Attacks on firms’ information technology networks impose large private and public costs. A successful attack produces a data breach whose private damages include business interruption, reputational harm, and forensic investigation. Social losses arise from the exposure of individuals’ personal information, and state, national, and international policymakers have enacted legislation to manage those losses. Despite the large economic footprint of cyberspace, e-commerce, and social networking, economic modeling of this phenomenon remains inadequate. This research advances information security economics by moving beyond a firm-level model to the social welfare implications of firm and regulator decisions. I comprehensively review the economic and policy environment and develop the first rigorous economic model of regulatory approaches to data breach.
I develop a one-period model of information security and analyze the efficacy of regulatory interventions under asymmetric information. The model builds on existing models of firm and firm-consumer information security investment and draws an analogy between information security and the management of asymmetric information in the biosecurity and livestock disease literature.
I analyze firm and social planner incentives in a non-regulatory environment and in three regulatory environments. Without regulation, the firm underinvests in both network and data protection relative to the social optimum, because it bears only the private damages of a breach and not the social losses.

In the first regime, the regulator expends a fixed cost to observe social losses and thereby overcome the firm’s moral hazard. Because network protection and data protection interact in determining expected social loss, the regulator can induce optimal behavior in both investment decisions with a single regulatory instrument. With sufficiently low regulatory costs, this outcome is socially preferred.

In the second regime, the regulator expends the same fixed cost for imperfect observation of social losses and administers a program requiring the firm to report breaches. The regulator can induce reporting with a sufficiently large fine for non-reporting, even though breach monitoring is imperfect. In this regime, however, the cost of the investigation that accompanies disclosure distorts the firm’s investment incentives in a manner inconsistent with social objectives: the firm increases network protection (which lowers the chance of a breach, and hence of a disclosure) at the expense of data protection. With a sufficiently high disclosure investigation cost, the firm invests less in data protection than it would in the absence of regulation.

The final regime introduces a data protection technology that mitigates social loss and some private damages. The regulator expends the same fixed cost for imperfect observation of social losses but requires disclosure only if the firm does not invest in this safe harbor technology. Unless the technology is very costly, the safe harbor allows the regulator to induce optimal investment while lowering the firm’s regulatory burden, and it yields welfare gains. When the technology is very costly, the firm may exit, or the safe harbor regime defaults to the distorted incentives of the disclosure policy.
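The following Python is an added, stylized illustration of the mechanism described above; it is not the dissertation's model. The hyperbolic breach-probability and exposure functions, every parameter value, the grid search, and the names `Params`, `firm_cost`, `social_cost`, `optimal`, `firm_reports` and `min_fine_for_reporting` are assumptions of this example. It shows three of the results in code: the firm that ignores social loss picks lower network protection n and lower data protection d than the social planner; a single instrument (making the firm liable for the social loss the regulator observes) aligns both decisions at once; and a per-breach investigation cost under a disclosure rule pushes n up and d down, and the reporting decision under imperfect monitoring reduces to comparing the investigation cost with the expected fine.

```python
"""Stylized one-period model: firm vs. social-planner security investment.

Added illustration. The functional forms, parameter values and grid search
are assumptions made for this example; they are not the dissertation's model.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Investment levels considered for each decision: 0.00, 0.05, ..., 3.00 (assumed grid)
GRID = [i / 20 for i in range(61)]


@dataclass(frozen=True)
class Params:
    c_net: float = 10.0        # cost per unit of network protection n (assumed)
    c_data: float = 10.0       # cost per unit of data protection d (assumed)
    p0: float = 0.4            # breach probability with no network protection (assumed)
    d_priv: float = 100.0      # private damage per breach with no data protection (assumed)
    d_soc: float = 300.0       # social loss per breach with no data protection (assumed)
    liability: float = 0.0     # share of observed social loss the regulator charges the firm (regime 1)
    investigate: float = 0.0   # investigation cost the firm pays for each disclosed breach (regime 2)


def breach_prob(n: float, p: Params) -> float:
    """Network protection lowers the chance of a breach (assumed hyperbolic form)."""
    return p.p0 / (1.0 + n)


def exposure(d: float) -> float:
    """Data protection lowers the fraction of loss realised given a breach (assumed form)."""
    return 1.0 / (1.0 + d)


def firm_cost(n: float, d: float, p: Params) -> float:
    """Expected private cost the firm minimises: it bears its own damage, whatever
    share of social loss the regulator charges it, and any investigation cost,
    and ignores the rest of the social loss."""
    loss_if_breach = exposure(d) * (p.d_priv + p.liability * p.d_soc) + p.investigate
    return p.c_net * n + p.c_data * d + breach_prob(n, p) * loss_if_breach


def social_cost(n: float, d: float, p: Params) -> float:
    """Expected social cost: investment, all private and social loss, and any
    investigation cost actually spent. Fines are transfers and do not appear."""
    loss_if_breach = exposure(d) * (p.d_priv + p.d_soc) + p.investigate
    return p.c_net * n + p.c_data * d + breach_prob(n, p) * loss_if_breach


def optimal(cost: Callable[[float, float, Params], float], p: Params) -> Tuple[float, float, float]:
    """Exhaustive grid search for the (n, d) minimising `cost`; returns (n, d, cost).
    Ties go to the first point found (lowest n, then lowest d)."""
    best: Optional[Tuple[float, float, float]] = None
    for n in GRID:
        for d in GRID:
            c = cost(n, d, p)
            if best is None or c < best[2]:
                best = (n, d, c)
    assert best is not None
    return best


def firm_reports(investigate: float, detect_prob: float, fine: float) -> bool:
    """Regime 2 reporting choice (assumed form): reporting costs the investigation;
    not reporting costs the fine with the regulator's detection probability.
    The firm reports iff that is no dearer than the expected fine."""
    return investigate <= detect_prob * fine


def min_fine_for_reporting(investigate: float, detect_prob: float) -> float:
    """Smallest non-reporting fine that makes reporting the cheaper choice."""
    return investigate / detect_prob


if __name__ == "__main__":
    base = Params()
    print("no regulation, firm   :", optimal(firm_cost, base))
    print("social optimum        :", optimal(social_cost, base))
    print("regime 1, firm liable :", optimal(firm_cost, Params(liability=1.0)))
    print("regime 2, disclosure  :", optimal(firm_cost, Params(investigate=100.0)))
    print("fine needed at q=0.25 :", min_fine_for_reporting(100.0, 0.25))
```

With `liability=1.0` the firm's objective coincides pointwise with the social objective, so the one instrument (a fine equal to the social loss the regulator has observed) fixes both n and d without the regulator having to target either directly. With `investigate=100.0` the extra term multiplies only the breach probability, so it rewards network protection; because a lower breach probability also lowers the marginal value of data protection, d falls below its unregulated level.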
This research advances economic modeling in the still relatively undeveloped field of information security economics. As the policy dimensions of information security mature, policymakers will need better tools to analyze how policies affect both the firm’s wealth and social welfare. This research is a step toward those tools.