IDEAS home Printed from https://ideas.repec.org/p/cor/louvco/2015023.html
   My bibliography  Save this paper

Attack-Deterring and Damage-Control Investments in Cybersecurity

Author

Listed:
  • LAM, W.

    (University of Liege)

Abstract

This paper studies investment in cybersecurity, where both the software vendor and the consumers can invest in security. In addition, the vendor can undertake attack-deterring and damage-control investments. I show that full liability, under which the vendor is liable for all damages, does not achieve eciency and, in particular, the vendor underinvests in attack deterrence and overinvests in damage control. Instead, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore eciency. This suggests that policies that encourage not only firms, but also consumers to invest in security might be desirable.

Suggested Citation

  • Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," LIDAM Discussion Papers CORE 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    • Handle: RePEc:cor:louvco:2015023
    as

    Download full text from publisher

    File URL: https://sites.uclouvain.be/core/publications/coredp/coredp2015.html
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Daughety, Andrew F & Reinganum, Jennifer F, 1995. "Product Safety: Liability, R&D, and Signaling," American Economic Review, American Economic Association, vol. 85(5), pages 1187-1206, December.
    2. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    3. Russell Cooper & Thomas W. Ross, 1985. "Product Warranties and Double Moral Hazard," RAND Journal of Economics, The RAND Corporation, vol. 16(1), pages 103-113, Spring.
    4. Belleflamme,Paul & Peitz,Martin, 2010. "Industrial Organization," Cambridge Books, Cambridge University Press, number 9780521681599, November.
    5. Andrew F. Daughety & Jennifer F. Reinganum, 2006. "Markets, torts, and social inefficiency," RAND Journal of Economics, RAND Corporation, vol. 37(2), pages 300-323, June.
    6. Andrew F. Daughety & Jennifer F. Reinganum, 2005. "Secrecy and Safety," American Economic Review, American Economic Association, vol. 95(4), pages 1074-1091, September.
    7. Kolstad, Charles D & Ulen, Thomas S & Johnson, Gary V, 1990. "Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements?," American Economic Review, American Economic Association, vol. 80(4), pages 888-901, September.
    8. Marco A. Haan, 2003. "Vaporware as a Means of Entry Deterrence," Journal of Industrial Economics, Wiley Blackwell, vol. 51(3), pages 345-358, September.
    9. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    10. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    11. Steven Shavell, 1984. "A Model of the Optimal Use of Liability and Safety Regulation," RAND Journal of Economics, The RAND Corporation, vol. 15(2), pages 271-280, Summer.
    12. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    13. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    14. Tyler Moore & Richard Clayton & Ross Anderson, 2009. "The Economics of Online Crime," Journal of Economic Perspectives, American Economic Association, vol. 23(3), pages 3-20, Summer.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    2. Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
    3. Gérard Mondello, 2022. "Strict liability, scarce generic input and duopoly competition," European Journal of Law and Economics, Springer, vol. 54(3), pages 369-404, December.
    4. Marcel Boyer & Donatella Porrini, 2010. "Optimal liability sharing and court errors: an exploratory analysis," Working Papers hal-00463913, HAL.
    5. Arbatskaya, Maria & Aslam, Maria Vyshnya, 2018. "Liability or labeling? Regulating product risks with costly consumer attention," Journal of Economic Behavior & Organization, Elsevier, vol. 154(C), pages 238-252.
    6. Boyer, Marcel & Porrini, Donatella, 2011. "The impact of court errors on liability sharing and safety regulation for environmental/industrial accidents," International Review of Law and Economics, Elsevier, vol. 31(1), pages 21-29, March.
    7. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    8. Ping Lin & Tianle Zhang, 2022. "Product liability, multidimensional R&D and innovation," Journal of Economics, Springer, vol. 136(1), pages 25-45, June.
    9. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    10. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    11. Cerdeiro, Diego A. & Dziubiński, Marcin & Goyal, Sanjeev, 2017. "Individual security, contagion, and network design," Journal of Economic Theory, Elsevier, vol. 170(C), pages 182-226.
    12. Florian Baumann & Tim Friehe & Alexander Rasch, 2018. "Product Liability in Markets for Vertically Differentiated Products," American Law and Economics Review, Oxford University Press, vol. 20(1), pages 46-81.
    13. Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    14. Miceli Thomas J. & Segerson Kathleen, 2013. "Liability versus Regulation for Dangerous Products When Consumers Vary in Their Susceptibility to Harm and May Misperceive Risk," Review of Law & Economics, De Gruyter, vol. 9(3), pages 341-355, December.
    15. Marion Desquilbet & Sylvaine Poret, 2014. "How do GM/non GM coexistence regulations affect markets and welfare?," European Journal of Law and Economics, Springer, vol. 37(1), pages 51-82, February.
    16. Mingwen Yang & Varghese S. Jacob & Srinivasan Raghunathan, 2021. "Cloud Service Model’s Role in Provider and User Security Investment Incentives," Production and Operations Management, Production and Operations Management Society, vol. 30(2), pages 419-437, February.
    17. Hoy, Michael & Polborn, Mattias K., 2015. "The value of technology improvements in games with externalities: A fresh look at offsetting behavior," Journal of Public Economics, Elsevier, vol. 131(C), pages 12-20.
    18. Suurmond, Guido, 2007. "The effects of the enforcement strategy," MPRA Paper 21142, University Library of Munich, Germany.
    19. Friehe, Tim & Langlais, Eric, 2015. "On the political economy of public safety investments," International Review of Law and Economics, Elsevier, vol. 41(C), pages 7-16.
    20. Belleflamme, Paul & Peitz, Martin, 2014. "Asymmetric information and overinvestment in quality," European Economic Review, Elsevier, vol. 66(C), pages 127-143.

    More about this item

    Keywords

    cybersecurity; investment; standard; liability; bilateral care;
    All these keywords.

    JEL classification:

    • K13 - Law and Economics - - Basic Areas of Law - - - Tort Law and Product Liability; Forensic Economics
    • L1 - Industrial Organization - - Market Structure, Firm Strategy, and Market Performance
    • L8 - Industrial Organization - - Industry Studies: Services

    NEP fields

    This paper has been announced in the following NEP Reports:

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:cor:louvco:2015023. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Alain GILLIS (email available below). General contact details of provider: https://edirc.repec.org/data/coreebe.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.