
Attack-prevention and damage-control investments in cybersecurity

Author

Listed:
  • Lam, Wing Man Wynne

Abstract

This paper examines investments in cybersecurity made by users and software providers with a focus on the latter's concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.

Suggested Citation

  • Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
  • Handle: RePEc:eee:iepoli:v:37:y:2016:i:c:p:42-51
    DOI: 10.1016/j.infoecopol.2016.10.003

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0167624516301263
    Download Restriction: Full text for ScienceDirect subscribers only


    References listed on IDEAS

    1. Daughety, Andrew F & Reinganum, Jennifer F, 1995. "Product Safety: Liability, R&D, and Signaling," American Economic Review, American Economic Association, vol. 85(5), pages 1187-1206, December.
    2. Russell Cooper & Thomas W. Ross, 1985. "Product Warranties and Double Moral Hazard," RAND Journal of Economics, The RAND Corporation, vol. 16(1), pages 103-113, Spring.
    3. Andrew F. Daughety & Jennifer F. Reinganum, 2006. "Markets, torts, and social inefficiency," RAND Journal of Economics, RAND Corporation, vol. 37(2), pages 300-323, June.
    4. Kolstad, Charles D & Ulen, Thomas S & Johnson, Gary V, 1990. "Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements?," American Economic Review, American Economic Association, vol. 80(4), pages 888-901, September.
    5. Marco A. Haan, 2003. "Vaporware as a Means of Entry Deterrence," Journal of Industrial Economics, Wiley Blackwell, vol. 51(3), pages 345-358, September.
    6. Andrew F. Daughety & Jennifer F. Reinganum, 2013. "Economic analysis of products liability: Theory," Chapters, in: Jennifer H. Arlen (ed.), Research Handbook on the Economics of Torts, chapter 3, pages 69-96, Edward Elgar Publishing.
    7. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    8. Andrew F. Daughety & Jennifer F. Reinganum, 2013. "Cumulative Harm, Products Liability, and Bilateral Care," American Law and Economics Review, American Law and Economics Association, vol. 15(2), pages 409-442.
    9. Jay Pil Choi & Chaim Fershtman & Neil Gandal, 2010. "Network Security: Vulnerabilities And Disclosure Policy," Journal of Industrial Economics, Wiley Blackwell, vol. 58(4), pages 868-894, December.
    10. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    11. Steven Shavell, 1984. "A Model of the Optimal Use of Liability and Safety Regulation," RAND Journal of Economics, The RAND Corporation, vol. 15(2), pages 271-280, Summer.
    12. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    13. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    14. Tyler Moore & Richard Clayton & Ross Anderson, 2009. "The Economics of Online Crime," Journal of Economic Perspectives, American Economic Association, vol. 23(3), pages 3-20, Summer.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," LIDAM Discussion Papers CORE 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    2. Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
    3. Arbatskaya, Maria & Aslam, Maria Vyshnya, 2018. "Liability or labeling? Regulating product risks with costly consumer attention," Journal of Economic Behavior & Organization, Elsevier, vol. 154(C), pages 238-252.
    4. Tim Friehe & Eric Langlais & Elisabeth Schulte, 2022. "Firm Liability When Third Parties and Consumers Incur Cumulative Harm," Environmental & Resource Economics, Springer;European Association of Environmental and Resource Economists, vol. 81(1), pages 53-71, January.
    5. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    6. Miceli Thomas J. & Segerson Kathleen, 2013. "Liability versus Regulation for Dangerous Products When Consumers Vary in Their Susceptibility to Harm and May Misperceive Risk," Review of Law & Economics, De Gruyter, vol. 9(3), pages 341-355, December.
    7. Gérard Mondello, 2022. "Strict liability, scarce generic input and duopoly competition," European Journal of Law and Economics, Springer, vol. 54(3), pages 369-404, December.
    8. Marcel Boyer & Donatella Porrini, 2010. "Optimal liability sharing and court errors: an exploratory analysis," Working Papers hal-00463913, HAL.
    9. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    10. Boyer, Marcel & Porrini, Donatella, 2011. "The impact of court errors on liability sharing and safety regulation for environmental/industrial accidents," International Review of Law and Economics, Elsevier, vol. 31(1), pages 21-29, March.
    11. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    12. Baumann, Florian & Friehe, Tim & Rasch, Alexander, 2016. "Why product liability may lower product safety," Economics Letters, Elsevier, vol. 147(C), pages 55-58.
    13. Yassine Lefouili & Leonardo Madio, 2022. "The economics of platform liability," European Journal of Law and Economics, Springer, vol. 53(3), pages 319-351, June.
    14. Florian Baumann & Tim Friehe & Alexander Rasch, 2015. "The Influence of Product Liability on Vertical Product Differentiation," CESifo Working Paper Series 5315, CESifo.
    15. Christoph Rössler & Tim Friehe, 2020. "Liability, morality, and image concerns in product accidents with third parties," European Journal of Law and Economics, Springer, vol. 50(2), pages 295-312, October.
    16. Eric Langlais & Tim Friehe & Elisabeth Schulte, 2019. "Product liability when cumulative harm is incurred by both consumers and third parties," EconomiX Working Papers 2019-23, University of Paris Nanterre, EconomiX.
    17. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    18. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    19. Ping Lin & Tianle Zhang, 2022. "Product liability, multidimensional R&D and innovation," Journal of Economics, Springer, vol. 136(1), pages 25-45, June.
    20. Cerdeiro, Diego A. & Dziubiński, Marcin & Goyal, Sanjeev, 2017. "Individual security, contagion, and network design," Journal of Economic Theory, Elsevier, vol. 170(C), pages 182-226.

    More about this item

    Keywords

    Cybersecurity; Investment; Standard; Liability; Bilateral care;

    JEL classification:

    • K13 - Law and Economics - - Basic Areas of Law - - - Tort Law and Product Liability; Forensic Economics
    • L1 - Industrial Organization - - Market Structure, Firm Strategy, and Market Performance
    • L8 - Industrial Organization - - Industry Studies: Services
