Gonzalez, Jose with Konstantin Lenchik   "The Economics of Cybersecurity: Boomerang Effects from Misaligned Incentives", 2016 July 17 - 2016 July 21

The Economics of Cybersecurity: Boomerang Effects
from Misaligned Incentives

Jose J. Gonzalez*† and Konstantin Lenchik*

*Norwegian Information Security Laboratory, NTNU Gjovik, Norway
†Centre for Integrated Emergency Management, University of Agder, Norway
Abstract

Externalities, like misaligned incentives that charge to third parties the costs for
bad information security, are tough barriers to overcome. A number of
proposals for regulatory options have been suggested. However, the claim that
misaligned incentives have their impact on third parties is not the whole truth.
Security systems are complex not only in the sense of being composed of many
interdependent parts. The most challenging part of their complexity resides in
the propagation of effects, resulting in highly unexpected, counterintuitive
dynamic behaviour. In particular, unintended side effects can act as
boomerangs that impact hardest on the owner of the security defences who
intends to push the costs of bad security to third parties. Using system
archetypes and concept models we explain how misaligned incentives in the
security of ATM systems acted against banks imposing the burden of proof of
fraud claims on their customers. We argue that an analysis of unintended side
effects arising from the misalignment of incentives is likely to benefit both
agents responsible for information security and third parties.

1 Introduction

Misaligned incentives are responsible for bad cybersecurity to the extent that “security failure is caused at least as often by bad incentives as by bad design” [1, p. 610]. Misaligned incentives occur, e.g., when the organization responsible for the security of a system does not bear the full costs of its failure [1, p. 610ff; 2, p. 105ff]. A number of regulatory principles have been proposed to overcome misaligned incentives hindering good cybersecurity [2, p. 107ff]. However, the way to apply those proposals in practice is long, and in the meantime security continues to suffer.

This paper suggests an additional path to mitigate the occurrence of misaligned incentives: those responsible for security, from now on called “defenders”, can themselves be hit, albeit with a time delay, quite severely when they push significant costs to third parties. The perceived incentive on the side of the defender is doubly misaligned: 1) because third parties, by design, suffer from the resulting externality; and 2) because ultimately the chosen security strategy hits the defender as a boomerang with a vengeance, owing to unanticipated side effects of the bad security solution.

This contribution continues with a section on counterintuitive behaviour resulting from feedback and time delays in complex systems (§2). Next, in §3 lessons from the experiences with ATM security designs in European and US banks illustrate that a security solution with misaligned incentives, as was possible in some European countries in the 1980s, hit the banks with a time delay. In contrast, in the US, where legal regulations forced the banks to pursue well aligned incentives, the ATM security designs proved ultimately more profitable for the banks and the banks’ customers. In §4 we use simple causal loop diagrams (“system archetypes”) to provide intuitive qualitative models of the ATM security cases in Europe and the USA. In §5 we sketch simple concept simulation models for ATM security that can be used to test the behaviour of the two alternative approaches to ATM security, viz. putting the burden of proof on customers or the bank assuming the burden of proof in case of ATM fraud. Section 6 provides concluding remarks.

2  Counterintuitive dynamic behaviour

Information security is an extremely complex field involving technology, organization, legislation and standards with physical, logical and social layers [3, p. 1-12]. Disciplines as different as information and communication technology, information systems, management science, microeconomics, psychology, sociology and law are involved in the design, management and maintenance of information security. Time delays, non-linearity and feedback are rampant in security management. It can safely be concluded that information security management belongs to the class of dynamically complex systems.

There are two types of complexity, combinatorial and dynamic. Combinatorial complexity is the aggregate impact of a high number of system components; combinatorial complexity can be efficiently dealt with by decomposing the system into subsystems, each small enough to be easily handled. Dynamic complexity refers to the behaviour over time caused by non-linear relations and feedback among the system components. Behaviour over time driven by nonlinear relations tends to be difficult to predict, even when the system is small. In addition, more often than not, interdependencies in real systems propagate from node to node with time delays, so that the distance between interventions affecting the system and the results caused by the interventions can be large both in terms of where and when the results show up [4].

A main consequence of the above is that interventions in dynamically complex systems always have side effects.

In the spirit of reference [5], consider first the outcome intended by the decision maker. The intervention must be applied over some period of time and the outcome will be some time-dependent result that in turn will influence the dosage of the intervention (expressed by the influence arrows in Figure 1). The closed loop of causes and effects describes a pattern of feedback occurring over some time interval. The feedback is shown symbolically by the loop labelled ‘Intended consequence feedback loop’.

Figure 1 The outcome is achieved gradually during some time interval. The intervention changes over time as it is administered in relation to the evolving outcome. (Diagram: ‘intervention’ → ‘outcome’ → ‘intervention’, closed by the ‘Intended consequence feedback loop’.)

Owing to the interdependent system components the outcome will cause side effects. Unless the decision maker has done an excellent job of modelling the system so as to anticipate the side effects, the system reaction will be unintended and, more often than not, unexpected. Again, one has feedback acting over some period of time (labelled on Figure 2 as ‘Unintended consequences feedback loop’). The line labelled “system boundary” indicates that the unintended consequences are hidden from the view of the decision maker. In dynamically complex real systems the effects of interventions tend to show up far away from the origin of the intervention. Also, the unintended consequences can appear with significant time delays as side effects, so that the causal connection between the intervention and the system reaction is not apparent. The significant time delay is shown on Figure 2 by the || on the influence arrow going from ‘outcome’ to ‘system reaction’.

Figure 2 The system reaction arises with significant time delays and is hidden from the view of the decision makers. (Diagram: ‘intervention’ → ‘outcome’ → ‘system reaction’ → ‘intervention’, with the ‘Intended consequence feedback loop’, the ‘Unintended consequences feedback loop’ and a ‘system boundary’ line.)

Another important aspect is that, quite often, the dynamic complexity of the system makes the unintended consequences highly counterintuitive.

Initially, in dynamically complex systems the intervention mostly achieves the intended outcome, but as the system reaction evolves the unintended consequence often compromises the intended outcome. This phenomenon is known as policy resistance [4].

3 The security of ATMs in Europe and USA

In a survey of fraud against automatic teller machines (ATMs) [6], Anderson found that patterns of fraud depended on whether the bank’s customer or the bank itself was liable for them. In some countries, including the USA, if a customer disputed a transaction, the bank had the burden of proof that the customer was mistaken or lying; this gave the banks a motive to protect their systems properly. But in several European countries (including Britain, Norway and the Netherlands), the customer had the burden of proof: the bank was right unless the customer could prove it wrong — an almost impossible task. The “lucky” banks in these countries became complacent and careless. Eventually, avalanches of fraud demolished their complacency. In contrast, the banks in the USA and other countries where the bank had the burden of proof suffered much less fraud. Most remarkably, they spent less money on security than their European counterparts. Thus, better aligned incentives, whereby the defender suffered most if security was bad, turned out to be the best investment for the banks and for the banks’ customers as well [1, p. 611, 6].

4 Qualitative model of ATM security

Consider first the European ATM case. The banks acted by setting up the ATM system so that if the customer disputed the transaction, the burden of proof was on the customer. Thus, the bank’s intervention is ‘Burden of proof on customers’, see Figure 3. The intended outcome was to reduce the number of fraudulent transactions by the customer (represented by the variable ‘Fraudulent transactions’) to some acceptable target. Thus, one has as intended consequence a control strategy, expressed by the balancing feedback loop labelled ‘B: Customer is liable’ on Figure 3. The influence arrow from ‘Burden of proof on customers’ to ‘Fraudulent transactions’ has a minus sign — a negative polarity — expressing that the two variables move in opposite directions. That is, if the burden of proof on customers is increased, the outcome — fraudulent transactions — gets reduced (and vice versa).

The unintended consequence of the bank putting the burden of proof on the customer is an increase in the bank’s complacency [1, p. 611, 6], shown on Figure 3 by the influence arrow from ‘Burden of proof on customers’ to ‘Bank’s complacency’. Note that this arrow has positive polarity, expressing that the variables move in the same direction. That is, an increase in the burden of proof exerted on customers increases the bank’s complacency, whereas if the bank exerted less pressure on making the customer liable, the bank’s complacency would decrease.

Figure 3 Archetype for the European ATM case (variables ‘Burden of proof on customers’, ‘Fraudulent transactions’, ‘Bank’s complacency’ and ‘ATM security’)

In turn, the variable ‘Bank’s complacency’ influences ‘ATM security’ with negative polarity: an increase in the bank’s carelessness decreases the ATM security over time — with some time delay, indicated by | |, as too little is done to analyse the causes of fraud, discover vulnerabilities and exploits, and remedy them. Over time, again with some delay, ‘ATM security’ influences ‘Fraudulent transactions’ with negative polarity — expressing that a decrease in ‘ATM security’ increases the rate of fraudulent transactions — as more and more crooks discover the poor security in the ATMs while the bank is barking up the wrong tree.

Note that the influence arrow from fraudulent transactions to burden of proof on the customer closes a second feedback loop. Walking along the influence links and considering their polarities it can be recognized that this feedback loop is reinforcing (R): if, e.g., the bank increases the burden of proof on customers, the chain of influences along the feedback loop ‘R: ATM fraud epidemic’ ultimately forces the bank to a further increase of the burden of proof on the customers.

The archetype on Figure 3 is an out-of-control archetype in the terminology of Wolstenholme [5]. The balancing feedback loop ‘B: Customer is liable’ expresses the intended consequence of the bank’s strategy, viz. to control fraud. The unintended consequence is expressed by the reinforcing feedback loop ‘R: ATM fraud epidemic’. Reinforcing feedback loops can act viciously or virtuously, depending on whether they are triggered to increase or decrease unpleasant effects. In this case, the reinforcing feedback loop is vicious indeed. Owing to the banks’ refusal to recognize their prominent part in the bad ATM security [6] — expressed symbolically by the boundary line on Figure 3 — and the time delays in the chain of influences, crooks exploited the numerous vulnerabilities in the ATMs, producing an avalanche of fraud that at long last caused major customer dissatisfaction, loss of reputation and ultimately forced the banks to improve the neglected ATM security — at much higher costs than a well-designed proactive security would have required [1, 6].

Consider now the US ATM case. Here, the bank’s strategy built on the opposite principle from the European case. If the customer disputed an ATM transaction the burden of proof was on the bank. Thus, the bank’s intervention is ‘Burden of proof on bank’ on Figure 4. The intended consequence is to reduce the number of fraudulent transactions (represented by the variable ‘Fraudulent transactions’) to some acceptable target. The bank assumed the responsibility and spent resources on ATM security as needed (expressed by ‘Security spending’) [1, 6], which affected fraudulent transactions with negative polarity. To the extent that fraudulent transactions occurred, the burden of proof on the bank was exerted, closing the loop. The intended consequence was controlling, resulting in a balancing feedback loop, labelled ‘B: Bank is liable’.

Figure 4 Archetype for the US ATM case (variables ‘Burden of proof on bank’, ‘Security spending’, ‘Fraudulent transactions’ and ‘Fraud schemes’; loops ‘B: Bank is liable’ and ‘R: Betting on the bank accepting the loss’; boundary line)

Customers and non-customers know that it is difficult and costly for the bank to
prove who did the fraudulent transaction. They know too that the bank will not
act if the fraudulent transactions involve small sums of money. Hence,
dishonest customers and professional crooks speculated on that, and (with
some time delay) they came up with ingenious ‘Fraud schemes’ (positive
polarity), which increased the number of ‘Fraudulent transactions’ (positive
polarity). The unintended outcome was a reinforcing loop (‘R: Betting on the
bank to accept the loss’).

Also for the US case the problem archetype is an out-of-control one, following the terminology of Wolstenholme [5]. But the impact of the out-of-control archetypes was quite different for European and American banks.

In the European case the banks did not pay enough attention to the ATM security. As the unintended consequence showed up, with significant time delays (Figure 3), the banks were increasingly facing bad publicity and loss of customers, as well as getting involved in costly court disputes. Sometimes the customers won, making the banks lose face. In the end, the banks had no choice but to acknowledge that the original security solution was bad and to make big investments in security. The investments were very costly, since the ATM system was neither designed nor maintained with security in mind, and the solution was less good than if the bank had made security a strong priority in the first place [6].

In the US case, the banks designed and maintained the ATM system with security in mind. Figure 4 shows that ATM security is embedded in the intended outcome feedback loop. Although advances in fraud schemes forced the banks to enhance the ATM security, the fact that the banks were security aware and that they were not losing face facilitated a quick reaction, and the remedy was less costly than in the European case. This is in accordance with the facts [1, 6].

5 Simulation model of ATM security

Research on information security is hindered by scarcity of data, owing to several reasons [7]: attackers conceal as many aspects of their attacks as possible; organizations gather data on attacks for specific purposes that are not necessarily aligned with scientific data sampling; organizations controlling data assets are very reluctant to share data on those assets out of fear of bad publicity. Our case is not different: unfortunately, all the information available about the ATM security case in Europe or the US is qualitative and can be summarised in a few statements — as was done in §3. All that can be said about the reference behaviour is that the ATMs in some European countries were exposed to an avalanche of fraud while the ATMs in the US were much safer. Further, that US banks ultimately invested less in ATM security while their ATMs nevertheless were more secure than their European counterparts.

The archetype analysis of the previous section is part of a course on security management at the Norwegian University of Science and Technology (NTNU), Campus Gjovik, Norway. After performing the archetype analysis students are given the challenge to build concept models [8]. To this effect a case is described for the ATM security in a typical European and a typical US bank at the time of the introduction of ATMs. The case description includes a qualitative reference behaviour pattern for each of the cases along with some hints. Basically, it is required that the simulation reproduces two key observations about patterns of behaviour (§3): 1) that ATMs in some European countries were exposed to an avalanche of fraud while the ATMs in the US were much safer; 2) that the US banks invested less in ATM security while their ATMs nevertheless were more secure than their European counterparts.

In the following we describe concept models for the ATM cases. The model structure and the equations are kept as simple as possible, partly to avoid going too far given the scarcity of empirical data, partly for pedagogical reasons.

The core structure of the concept models is shown on Figure 5. So far this structure applies for both ATM cases (European and US banks).

ATMs have vulnerabilities that can be exploited to commit fraud. Vulnerabilities exist in two states, represented by the stocks ‘Vulnerabilities dormant’ and ‘Vulnerabilities active’. Dormant vulnerabilities have not yet been discovered and, hence, cannot be exploited. By chance or clever schemes vulnerabilities are discovered and become ‘active’ — that is, exploitable. The process rendering dormant vulnerabilities active is represented by the flow ‘vulnerability activation’ in Figure 5. Active vulnerabilities can be fixed, represented by the flow ‘vulnerability fixing’. The pressure to fix known (‘active’) vulnerabilities was significantly higher for US banks — who had the burden of proof with regard to fraud claims — than for European banks, who made customers liable and didn’t suffer much when fraud was committed.

Figure 5 Core structure for a concept model of the ATM case (stocks ‘Vulnerabilities dormant’ and ‘Vulnerabilities active’; flows ‘vulnerability activation’, ‘vulnerability fixing’ and ‘vulnerability removal’; fraud flows ‘customer fraud rate’ and ‘non-customer fraud rate’)

A proactive posture would in addition imply investment in discovery and removal of as yet unknown dormant vulnerabilities (represented by the flow ‘vulnerability removal’ in Figure 5). Discovery and removal of dormant vulnerabilities is more demanding and costly than fixing active vulnerabilities — which manifest themselves by the fact that they are exploited and fraud occurs.

We may safely assume that US banks to a much larger extent did assume such a proactive posture, whereas European banks mainly acted after the consequences of their neglect of ATM security led to an escalation in angry customer complaints and bad publicity.

Figure 5 shows the two possible mechanisms for ATM fraud, viz. customer fraud and non-customer (“crook”) fraud. The model has to differentiate between frauds committed by bank customers and by non-customers because the European bank exerts pressure on customers (“burden of proof on customers”). The influence arrows going from the stock ‘Vulnerabilities active’ to the flows ‘customer fraud rate’ and ‘crook fraud rate’ express that the fraud rates depend on the extent to which there are active vulnerabilities in the ATMs.

The full concept models for the European and US ATM case are shown on
Figures 6-7 respectively.

Figure 6 Concept model for the European ATM case

Figure 7 Concept model for the US ATM case

Beyond the core structure shown on Fig. 5, the full concept models for the two ATM cases share some additional features.

Both models assume that the number of bank customers is constant (10 000 people) and that the probability that customers commit fraud is very low. For the US case, since the ATM security is kept high and the bank does not take legal measures unless the fraud committed is high, we assume that this probability stays constant over time at ‘normal probability of customer fraud’ = 0.025 %.

In the European case, since the bank’s policy was to put the burden of proof on customers, people who took money from their own account, but argued that the transaction was fraudulent (committed by others), experienced that their strategy did not work.

Hence, for the European case we assume ‘probability of customer fraud’ = ‘normal probability of customer fraud’ * ‘effect of burden of proof on customers on fraud prevention’. Figure 8 shows the relevant part of the European ATM model in this respect. The lookup variable ‘effect of burden of proof on customers on fraud prevention’, with input ‘proportion of non-customer fraud’, is defined as an S-shaped curve declining monotonically from unity to zero. Hence, the higher the proportion of non-customer fraud is, the lower the probability of customer fraud becomes.

Figure 8 The balancing loop “Customer is liable” expresses that the bank’s strategy of burden of proof on customers influences the bank customer’s probability of committing fraud.

Both ATM models assume that fraudsters are recruited via a word-of-mouth process (Figure 9). In the European ATM case the recruiting probability is computed as ‘max recruiting probability’ * ‘proportion of non-customer fraud’, where ‘max recruiting probability’ = 1. For the US ATM case we set ‘recruiting probability’ = ‘max recruiting probability’ * ‘table for effect on deviation from accept fraud rate on recruiting prob’(‘deviation from acceptable fraud rate’), which uses a table function expressing the effect of the US bank’s strategy on recruiting of potential fraudsters.

Figure 9 Common model structure for recruiting of fraudsters (stocks ‘Potential non-customer fraudsters’ and ‘Non-customer fraudsters’; flow ‘recruiting rate’ driven by ‘fractional WOM recruiting probability’, ‘max recruiting probability’ and ‘total fraudsters’)

The US bank’s strategy, burden of proof on the bank, implies that the bank will not care to take legal measures as long as the fraud rate is lower than some acceptable fraud rate (‘bank’s acceptable fraud rate’ in the model). The table function ‘table for effect on deviation from accept fraud rate on recruiting prob’ expresses that the higher the bank’s acceptable fraud rate is, the higher the recruiting probability of fraudsters will be (Figures 9 and 10).

Figure 10 Since the US bank assumes the burden of proof, it doesn't act legally unless the fraud rate surpasses the acceptable fraud rate. The higher the acceptable fraud rate, the higher the probability to recruit fraudsters. (Variables ‘customer fraud rate’, ‘non-customer fraud rate’, ‘total fraud rate’, ‘bank’s acceptable fraud rate’ and ‘deviation from acceptable fraud rate’.)

In both ATM cases the bank will feel pressure to improve the ATM security. In the US case, the higher the value of ‘deviation from acceptable fraud rate’, the higher the pressure to improve the ATM security. This translates to shorter times to fix active vulnerabilities and to remove dormant vulnerabilities. Figure 11 shows the balancing loop ‘Bank is liable’ expressing that the higher the deviation from the acceptable fraud rate is, the shorter the time to fix active vulnerabilities becomes. A similar structure connects ‘deviation from acceptable fraud rate’ to the time to remove dormant vulnerabilities (cf. Figure 7).

Figure 11 The US bank feels higher pressure to fix active vulnerabilities if the deviation from the acceptable fraud rate increases. (Variables ‘Vulnerabilities active’, ‘vulnerability fixing’, ‘vuln fixing time’, ‘normal time for vuln fixing’, ‘bank's delay to act on pressure’, ‘pressure to improve ATM security’, ‘total fraud rate’ and ‘deviation from acceptable fraud rate’; loop ‘B: Bank is liable’.)

In the European ATM case the bank did not react until the avalanche of fraud (reinforcing loop “ATM fraud epidemics”, Figure 6), which resulted in innocent customers losing money, led to massive customer protests and bad publicity. The balancing loop ‘Bank awakes at last’ expresses that the higher the avalanche of fraud is, the shorter the time to fix active vulnerabilities becomes — albeit with a significant delay. A similar structure connects ‘pressure to improve ATM security’ to the time to remove dormant vulnerabilities (cf. Figure 6).

Figure 12 The European bank felt increasing pressure to improve ATM security as the avalanche of fraud triggered massive customer protests and bad publicity (B2: Bank awakes at last). (Variables ‘Vulnerabilities active’, ‘vulnerability fixing’, ‘vuln fixing time’, ‘normal time for vuln fixing’, ‘bank’s delay to act on pressure’, ‘pressure to improve ATM security’, ‘total fraud’, ‘customer fraud rate’ and ‘non-customer fraud rate’.)

We mention finally that fraudsters reacted by devising schemes to activate dormant vulnerabilities as a counterstrategy to the fact that US banks accepted fraud below some threshold while at the same time taking care to continuously improve ATM security (that is, both fixing active vulnerabilities and making efforts to remove the dormant vulnerabilities). This is represented in Figure 7 by the link connecting ‘ratio fraudsters’ to ‘vuln activation time’.
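The stock-and-flow structure described in this section, as an added Python example that is not the authors' Vensim model: it simulates both ATM cases with Euler integration, and every parameter value, the saturating 'exploitability' term, the 1/(1 + deviation) recruiting table and the pressure delays are constructed assumptions chosen only to reproduce the two qualitative reference patterns.

```python
"""Concept model of the European and US ATM cases (added illustration, not the
authors' Vensim model).  All parameter values are constructed assumptions.
Euler integration with dt = 1 week."""
import math
from dataclasses import dataclass


@dataclass
class Bank:
    case: str                            # "EU": burden of proof on customers; "US": on the bank
    customers: int = 10_000              # constant number of customers (value stated in the paper)
    normal_p_customer_fraud: float = 0.00025   # 0.025 % per customer per week (paper value)
    acceptable_fraud_rate: float = 5.0   # frauds/week the US bank tolerates before acting (assumed)
    vuln_dormant: float = 300.0          # undiscovered, not yet exploitable vulnerabilities (assumed)
    vuln_active: float = 0.0             # discovered, exploitable vulnerabilities
    potential_fraudsters: float = 500.0  # pool of crooks who could be recruited (assumed)
    fraudsters: float = 5.0              # active non-customer fraudsters (assumed)
    pressure: float = 0.0                # smoothed 'pressure to improve ATM security'
    total_fraud: float = 0.0             # cumulative fraudulent transactions
    peak_active: float = 0.0             # bookkeeping: highest vuln_active seen so far


def s_curve_decline(x: float, mid: float = 0.5, steep: float = 10.0) -> float:
    """S-shaped lookup falling monotonically from ~1 at x=0 to ~0 at x=1 (Figure 8)."""
    return 1.0 / (1.0 + math.exp(steep * (x - mid)))


def step(b: Bank, dt: float = 1.0) -> float:
    """Advance the model one time step; returns this step's total fraud rate (frauds/week)."""
    # Fraud rates depend on how many vulnerabilities are exploitable (Figure 5).
    exploitability = b.vuln_active / (b.vuln_active + 20.0)       # saturating effect, assumed
    crook_rate = 0.5 * b.fraudsters * exploitability                # frauds per crook per week, assumed
    cust_rate = b.customers * b.normal_p_customer_fraud * exploitability
    share_noncust = crook_rate / (crook_rate + cust_rate + 1e-9)    # 'proportion of non-customer fraud'
    if b.case == "EU":
        # Burden of proof on customers deters customer fraud as non-customer fraud grows (Figure 8).
        cust_rate *= s_curve_decline(share_noncust)
        recruit_p = 1.0 * share_noncust                             # 'max recruiting probability' = 1
        # 'Bank awakes at last': pressure follows cumulative fraud, after a long delay (Figure 12).
        target_pressure = min(2.0, b.total_fraud / 2000.0)
        delay, activation_time = 30.0, 20.0
    else:
        total_rate = crook_rate + cust_rate
        deviation = max(0.0, (total_rate - b.acceptable_fraud_rate) / b.acceptable_fraud_rate)
        # Crooks bet on the bank accepting small losses; recruiting drops once it acts (Figure 10).
        recruit_p = 1.0 / (1.0 + deviation)
        # Security-aware baseline plus effort proportional to the deviation (Figure 11).
        target_pressure = min(2.0, 0.5 + deviation)
        delay = 4.0
        # Counter-strategy: more crooks activate dormant vulnerabilities faster (Figure 7 link).
        ratio = b.fraudsters / (b.fraudsters + b.potential_fraudsters)
        activation_time = 20.0 / (1.0 + 4.0 * ratio)
    b.pressure += (target_pressure - b.pressure) * dt / delay       # bank's delay to act on pressure
    effort = max(0.05, b.pressure)
    fix_time, removal_time = 8.0 / effort, 40.0 / effort            # normal times 8 and 40 weeks, assumed
    # Flows between the vulnerability stocks, clipped so that no stock goes negative.
    activation = min(b.vuln_dormant / activation_time, b.vuln_dormant / dt)
    removal = min(b.vuln_dormant / removal_time, b.vuln_dormant / dt - activation)
    fixing = min(b.vuln_active / fix_time, b.vuln_active / dt)
    # Word-of-mouth recruiting of fraudsters (Figure 9); contact rate 0.1/week assumed.
    recruits = min(0.1 * b.fraudsters * b.potential_fraudsters
                   / (b.fraudsters + b.potential_fraudsters) * recruit_p,
                   b.potential_fraudsters / dt)
    b.vuln_dormant -= (activation + removal) * dt
    b.vuln_active += (activation - fixing) * dt
    b.potential_fraudsters -= recruits * dt
    b.fraudsters += recruits * dt
    b.total_fraud += (crook_rate + cust_rate) * dt
    b.peak_active = max(b.peak_active, b.vuln_active)
    return crook_rate + cust_rate


def simulate(case: str, weeks: int = 140) -> Bank:
    """Run one ATM case for `weeks` weeks and return the final state."""
    b = Bank(case=case)
    for _ in range(weeks):
        step(b)
    return b


if __name__ == "__main__":
    for b in (simulate("EU"), simulate("US")):
        print(f"{b.case}: total fraud {b.total_fraud:8.0f}, peak active vulns "
              f"{b.peak_active:6.1f}, fraudsters {b.fraudsters:5.0f}")
```

Running the block prints the two end states; the European bank accumulates far more total fraud and lets far more vulnerabilities become active before its delayed reaction, which is the qualitative pattern of Figures 13 and 16.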

Figure 13 displays the simulated total fraud for both ATM cases. In (qualitative) agreement with the facts, the typical European bank was for quite a long time a passive observer of an avalanche of fraud, while the typical US bank did not face the rising wave of dissatisfaction and complaints that ultimately forced the European banks to change the rules of the game: they had to invest much more to fix the deplorable security of their ATMs, in addition to losing face and ultimately having to compensate angry customers who to begin with were suspected of having effected the fraudulent transactions.

Figures 15-19 provide insight into the processes going on in the two cases.

Figure 13 Simulated total fraud for the European and the US ATM case (y-axis: total fraud, 0 to 6,000; x-axis: Time (Week), 0 to 140; series Base_US_bank and Base_EU_bank)

Figure 14 Simulated total fraud rate for the European and the US ATM case (y-axis: total fraud rate, 0 to 60; x-axis: Time (Week), 0 to 140)

Figure 15 Pressure to improve ATM security for the European and the US ATM case (y-axis: 0 to 2; x-axis: Time (Week), 0 to 140)

Figure 16 Active vulnerabilities for the European and the US ATM case (y-axis: 0 to 90; x-axis: Time (Week), 0 to 140)

Figure 17 Rate of fixing active vulnerabilities for the European and the US ATM case (x-axis: Time (Week), 0 to 140)

Figure 18 Dormant vulnerabilities for the European and the US ATM case (y-axis: 0 to 300; x-axis: Time (Week), 0 to 140)

Figure 19 Removal of dormant vulnerabilities for the European and the US ATM case (x-axis: Time (Week), 0 to 140)

6 Concluding remarks

Archetypes like those shown on Figures 3-4 and concept simulation models like those shown on Figures 6-7 have low cost and take a short time to develop. In particular, expert modellers with expertise in system dynamics are quick in identifying feedback that is likely to compromise the intended outcome of interventions.

Assume that the European banks, instead of trying a costly strategy without analysing its unintended consequences, had invested some thousand euros in developing such archetypes and a concept model so as to understand the impact of different strategic choices. Presumably, the European banks would have had second thoughts and rather opted for a better security solution?

In several application areas it has been shown that investing in simulation models for strategy analysis costs very little compared to the cost of failures caused by bad decisions. There is still a long way to go concerning the availability of quality data in information security. Regrettably, organizations making their data available for analysis and simulation are very scarce. By teaching system archetypes and system dynamics in courses on security management we are hoping to increase the awareness of the benefit of systems thinking to anticipate and prevent the impact of misaligned incentives in information security. Their long term effects can act as boomerangs upon the party who tries to pass the consequences of bad security on to other parties.

7 References

[1] Anderson, R., and Moore, T., "The Economics of Information Security",
Science, 314(5799), 2006, pp. 610-613.

[2] Moore, T., "The Economics of Cybersecurity: Principles and Policy Options",
International Journal of Critical Infrastructure Protection, 3(3-4), 2010, pp. 103-
117.

[3] Trcek, D., Managing Information Systems Security and Privacy, Springer,
Berlin, Heidelberg, 2006.

[4] Sterman, J.D., Business Dynamics : Systems Thinking and Modeling for a
Complex World, Irwin/McGraw-Hill, Boston, 2000.

[5] Wolstenholme, E.F., "Towards the Definition and Use of a Core Set of
Archetypal Structures in System Dynamics", System Dynamics Review, 19(7),
2003, pp. 7-26.

[6] Anderson, R.J., "Why Cryptosystems Fail", Proceedings of the First ACM
Conference on Computer and Communications Security, 1993, pp. 215-227.

[7] Wiik, J., Gonzalez, J.J., Lipson, H.F., and Shimeall, T.J., "Dynamics of
Vulnerability - Modeling the Life Cycle of Software Vulnerability", The 22nd
International Conference of the System Dynamics Society, July 20-24, 2004.

[8] Richardson, G.P., "Concept Models in Group Model Building", System
Dynamics Review, 29(1), 2013, pp. 42-55.


Sensitivity Analysis and Discussion

In order to investigate the critical assumption reflected by the variable “share of
technology switching”, a simple sensitivity analysis was undertaken. For this purpose, a
Monte-Carlo simulation using Vensim® sensitivity setup was conducted. The critical
parameter was represented using a random uniform distribution [0,1] and, as an
example, the chosen output variable was the stock of gasoline cars in China. The
resulting confidence bounds are shown in Figure 14.

[Figure 14 — Sensitivity of “car stock (G)” to “share of technology switching”: time plot
of total car stock by tech[China,G] over 2000-2030 (y-axis up to 40M cars) showing the
current run with its 50%, 75%, 95% and 100% confidence bounds.
Source: own work using Vensim®]

Only three scenarios out of a potentially long list of plausible scenarios have been
constructed as part of the modeling exercise presented here. Much work remains to be
done concerning the construction of alternative scenarios, policy analysis and sensitivity
analysis. Nevertheless, the benefits of designing and conducting experiments on such a
simulation model can be, at this point, highlighted.

5. CONCLUSIONS AND FURTHER RESEARCH
Summary and Conclusions

For this study, a simulation model based on the SD approach has been developed. The
SD model is capable of generating scenarios for the market penetration of different car
powertrain technologies at the national level until 2030. Furthermore, the model enables
the user to explore a set of 11 policy options. In this paper, the application of the model
to three key car markets (China, Germany and the US) has been illustrated by means of
scenario building.

Based on the modeling exercise and SD simulation results, the authors conclude that the
market scenario outcomes are highly sensitive to the assumed input policies.
The simulation output also confirms a reasonable initial hypothesis: given the larger
distance from car saturation in the Chinese market, the prospects for a more rapid
penetration of non-conventional cars are more promising than in the mature German and
US markets. This, however, depends greatly on the assumption concerning the lock-in
of mature technologies, represented by the proxy variable “share of technology
switching”.

Perhaps the most insightful result is the one arising from comparing total gasoline use
and lifecycle GHG emissions, in particular for China and the US, which have a similar
level of car stock around 2030. This result, counterintuitive at first, can be explained
on reflection by three key aspects: (i) emissions are higher for manufacturing
than for scrappage, and China’s projected number of sales is unmatched by the other two
mature markets; (ii) manufacturing emissions (but not scrappage emissions) are higher for BEVs
than for conventional cars, and the former penetrate the Chinese market more rapidly
than Germany and the US; (iii) the larger number of cars operating in China and the
assumed slow de-carbonization of the electricity grid. This example highlights the need
to strive for the expansion of model boundaries. By “trespassing” the narrow frontier of
on-road transport emissions into those commonly located in the energy system (i.e.
moving from TTW to WTT and overall WTW emissions analysis), we gained valuable
insights into the far-reaching environmental impacts of a specific market scenario.

Finally, the modeling exercise illustrates the suitability of the SD approach to
investigate the dynamic problems inherent in this area of research. With minor
adaptations, the same model structure could be used to represent systems from different
countries, from which a variety of behavior patterns can arise.

Limitations and Further Research

In our view, this study contains four main limitations. The first is related to the
arbitrary definition of the system (model) boundary. The second is the critical issue of
modeling replacement sales by technology. The third is the need to refine key
model assumptions and to collect the most recently available data, particularly for
China. Lastly, the hypothesis that EV deployment worldwide is expected to lead to
beneficial economies of scale and battery cost reductions is not explicitly covered in the
current version of the model.

Given the aforementioned limitations, we expect to devote additional research effort on
four main areas: (i) expansion of model boundaries to take into account potential
feedback processes (e.g. rebound effects); (ii) rethinking the causal structure for the
demand for car replacement, probably adding a Bass sub-model; (iii) update of the
model assumptions related to technology choices in view of new available knowledge
(e.g. data from revealed preference surveys and new discrete choice models); (iv) model
extension to include other relevant markets (in particular, France, India and Japan)
leading to the explicit consideration of technological leaps in the global automotive
market.


ACKNOWLEDGMENT
The authors gratefully acknowledge the support provided by the Helmholtz Association
and the Graduate School of Energy Scenarios Karlsruhe-Stuttgart.

REFERENCES

Achtnicht, M., 2011. German car buyers’ willingness to pay to reduce CO2 emissions.
Clim. Change 113, 679-697. doi:10.1007/s10584-011-0362-8

Al-Alawi, B.M., Bradley, T.H., 2013. Review of hybrid, plug-in hybrid, and electric
vehicle market modeling studies. Renew. Sustain. Energy Rev. 21, 190-203.
doi:10.1016/j.rser.2012.12.048

Armenia, S., Baldoni, F., Falsini, D., Taibi, E., 2010. A System Dynamics energy model
for a sustainable transport system. Presented at the System Dynamics Society
Conference, Seoul.

Barlas, Y., 1996. Formal aspects of model validity and validation in system dynamics.
Syst. Dyn. Rev. 12, 183-210. doi:10.1002/(SICI)1099-1727(199623)12:3<183::AID-SDR103>3.0.CO;2-4

Ben-Akiva, M., Lerman, S., 1985. Discrete Choice Analysis: Theory and
Application to Travel Demand. MIT Press, Cambridge, Mass.

BenDor, T., Ford, A., 2006. Simulating a combination of feebates and scrappage
incentives to reduce automobile emissions. Energy 31, 1197-1214.
doi:10.1016/j.energy.2005.05.024

Bossel, H., 2007. Systems and models: complexity, dynamics, evolution, sustainability.
Books on Demand, Norderstedt.

Brownstone, D., Bunch, D.S., Train, K., 2000. Joint mixed logit models of stated and
revealed preferences for alternative-fuel vehicles. Transp. Res. Part B Methodol.
34, 315-338. doi:10.1016/S0191-2615(99)00031-4

Brownstone, D., Train, K., 1998. Forecasting new product penetration with flexible
substitution patterns. J. Econom. 89, 109-129. doi:10.1016/S0304-4076(98)00057-8

Bunch, D.S., Bradley, M., Golob, T.F., Kitamura, R., Occhiuzzo, G.P., 1993. Demand
for clean-fuel vehicles in California: A discrete-choice stated preference pilot
project. Transp. Res. Part Policy Pract., Special Issue Energy and Global
Climate Change 27, 237-253. doi:10.1016/0965-8564(93)90062-P

Dahl, C.A., 2004. International Energy Markets: Understanding Pricing, Policies &
Profits. Pennwell Pub, Tulsa, Okla.

Dargay, J., Gately, D., Sommer, M., 2007. Vehicle Ownership and Income Growth,
Worldwide: 1960-2030. Energy J. 28, 143-170. doi:10.2307/41323125

Dieckhoff, C., Appelrath, H.-J., Fischedick, M., Grunwald, A., Höffler, F., Mayer, C.,
Weimer-Jehle, W., 2014. Zur Interpretation von Energieszenarien. Deutsche
Akademie der Technikwissenschaften, München.

Dieckhoff, C., Fichtner, W., Grunwald, A., Meyer, S., Nast, M., Nierling, L., Renn, O.,
Voß, A., Wietschel, M., 2011. Energieszenarien: Konstruktion, Bewertung und
Wirkung - “Anbieter” und “Nachfrager” im Dialog. KIT Scientific Publishing.

EVI, 2015. Global EV Outlook. 2015 Update. Electric Vehicles Initiative.

EVI, 2013. Global EV Outlook - Understanding the Electric Vehicle Landscape to
2020. Electric Vehicles Initiative.


Ford, A., 1995. Simulating the controllability of feebates. Syst. Dyn. Rev. 11, 3-29.
doi:10.1002/sdr.4260110103

Forrester, J.W., 1968. Principles of Systems. Pegasus Communications, Waltham, MA.

Forrester, J.W., 1961. Industrial Dynamics. MIT Press, Cambridge, Mass.

Forrester, J.W., 1958. Industrial Dynamics. Harv. Bus. Rev. 36, 37-66.

Gomez, J., Jochem, P., Fichtner, W., 2014. Car Technology Scenarios using System
Dynamics: Exploring Market Penetration and Energy Consumption in China,
Germany and US. In 2014 Proceedings of the Student Chapter, System
Dynamics Society.

Gomez, J., Jochem, P., Fichtner, W., 2013. The impact of electric vehicles on the global
oil demand and CO2 emissions. Presented at the World Conference on Transport
Research Society (WCTRS) Rio de Janeiro.

Hackbarth, A., Madlener, R., 2013. Consumer preferences for alternative fuel vehicles:
A discrete choice analysis. Transp. Res. Part Transp. Environ. 25, 5-17.
doi:10.1016/j.trd.2013.07.002

ICCT, 2012. Global Transportation Energy and Climate ROADMAP: The impact of
transportation policies and their potential to reduce oil consumption and
greenhouse gas emissions.

IEA, 2009. Transport, Energy and CO2: Moving Toward Sustainability.

IPCC, 2015. Climate Change 2014: Mitigation of Climate Change: Working Group III
Contribution to the IPCC Fifth Assessment Report. Cambridge University Press.

IPCC, 2006. IPCC Guidelines for National Greenhouse Gas Inventories.

Keith, D.R., 2012. Essays on the dynamics of alternative fuel vehicle adoption : insights
from the market for hybrid-electric vehicles in the United States (Thesis).
Massachusetts Institute of Technology.

Keles, D., Wietschel, M., Most, D., Rentz, O., 2008. Market penetration of fuel cell
vehicles — Analysis based on agent behaviour. Int. J. Hydrog. Energy 33, 4444-4455.
doi:10.1016/j.ijhydene.2008.04.061

Kieckhäfer, K., 2013. Marktsimulation zur strategischen Planung von
Produktportfolios: Dargestellt am Beispiel innovativer Antriebe in der
Automobilindustrie, Auflage: 2013. ed. Springer Gabler, Wiesbaden.

Krail, M., 2009. System-Based Analysis of Income Distribution Impacts on Mobility
Behaviour. Nomos, Baden-Baden.

Kühn, A., Gläser, S., 2012. System-based feedback analysis of e-mobility diffusion in
China. Presented at the System Dynamics Society Conference, St. Gallen.

Martinez-Moyano, I.J., 2012. Documentation for model transparency. Syst. Dyn. Rev.
28, 199-208. doi:10.1002/sdr.1471

McFadden, D., Train, K., 2000. Mixed MNL models for discrete response. J. Appl.
Econom. 15, 447-470. doi:10.1002/1099-1255(200009/10)15:5<447::AID-JAE570>3.0.CO;2-1

Meadows, D.H., Wright, D., 2008. Thinking in systems: a primer. Chelsea Green Pub.,
White River Junction, Vt.

Meyer, G., 2009. Analyse und technisch-ökonomische Bewertung von Gesetzesfolgen
im Individualverkehr: dargestellt am Beispiel der Automobilindustrie Japans
und Deutschlands.

Möst, D., Fichtner, W., Grunwald, A., 2009. Energiesystemanalyse: Tagungsband des
Workshops “Energiesystemanalyse” vom 27. November 2008 am KIT Zentrum
Energie, Karlsruhe. Universität Karlsruhe Universitätsbibliothek, Karlsruhe.


Oil-price.net, 2015. Crude oil price [WWW Document]. URL http://www.oil-price.net

Park, S.Y., Kim, J.W., Lee, D.H., 2011. Development of a market penetration
forecasting model for Hydrogen Fuel Cell Vehicles considering infrastructure
and cost reduction effects. Energy Policy 39, 3307-3315.
doi:10.1016/j.enpol.2011.03.021

Rahmandad, H., Sterman, J.D., 2012. Reporting guidelines for simulation-based
research in social sciences. Syst. Dyn. Rev. 28, 396-411. doi:10.1002/sdr.1481

Randers, J., 1980. Elements of the System Dynamics Method. Pegasus
Communications.

Richardson, G.P., 2011. Reflections on the foundations of system dynamics. Syst. Dyn.
Rev. 27, 219-243. doi:10.1002/sdr.462

Richardson, G.P., 1991. Feedback Thought in Social Science and Systems Theory.
University of Pennsylvania Press, Philadelphia.

Schade, W., 2005. Strategic Sustainability Analysis: Concept and application for the
assessment of European Transport Policy, Auflage: 1. ed. Nomos, Baden-Baden.

Schipper, L., Marie-Lilliu, C., Gorham, R., 2000. Flexing the Link Between Transport
and Greenhouse Gas Emissions: A Path for the World Bank. International
Energy Agency.

Schühle, F., 2014. Die Marktdurchdringung der Elektromobilität in Deutschland: Eine
Akzeptanz- und Absatzprognose, Auflage: 1. ed. Hampp, R, München; Mering.

SDS, 2014. System Dynamics Society. Introduction to System Dynamics [WWW
Document]. URL http://www.systemdynamics.org/what-is-s/

Senge, P.M., 2006. The Fifth Discipline. Crown Business, New York.

Shepherd, S., Bonsall, P., Harrison, G., 2012. Factors affecting future demand for
electric vehicles: A model based study. Transp. Policy, URBAN TRANSPORT
INITIATIVES 20, 62-74. doi:10.1016/j.tranpol.2011.12.006

Shepherd, S., Emberger, G., 2010. Introduction to the special issue: system dynamics
and transportation. Syst. Dyn. Rev. 26, 193-194. doi:10.1002/sdr.454

Shepherd, S.P., 2014. A review of system dynamics models applied in transportation.
Transp. B Transp. Dyn. 2, 83-105. doi:10.1080/21680566.2014.916236

Sterman, J.D., 2002. All models are wrong: reflections on becoming a systems scientist.
Syst. Dyn. Rev. 18, 501-531. doi:10.1002/sdr.261

Sterman, J.D., 2000. Business Dynamics: Systems Thinking and Modeling for a
Complex World. McGraw- Hill/Irwin.

Struben, J., Sterman, J.D., 2008. Transition challenges for alternative fuel vehicle and
transportation systems. Environ. Plan. B Plan. Des.

Toyota, 2015. Toyota Mirai - The Turning Point [WWW Document]. URL
http://www.toyota.com/fuelcell/ (accessed 3.18.15).

UN, 2012. World Population Prospects: The 2012 Revision. United Nations,
Department of Economic and Social Affairs. Population Division, Population
Estimates and Projections Section [WWW Document]. URL
http://esa.un.org/wpp/ (accessed 3.18.15).

UNECE, 2015. UNDA Project on CO2 emissions and ForFITS. United Nations
Economic Commission for Europe [WWW Document]. URL
http://www.unece.org/trans/theme_forfits.html

Walther, G., Wansart, J., Kieckhäfer, K., Schnieder, E., Spengler, T.S., 2010. Impact
assessment in the automotive industry: mandatory market introduction of
alternative powertrain technologies. Syst. Dyn. Rev. 26, 239-261.
doi:10.1002/sdr.453

Wansart, J., 2012. Analyse von Strategien der Automobilindustrie zur Reduktion von
CO2-Flottenemissionen und zur Markteinführung Alternativer Antriebe: Ein...,
Auflage: 2012. ed. Springer Gabler, Wiesbaden.

WB, 2014. The World Bank Data. World Bank [WWW Document]. URL
http://data.worldbank.org/ (accessed 3.18.15).

Weikl, R., 2010. Simulation zur Abschätzung der Marktanteilsentwicklung
unterschiedlicher Antriebsvarianten am deutschen Fahrzeugmarkt: ein
systemdynamisches Modell zur Entscheidungsunterstützung in der strategischen
Marktanalyse / Robert Weikl. GUC, Verl. der Ges. für Unternehmensrechnung
und Controlling, Chemnitz.

Wolff, P. de, 1938. The Demand for Passenger Cars in the United States. Econometrica
6, 113-129. doi:10.2307/1907143

Ziegler, A., 2012. Individual characteristics and stated preferences for alternative energy
sources and propulsion technologies in vehicles: A discrete choice analysis for
Germany. Transp. Res. Part Policy Pract. 46, 1372-1385.
doi:10.1016/j.tra.2012.05.016


APPENDIX

In line with suggestions by Rahmandad and Sterman (2012) and Martinez-Moyano (2012)
on model transparency and reproducibility, this appendix contains the model
documentation produced with SDM-Doc. The version of the model used in this paper is available
(Vensim® Reader format) from the main author upon request.

Model Summary

Model Assessment Results (SDM-Doc table; only the rows legible in the scan are reproduced)

Model information: Number
Total Number of Variables: 312
(Level+Smooth+Delay Variables): 176.4%) [digits partly illegible in the scan]
Variables with Source Information: 73 (23.4%)
[label illegible]: 277 (88.8%)
Time Unit: Year
Fully Formulated: Yes
Undocumented Equations: 91 (29.2%)
[label illegible]: Unavailable

Model Code

Note that, due to space constraints, only selected equations are shown below. The list
contains the code for the following subscripts: Germany and Gasoline (G). The full
model documentation (including the complete list of equations) can be obtained by
running the model using the SDM-Doc tool.


birth rate[Germany] = FRACTIONAL BIRTH RATE[]*Population[]
death rate[Germany] = Population[]/LIFETIME EXPECTANCY[]
FRACTIONAL BIRTH RATE[Germany] = 0.0131196
FRACTIONAL GDP GROWTH RATE[Germany] = 0.0105939
GDP[Germany] = ∫GDP growth rate[] dt + [INITIAL GDP[]]
GDP growth rate[Germany] = FRACTIONAL GDP GROWTH RATE[]*GDP[]
GDP per capita[Germany] = GDP[]/Population[]
INITIAL GDP[Germany] = 2.94843e+012
INITIAL POPULATION[Germany] = 8.35125e+007
LIFETIME EXPECTANCY[Germany] = 70
Population[Germany] = ∫birth rate[]-death rate[] dt + [INITIAL POPULATION[]]
annual VKT by car[Germany] = daily VKT by car[]*365
AVERAGE TRIP DISTANCE[Germany] = 18.06
car occupancy rate[Germany] = 1.2
daily VKT by car[Germany] = TRIPS PER DAY BY CAR[]*AVERAGE TRIP DISTANCE[]
PKM by car[Germany] = car occupancy rate[]*annual VKT by car[]
TRIPS PER DAY BY CAR[Germany] = 1.82
ADJUSTMENT TIME (Year) = 1
ageing[Germany,G] = New Car Stock[]/AVERAGE AGEING TIME[]
AVERAGE AGEING TIME[Germany,G] = 1
AVERAGE LIFETIME[Germany,G] = 14
BETA COEF[Germany] = -25
car ownership ratio[Germany] = CAR SATURATION LEVEL[]*EXP(BETA COEF[]*EXP(GAMMA COEF[]*coef GDP per cap[]))
CAR SATURATION LEVEL[Germany] = 557
coef GDP per cap[Germany] = GDP per capita[]/in thousand[]
divergence between projected and simulated car stock[Germany] = (projected car stock[]-total car stock[])/ADJUSTMENT TIME
FIRST SALES RATE[Germany] = 0
GAMMA COEF[Germany] = -0.169167
INITIAL CAR[Germany,G] = 3.3e+007
INITIAL NEW CAR[Germany,G] = 1e+006
market share first sales[Germany,G] = exp U[]/denominator[Germany]
New Car Stock[Germany,G] = ∫sales rate[]-ageing[] dt + [INITIAL NEW CAR[]]
Older Car Stock[Germany,G] = ∫ageing[]-scrappage rate[] dt + [INITIAL CAR[]]
projected car stock[Germany] = car ownership ratio[]/1000*Population[]
replacement sales[Germany,G] = scrappage rate[]*SHARE OF TECHNOLOGY SWITCHING[Germany]
sales rate[Germany,G] = (market share first sales[]*FIRST SALES RATE[Germany])+(market share first sales[]*divergence between projected and simulated car stock[Germany])+replacement sales[]
scrappage rate[Germany,G] = Older Car Stock[]/AVERAGE LIFETIME[]
SHARE OF TECHNOLOGY SWITCHING[Germany] = 0.5
total car stock[Germany] = total new car stock[]+total older car stock[]
total car stock by tech[Germany,G] = New Car Stock[]+Older Car Stock[]
total new car stock[Germany] = Σ(New Car Stock[])
total older car stock[Germany] = Σ(Older Car Stock[])
total sales[Germany] = Σ(sales rate[])
total scrappage[Germany] = Σ(scrappage rate[])
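As an added example (not the authors' Vensim model), the Germany/gasoline (G) equations listed above implemented as an Euler stock-flow simulation in Python, together with the Monte Carlo sweep of “share of technology switching” over Uniform[0,1] described in the sensitivity analysis. It assumes in thousand = 1000, a 2000-2030 horizon with dt = 0.25 year, only the G technology, and a first-sales market share of 1.0 (the exp U / denominator term is not listed on the page).

```python
import math
import random

# Parameter values copied from the appendix listing (Germany, technology G).
FRACTIONAL_BIRTH_RATE = 0.0131196
LIFETIME_EXPECTANCY = 70.0
FRACTIONAL_GDP_GROWTH_RATE = 0.0105939
INITIAL_GDP = 2.94843e12
INITIAL_POPULATION = 8.35125e7
CAR_SATURATION_LEVEL = 557.0          # cars per 1000 inhabitants
BETA_COEF, GAMMA_COEF = -25.0, -0.169167
AVERAGE_AGEING_TIME, AVERAGE_LIFETIME = 1.0, 14.0
ADJUSTMENT_TIME = 1.0
INITIAL_NEW_CAR, INITIAL_CAR = 1e6, 3.3e7
FIRST_SALES_RATE = 0.0
# Assumptions (not given in the listing): 'in thousand' is the divisor 1000, and
# market share of first sales for G is 1.0 because G is the only technology
# modelled here, so no 'exp U / denominator' choice term is needed.
IN_THOUSAND = 1000.0
MARKET_SHARE_FIRST_SALES = 1.0


def projected_car_stock(population, gdp):
    """car ownership ratio (Gompertz curve in GDP per capita) scaled to population."""
    coef_gdp_per_cap = gdp / population / IN_THOUSAND
    ratio = CAR_SATURATION_LEVEL * math.exp(
        BETA_COEF * math.exp(GAMMA_COEF * coef_gdp_per_cap))
    return ratio / 1000.0 * population


def simulate(share_of_technology_switching=0.5, start=2000.0, end=2030.0, dt=0.25):
    """Euler-integrate the four stocks; return (total car stock by tech[Germany,G],
    projected car stock[Germany]) at the end year."""
    population, gdp = INITIAL_POPULATION, INITIAL_GDP
    new_stock, older_stock = INITIAL_NEW_CAR, INITIAL_CAR
    for _ in range(int(round((end - start) / dt))):
        projected = projected_car_stock(population, gdp)
        total = new_stock + older_stock               # only G is modelled
        divergence = (projected - total) / ADJUSTMENT_TIME
        ageing = new_stock / AVERAGE_AGEING_TIME
        scrappage = older_stock / AVERAGE_LIFETIME
        replacement = scrappage * share_of_technology_switching
        sales = (MARKET_SHARE_FIRST_SALES * FIRST_SALES_RATE
                 + MARKET_SHARE_FIRST_SALES * divergence + replacement)
        # Stock updates: one Euler step of the integral equations in the listing
        population += (FRACTIONAL_BIRTH_RATE * population
                       - population / LIFETIME_EXPECTANCY) * dt
        gdp += FRACTIONAL_GDP_GROWTH_RATE * gdp * dt
        new_stock += (sales - ageing) * dt
        older_stock += (ageing - scrappage) * dt
    return new_stock + older_stock, projected_car_stock(population, gdp)


def sensitivity_bounds(runs=200, levels=(0.5, 0.75, 0.95, 1.0), seed=1):
    """Monte Carlo sweep: share of technology switching ~ Uniform[0,1], as in the
    sensitivity analysis; returns centred (low, high) bounds of the 2030 G stock."""
    rng = random.Random(seed)
    finals = sorted(simulate(rng.uniform(0.0, 1.0))[0] for _ in range(runs))

    def pct(p):
        return finals[int(round(p * (len(finals) - 1)))]

    return {lvl: (pct((1 - lvl) / 2), pct((1 + lvl) / 2)) for lvl in levels}


if __name__ == "__main__":
    total, projected = simulate()
    print(f"2030 G stock (share=0.5): {total/1e6:.1f}M, projected {projected/1e6:.1f}M")
    for lvl, (lo, hi) in sensitivity_bounds().items():
        print(f"{int(lvl*100):3d}% bounds: {lo/1e6:.1f}M - {hi/1e6:.1f}M")
```

With share = 1 every scrapped car is replaced by the same technology, so the G stock tracks the projected stock with a one-year lag; lower shares leave a widening gap, which is the lock-in sensitivity the figure plots.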


Metadata

Resource Type:
Document
Rights:
Date Uploaded:
March 12, 2026

Collection terms of access:
https://creativecommons.org/licenses/by/4.0/