In the domain of Global Warming and Pollution Control, an innovative idea that has been used to incentivize good players and disincentivize bad players is the system of Carbon Credits. The system puts a cap on carbon emissions by nations and industries and, so as not to be harsh on those who need time to change, requires those who are above certain norms to buy Carbon Credits from the market. Those who undertake green initiatives of their own are rewarded with Carbon Credits, which can be encashed by sale, through appropriate exchanges, to those who need them. As a result, farmers and plantation owners who absorb carbon dioxide from the atmosphere are given credits which can be sold to others who release carbon into the atmosphere. The philosophy behind this idea appears to hold promise for the development of an Information Security Eco System, and we need to try the system in India at least as an experimental measure.
I propose to place some thoughts in this regard through this forum.
One of the problems in Cyber Security is that Cyber Space cannot be guarded like physical space, by an army placed at the border. Cyber invaders descend on any computer or mobile and spread across. Hence each individual device connected to the internet can be considered a Cyber Border and needs to be protected. If not, malware will gain entry into the country.
Once malware is in the country, it will get into critical IT infrastructure as well as the not so critical. All corporate information security measures are aimed at creating pockets of secure zones, which not only secure the company's own systems against the entry of malware and cyber criminals but also, in the process, secure the cyber borders to which those systems are exposed. If, therefore, a company has 1000 systems connected to the internet and its information security is satisfactory, 1000 cyber border entry points are secured. At the same time, another company which does not have similar security establishments will pose a threat to the nation by having porous cyber borders.
What is therefore required in the overall context of securing the Cyber Space within the country is to encourage companies to improve their own security measures and discourage those who ignore the cyber security practices.
If, therefore, a company wants to introduce cyber security and is prepared to incur costs which its competitors are avoiding, there is a need to build incentive and disincentive schemes to even out the competitive pressures which keep companies from implementing available standard information security practices.
It is in this context that I propose that we introduce a system whereby we define a norm, say, for each industry and also define performance measuring parameters so that we can identify those who do better or worse than the norm, keep a ledger of their performance, and develop a system where the under performers pay an extra tax while the over performers get a subsidy. The effort is to encourage everybody to move to a given normative stage. Periodically, the normative level can be redefined to ensure that the cyber security eco system keeps pace with global requirements.
The Government obviously has to step in to define the normative levels and the measurement of performance. If possible, industry regulators, say RBI for Banks, can also initiate similar measures. Once the system is in place, info sec credits can be given to the over performers and info sec debits can be placed on the under performers. The under performers will then have to buy credits and show a nil balance, say, whenever their financial balance sheets are drawn. The Government can provide tax incentives and disincentives based on the info sec credit balances declared in the balance sheets.
Simultaneously, recognizing that “Cyber Security Awareness” is an important input to the development of a Cyber Security Eco System, whosoever acquires cyber security knowledge in the form of certifications and whosoever contributes to cyber security education should also be provided with appropriate credit points, which can be traded in the secondary market for info sec credits or exchanged for tax credits.
It is envisaged that, under equilibrium conditions, the market will pay for itself to upgrade the cyber security status of the eco system and the Government need not incur expenses on its own. However, until a proper secondary market develops, the Government may provide “Tax Credits” in exchange for “Info-Sec Credits” so that those who earn such credits can encash the benefits.