Are home internet users willing to pay ISPs for improvements in cyber security?

One strategy for improving cyber security would be for Internet service providers (ISPs) to take a more active role in curtailing criminal behavior over the Internet. However, few ISPs today are offering robust security to their customers, arguing that home Internet users are unwilling to pay for improvements in cyber security. This lack of ISP involvement in improving cyber security has led some industry experts to support government solutions that encourage ISPs to take a more active role in security. Yet no prior studies have attempted to evaluate empirically whether home Internet users are willing to pay the monetary and nonmonetary costs of ISP-based security solutions. This makes it difficult to determine whether government intervention is necessary, what form the intervention should take, and what the welfare impacts of intervention would be. Our research takes the first step in filling this gap in the literature. Specifically, we used choice-based conjoint analysis to examine the preferences of US Internet users. We found that home users are indeed willing to accept price increases, ISP-required security training, and security-related interruptions of their Internet service in exchange for reductions in the risk of their computer slowing down or crashing, the risk of their identity being stolen, or the risk that others will be affected by their insecurity. This finding suggests that Internet users would be willing to pay for ISPs to take a more active role in security if the benefits of ISP-based security solutions were clearly communicated to them.