Download eBook for Free

FormatFile SizeNotes
PDF file 1 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback106 pages $24.50

Research Questions

  1. How can governments, businesses, and individuals balance cybersecurity priorities in terms of personal privacy, user convenience, technological innovation, financial incentives for entrepreneurs, and security? Who owns personal data; who decides how, when, and where they can be used; and who is responsible for protecting them?
  2. How can policies best balance information access, user privacy, and the good of society? Under what criteria and by whom should private data be accessed to investigate security breaches or crimes?
  3. How should the roles and responsibilities of government, industry, and individuals align to optimize benefits and accountability?
  4. Where do private-sector and government cybersecurity roles intersect, and what governance and information-sharing processes are in place to facilitate collaboration?
  5. How does the market reward security and penalize insecurity?

Today's cyber environment presents unlimited opportunities for innovation, interaction, commerce, and creativity, but these benefits also bring serious security challenges. Satisfactory solutions will require building partnerships among public and private organizations, establishing mechanisms and incentives to foster routine information sharing and collective defense, and educating users about their role in thwarting increasingly sophisticated attacks. With a grant from the William and Flora Hewlett Foundation's Cyber Initiative, RAND developed and conducted two cybersecurity-focused discovery games in Washington, D.C., and California's Silicon Valley that aimed to capture the widest possible range of stakeholder perspectives. Participants represented the tech sector, government agencies, think tanks and academic institutions, advocacy organizations promoting civil liberties and privacy, technology users, and more. The goals were to explore opportunities for improving cybersecurity, assess the implications of possible solutions, and develop an initial framework to support debate and inform decisions regarding cybersecurity policies and practices. The games were structured around two plausible cybersecurity scenarios set in the near future. In the first scenario, malicious actors have exploited vulnerabilities in the Internet of Things, causing both virtual and physical harm; in the second, massive data breaches have compromised the financial system, including authentication processes. Participants debated dimensions of each problem in multidisciplinary teams, then shared potential solutions and strategies in a large-group setting. The format and findings of the exercises offer insights that can help guide holistic approaches to addressing future cybersecurity challenges.

Key Findings

Cybersecurity Suffers from a Lack of Demand in the Market

  • Participants saw few incentives to encourage cybersecurity best practices among technology producers or to educate consumers on their role in protecting their personal data. Participants agreed that data breaches and other exploits unfairly burden consumers. Policies to remedy this imbalance would shift the consequences toward technology developers or producers, as well as penalize attackers.
  • Participants saw a need for market forces to reward security and penalize insecurity. They identified a role for government in classifying products by degree of cybersecurity (assessed through certifications or performance standards). They also agreed that cybersecurity should be prioritized according to the impact of failure, with health and safety devices being the most critical targets for regulation.

Effective Solutions to Cybersecurity Challenges Consider the Interests of a Range of Stakeholders

  • Participants saw a need for public-private partnerships in any successful solution to cybersecurity challenges. However, the focus of these partnerships differed with the games' locations. For example, Washington participants saw a greater role for government in implementing additional protections. Silicon Valley participants were more likely highlight the tech sector's role in changing its business practices to prioritize security.
  • Participants in both games saw the entire system for establishing identity and authenticating transactions as fundamentally broken. They agreed that overuse and overreliance on documents and credentials not created for these purposes (such as Social Security numbers) was a fundamental cybersecurity weakness. Proposed solutions highlighted a need for flexibility in authentication. Participants also suggested empowering consumers to selectively freeze and unfreeze certain types of financial transactions.


  • Develop cybersecurity standards and certifications, including identification standards that can improve the security of online transactions.
  • Implement a bill of user's rights to help users make informed cybersecurity decisions when purchasing devices.
  • Encourage information sharing between government and industry, and within these sectors, to facilitate action against cybersecurity vulnerabilities and exploits.
  • Provide financial incentives for improved cybersecurity, such as through programs that incentivize users to replace obsolete and potentially vulnerable devices.
  • Direct government funding toward developing effective cybersecurity standards and achieving compliance in an affordable manner.
  • Educate consumers, through public awareness campaigns or school curricula, on cyber risk and cybersecurity best practices.
  • Develop a system of security labeling, similar to food nutrition labels, to allow consumers to compare technology products side by side.

This research was funded by a grant from the William and Flora Hewlett Foundation as part of its Cyber Initiative and conducted within the Acquisition and Technology Policy Center of the RAND National Security Research Division (NSRD) and the Science, Technology and Policy Program of RAND Justice, Infrastructure, and Environment (JIE).

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.