WTP to greatly reduce risk 6.51[5.86 to 7.16] Risk to Other Individuals and Businesses: WTP to greatly reduce risk relative 2.94[2.44 to 3.45]

Research Question 3: WTP for Hypothetical ISP Packages Hypothetical ISP Package 1 (Most Preferred): fee = $0, time = 0 hours, ISP can never limit Internet access, and all security risks are “greatly reduced.” Hypothetical ISP Package 2 (Quarantine): fee = $0, time = 1 hour, ISP can entirely cut off Internet access, and only security risks to others “greatly reduced.”

Research Question 3: WTP for Hypothetical ISP Packages Estimated WTP ($/month) 95% Confidence Interval Most Preferred Package7.24[6.51 to 7.97] Quarantine Package1.22[1.03 to 1.41]

Future Research Questions We have seen U.S. Home Internet Users are willing to pay for ISP security packages, but that they can also be ill informed wrt cyber security. If users were better aware of cyber security threats, would they pay more for security? We investigate this question in a forthcoming paper using 7 information treatments

Additional Information If you would like additional information please contact: Dallas Wood dwood at rti.org Brent Rowe browe at rti.org