کد مقاله | کد نشریه | سال انتشار | مقاله انگلیسی | نسخه تمام متن |
---|---|---|---|---|
5075669 | 1477173 | 2016 | 10 صفحه PDF | دانلود رایگان |
- This paper studies investments in cybersecurity, where both the software provider and the software users can invest in security.
- Since software products are never free of bugs, I consider a provider that can undertake attack-prevention and damage-control investments.
- I show that when the provider is fully liable for all damages, it underinvests in attack prevention and overinvests in damage control.
- This is akin to a software provider releasing vulnerable alpha versions of their products before the more secure beta versions.
- The joint use of an optimal standard and partial liability can restore investment efficiency.
This paper examines investments in cybersecurity made by users and software providers with a focus on the latter's concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.
Journal: Information Economics and Policy - Volume 37, December 2016, Pages 42-51