“Attack-Prevention and Damage Control Investments in Cybersecurity”

Wing Man Wynne Lam, University of Liege

This paper studies investments in cybersecurity, where both the software provider and the users can invest in security. In addition, the provider can undertake attack-prevention and damage-control investments. I show that full liability, under which the provider is liable for all damages, does not achieve efficiency and, in particular, the provider underinvests in attack prevention and overinvests in damage control. Instead, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.