Thesis

Strategic incentives and regulation in cyber security

Abstract:
This thesis studies the optimal design of policy in the domains of data protection and cyber security. Each of the three main chapters consists of an independent paper. The first paper studies a digital platform’s incentives to invest in protecting the consumer data it collects. Data security investment is unobserved by consumers and incentives are reputational. In a two-period model, I show that a planner can raise total consumer welfare by imposing ex-ante limits on data collection based on a firm’s history of data breaches. The optimal policy depends on whether firms or consumers control data collection in each period. Additionally, I use the model to evaluate established policies: minimum security standards and limits to data retention. The second paper studies how markets for ransomware insurance affect the welfare of firms and hackers, and asks whether regulation can improve outcomes. In the model, hackers may or may not observe victims’ insurance contracts, and firms may be unable to pay ransom due to liquidity constraints. Insurance has commitment value for the firms in their bargaining with hackers and can reduce ransom demands. Regulatory caps on insurance for ransom payments guarantee that the presence of insurers makes firms better off, and hackers worse off. The third paper focuses on a fundamental trade-off that regulators face when designing data-breach notification laws: high penalties following disclosure encourage firms to invest in cybersecurity ex-ante but also to conceal breaches ex-post. In the model, a firm only discloses a breach after it has become pessimistic about the prospect of concealing it. I characterize the optimal policy for a regulator who can commit to penalties following disclosure of a breach. I examine the design of the optimal policy when disclosure delay is ex-post verifiable and the regulator uses delay-dependent penalties to screen firms' private information.

Authors

Institution:
University of Oxford
Division:
SSD
Department:
Economics
Role:
Author

Contributors

Institution:
University of Oxford
Division:
SSD
Department:
Economics
Role:
Supervisor
ORCID:
0000-0002-1673-1161


DOI:
Type of award:
DPhil
Level of award:
Doctoral
Awarding institution:
University of Oxford

