Attack-prevention and damage-control investments in cybersecurity

- This paper studies investments in cybersecurity, where both the software provider and the software users can invest in security.
- Since software products are never free of bugs, I consider a provider that can undertake attack-prevention and damage-control investments.
- I show that when the provider is fully liable for all damages, it underinvests in attack prevention and overinvests in damage control.
- This is akin to a software provider releasing vulnerable alpha versions of their products before the more secure beta versions.
- The joint use of an optimal standard and partial liability can restore investment efficiency.

This paper examines investments in cybersecurity made by users and software providers with a focus on the latter's concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.