Do small and medium sized businesses (SMB’s) erode their common resource, the Internet, by not making an investment in managing information risk and security in their own operations?

Garrett Hardin (1915-2003) introduced the idea of individual actors depleting a common resource in his 1968 paper published in Science entitled The Tragedy of the Commons.  The idea is that individuals, making use of a common resource, will make decisions in their own interest to the detriment of the the group as a whole — even knowing that they are a part of that same group that will suffer.

Overfishing

A classic example is overfishing an area.  In theory, all of the individuals fishing know that if they catch more than X fish in a certain period of time that they are contributing to the permanent depletion of that resource — which ultimately affects them.  However, when thinking for themselves, they think, ‘if I don’t get that extra fish, someone else will. So it might as well be me.’

Another example is multiple farmers with cows grazing on the same common pasture.  Some number of total cows is sustainable and the grass will regrow in time to continue feeding all of the cows.  Beyond that point, the pasture will degrade until it is eventually totally consumed.  While overgrazing is detrimental to all, each individual farmer thinks, ‘if I don’t maximize this and put more cows on the field, I’ll suffer in the short term — I’m not even thinking about the long term.  I’m just trying to keep up with or beat the farmer next to me this week.’ As a result, the resource becomes completely depleted.

Hope on the horizon?

Elinor Ostrom (1933-2012) received the Nobel Prize for her work showing that in many systems with a common resource, individuals communicate with each other and develop working relationships such that the resource is not depleted.  More on her work in a subsequent post.

Internet as Common Pool Resource (CPR)

It’s not hard to draw the analogy of Internet as common resource for SMB’s (as well as large enterprises and consumers).  When a company connects to the Internet, it is participating in that resource.  It gets value from the resource.  It also has the potential to harm the resource, and in effect, deplete the resource.

Large enterprises have more resources available for risk management and security activities and can be more motivated to protect their own investments.  I would hazard a guess that, on average, SMB’s have more risk tolerance than most large established enterprises.

When an SMB is attacked or ‘compromised’, a couple of things can happen: 1) the SMB suffers financial or reputation loss or both, and/or 2) the SMB’s resources (computers) are used as assets to attack the computers of other businesses.  This weakens, or depletes, the community resource.

SMB’s typically have less resources when compared to their large enterprise counterparts.  It’s a hard decision to divert limited cash from marketing, production, and R&D to spend it on information risk management and security.  However, not making an investment in security and risk management, significantly exposes themselves as well as the common pool resource of the Internet to harm.

So whose responsibility is it?  SMB’s represent a large portion of the workforce, with each workforce member potentially with one or many computing devices.  If SMB’s aren’t motivated to invest in risk management and security, this means that a substantial part of the economy is operating while poorly protected.

Should SMB’s be held accountable if their computers are hacked and then used to attack other computers? Should SMB’s have a minimum standard for computing devices, to include smartphones? Would this stifle innovation? Should trade organizations establish standards?  The government?

Or, do SMB’s simply represent a tragedy of the commons?