Essays on the Economics of Cybersecurity Information

Mark W. Hodgins

Advisor: Peter T. Leeson, PhD, Department of Economics

Committee Members: Peter J. Boettke, Christopher J. Coyne

Online Location, Online
May 26, 2023, 12:00 PM to 02:00 PM

Abstract:

The digital economy is a ubiquitous part of U.S. society that relies on an ever-increasing supply of data to connect people and organizations. The wealth of underlying data imposes cybersecurity requirements, which are far from guaranteed. Sensational headlines of costly cyberattacks are published on a recurring basis. Multiple causal factors exist for why failure may occur, yet the prevailing belief is that the market is full of poor security products because suppliers shift risk to consumers without their knowledge or recourse. Is the leading theory that the cybersecurity market fails due to information problems accurate? This dissertation critically evaluates the conventional wisdom.

In order to determine whether the current beliefs are misguided, a thorough understanding of the specific arguments and supporting evidence is necessary. The first essay reviews the theoretical and empirical claims of information asymmetry. My analysis decomposes the consumer’s alleged information challenges into several categories: high search costs from a lack of technical expertise, low incentives to expend effort to improve their acumen, and the lack of quality indicators. Persistent information challenges ostensibly incentivize suppliers to engage in moral hazard by reallocating resources away from cybersecurity and towards observable product attributes. The multitude of software vulnerabilities and data breaches is widely cited as evidence of adverse selection.

Evaluating the prospects of market failure necessitates an understanding of who the predominant cybersecurity consumers are and what information-seeking incentives and abilities they possess. The second essay focuses on the identity of a consumer class that the market failure narrative broadly neglects, the business consumer. I find that firms, universities, and other organizations are the predominant consumer and that individuals procure the majority of their cybersecurity indirectly through them. I argue that business consumers possess strong incentives to invest in cybersecurity information due to operational and financial losses from a cyberattack. Moreover, my research finds that business consumers possess unique abilities, through the labor market and contracting, to acquire cyber information. In contrast to conventional wisdom, today’s software vendors invest significantly in cybersecurity activities, which would only occur if consumers could acquire relevant information and credibly punish bad security.

Given the results of the second essay, corporate shareholders should possess strong incentives to control agency costs associated with cybersecurity production. The third essay applies institutional economics to analyze the extent to which firms invest in corporate mechanisms that ameliorate cybersecurity information problems. Empirically, I evaluate the proxy statements of vendors and business consumers over time, finding that the vast majority modified their board of directors’ governance to improve cybersecurity monitoring. I also show how a competitive market for management leads to employment outcomes that are reflective of cybersecurity performance. Together, the markets for corporate governance and management help align the incentives of board directors and firm management with the shareholders.