Attack-prevention and damage-control investments in cybersecurity

Wing Man Wynne Lam

Research output: Contribution to journalArticlepeer-review

10 Citations (Scopus)
43 Downloads (Pure)


This paper examines investments in cybersecurity made by users and software providers with a focus on the latter's concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.
Original languageEnglish
Pages (from-to)42-51
Number of pages10
JournalInformation Economics and Policy
Early online date19 Oct 2016
Publication statusPublished - Dec 2016


  • Cybersecurity
  • Investment
  • Standard
  • Liability
  • Bilateral care

Cite this