Working Paper: CEPR ID: DP17403
Authors: Toni Ahnert; Michael Brolley; David Cimon; Ryan Riordan
Abstract: We develop a model in which firms invest in cybersecurity to protect themselves and their clients from cyber attacks. Since cyber security investment is unobservable, firms may signal their investment to attract clients. In equilibrium, firms under-invest in cyber security. We derive testable implications for the modality of cyber attacks, the probability of a successful attack, and client fees. To raise efficiency, a regulator can impose a minimum level of security investment or legislate consumer protection that shifts the burden of cyber attacks from clients to firms. Both regulations induce firms to invest the constrained-efficient amount in cyber security.
Keywords: No keywords provided
JEL Codes: No JEL codes provided
Edges that are evidenced by causal inference methods are in orange, and the rest are in light blue.
Cause | Effect |
---|---|
principal-agent problem (D82) | underinvestment in security (H56) |
unobservable security investments (G10) | increased vulnerability to attacks (K24) |
commitment not to pay ransoms (D74) | reduced incidence of successful cyber attacks (K24) |
observable security levels (Y50) | efficient competition among platforms (D41) |
increased transparency around security investments (G38) | improved welfare (I30) |