IDEAS home Printed from https://ideas.repec.org/p/tse/wpaper/28400.html
   My bibliography  Save this paper

Ex Ante and Ex Post Investments in Cybersecurity

Author

Listed:
  • Lam, Wing Man Wynne

Abstract

This paper develops a theory of sequential investments in cybersecurity in which the software vendor can invest ex ante and ex post. The regulator can use safety standards and liability rules as means of increasing security. A standard is a minimum level of safety, and a liability rule states the amount of damage each party is liable for. I show that the joint use of an optimal standard and a full liability rule leads to underinvestment ex ante and overinvestment ex post because the software vendor does not suffer the full costs of the society in case of security failure. Instead, switching to a partial liability rule can correct the inefficiencies. This suggests that to improve security, the regulator should encourage not only the firms, but also the enterprises to invest in security. I also discuss the effect of network externality and explain why firms engage in "vaporware".

Suggested Citation

  • Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
  • Handle: RePEc:tse:wpaper:28400
    as

    Download full text from publisher

    File URL: http://www.tse-fr.eu/sites/default/files/medias/doc/wp/io/wp_tse_519.pdf
    File Function: Full text
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Daughety, Andrew F & Reinganum, Jennifer F, 1995. "Product Safety: Liability, R&D, and Signaling," American Economic Review, American Economic Association, vol. 85(5), pages 1187-1206, December.
    2. Andrew F. Daughety & Jennifer F. Reinganum, 2005. "Secrecy and Safety," American Economic Review, American Economic Association, vol. 95(4), pages 1074-1091, September.
    3. Marco A. Haan, 2003. "Vaporware as a Means of Entry Deterrence," Journal of Industrial Economics, Wiley Blackwell, vol. 51(3), pages 345-358, September.
    4. Acemoglu, Daron & Malekian, Azarakhsh & Ozdaglar, Asu, 2016. "Network security and contagion," Journal of Economic Theory, Elsevier, vol. 166(C), pages 536-585.
    5. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    6. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    7. Andrew F. Daughety & Jennifer F. Reinganum, 2006. "Markets, torts, and social inefficiency," RAND Journal of Economics, RAND Corporation, vol. 37(2), pages 300-323, June.
    8. Kolstad, Charles D & Ulen, Thomas S & Johnson, Gary V, 1990. "Ex Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes or Complements?," American Economic Review, American Economic Association, vol. 80(4), pages 888-901, September.
    9. Jay Pil Choi & Chaim Fershtman & Neil Gandal, 2010. "Network Security: Vulnerabilities And Disclosure Policy," Journal of Industrial Economics, Wiley Blackwell, vol. 58(4), pages 868-894, December.
    10. Steven Shavell, 1984. "A Model of the Optimal Use of Liability and Safety Regulation," RAND Journal of Economics, The RAND Corporation, vol. 15(2), pages 271-280, Summer.
    11. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    12. Tyler Moore & Richard Clayton & Ross Anderson, 2009. "The Economics of Online Crime," Journal of Economic Perspectives, American Economic Association, vol. 23(3), pages 3-20, Summer.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Lam, W., 2015. "Attack-Deterring and Damage-Control Investments in Cybersecurity," LIDAM Discussion Papers CORE 2015023, Université catholique de Louvain, Center for Operations Research and Econometrics (CORE).
    2. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    3. Gérard Mondello, 2022. "Strict liability, scarce generic input and duopoly competition," European Journal of Law and Economics, Springer, vol. 54(3), pages 369-404, December.
    4. Marcel Boyer & Donatella Porrini, 2010. "Optimal liability sharing and court errors: an exploratory analysis," Working Papers hal-00463913, HAL.
    5. Boyer, Marcel & Porrini, Donatella, 2011. "The impact of court errors on liability sharing and safety regulation for environmental/industrial accidents," International Review of Law and Economics, Elsevier, vol. 31(1), pages 21-29, March.
    6. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    7. Cerdeiro, Diego A. & Dziubiński, Marcin & Goyal, Sanjeev, 2017. "Individual security, contagion, and network design," Journal of Economic Theory, Elsevier, vol. 170(C), pages 182-226.
    8. Florian Baumann & Tim Friehe & Alexander Rasch, 2018. "Product Liability in Markets for Vertically Differentiated Products," American Law and Economics Review, American Law and Economics Association, vol. 20(1), pages 46-81.
    9. Arbatskaya, Maria & Aslam, Maria Vyshnya, 2018. "Liability or labeling? Regulating product risks with costly consumer attention," Journal of Economic Behavior & Organization, Elsevier, vol. 154(C), pages 238-252.
    10. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
    11. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    12. Hui, Kai-Lung & Zhou, Jiali, 2020. "The Economics of Hacking," MPRA Paper 102706, University Library of Munich, Germany.
    13. Moore, Tyler, 2010. "The economics of cybersecurity: Principles and policy options," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(3), pages 103-117.
    14. Miceli Thomas J. & Segerson Kathleen, 2013. "Liability versus Regulation for Dangerous Products When Consumers Vary in Their Susceptibility to Harm and May Misperceive Risk," Review of Law & Economics, De Gruyter, vol. 9(3), pages 341-355, December.
    15. Suurmond, Guido, 2007. "The effects of the enforcement strategy," MPRA Paper 21142, University Library of Munich, Germany.
    16. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    17. Gérard Mondello, 2013. "Ambiguous Beliefs on Damages and Civil Liability Theories"," Post-Print halshs-00929948, HAL.
    18. Mirman, Leonard J. & Salgueiro, Egas M. & Santugini, Marc, 2014. "Noisy signaling in monopoly," International Review of Economics & Finance, Elsevier, vol. 29(C), pages 504-511.
    19. Herbert Dawid & Gerd Muehlheusser, 2019. "Smart products: liability, timing of market introduction, and investments in product safety," CESifo Working Paper Series 7673, CESifo.
    20. Andrzej Baniak & Peter Grajzl, 2014. "Controlling Product Risks when Consumers are Heterogeneously Overconfident: Producer Liability vs. Minimum Quality Standard Regulation," CESifo Working Paper Series 5003, CESifo.

    More about this item

    Keywords

    cybersecurity; sequential investment; standards; liability;
    All these keywords.

    JEL classification:

    • L1 - Industrial Organization - - Market Structure, Firm Strategy, and Market Performance
    • L8 - Industrial Organization - - Industry Studies: Services

    NEP fields

    This paper has been announced in the following NEP Reports:

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:tse:wpaper:28400. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: the person in charge (email available below). General contact details of provider: https://edirc.repec.org/data/tsetofr.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.