Attack-prevention and damage-control investments in cybersecurity

Research output: Contribution to journalArticlepeer-review

5 Citations (Scopus)
37 Downloads (Pure)

Abstract

This paper examines investments in cybersecurity made by users and software providers with a focus on the latter's concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.
Original languageEnglish
Pages (from-to)42-51
Number of pages10
JournalInformation Economics and Policy
Volume37
Early online date19 Oct 2016
DOIs
Publication statusPublished - Dec 2016

Keywords

  • Cybersecurity
  • Investment
  • Standard
  • Liability
  • Bilateral care

Cite this