Applying Public Health Systematic Approaches to Cybersecurity: The Economics of Collective Defense

TL;DR

This paper explores how applying public health organizational principles to cybersecurity can address market failures, improve coordination, and enhance collective defense through systematic data collection and government-led infrastructure.

Contribution

It proposes a national Cyber Public Health System modeled after public health, emphasizing government coordination, standardized measurement, and infrastructure development for cybersecurity.

Findings

Both domains exhibit public good characteristics leading to market failure.

Current cybersecurity infrastructure is lacking in standardization and coordination.

Government intervention is economically justified to improve cybersecurity outcomes.

Abstract

The U.S. public health system increased life expectancy by more than 30 years since 1900 through systematic data collection, evidence-based intervention, and coordinated response. This paper examines whether cybersecurity can benefit from similar organizational principles. We find that both domains exhibit public good characteristics: security improvements create positive externalities that individual actors cannot fully capture, leading to systematic market failure and underinvestment. Current cybersecurity lacks fundamental infrastructure including standardized population definitions, reliable outcome measurements, understanding of transmission mechanisms, and coordinated intervention testing. Drawing on public health's transformation from fragmented local responses to coordinated evidence-based discipline, we propose a national Cyber Public Health System for systematic data collection, standardized measurement, and coordinated response. We argue government coordination is economically necessary rather than merely beneficial, and outline specific federal roles in establishing standards, funding research, coordinating response, and addressing information asymmetries that markets cannot resolve.