DP16457 A model of information security and competition

Cyberattacks are a pervasive threat in the digital economy, with the potential to harm firms and their customers. Larger firms constitute more valuable targets to hackers, thereby creating negative network effects. These can be mitigated by investments in security, which play both a deterrent and a protective role. We study equilibrium investment in information security under imperfect competition in a model where consumers differ in terms of security savviness. We show that the competitive implications of security depend on firms' business models: when firms compete in prices, security intensifies competition, which implies that it is always underprovided in equilibrium (unlike in the monopoly case). When firms are advertising-funded, security plays a business-stealing role, and may be overprovided. In terms of policy, we show that both the structure of the optimal liability regime and the efficacy of certification schemes also depend on firms' business model.

£6.00

Citation

de Cornière, A and G Taylor (2021), ‘DP16457 A model of information security and competition‘, CEPR Discussion Paper No. 16457. CEPR Press, Paris & London. https://cepr.org/publications/dp16457

30 May

Conference

CEPR Annual Applied Industrial Organisation Conference

24th CEPR-JIE Conference on Applied Industrial Organization

30 May 2024 - 31 May 2024 in Toulouse, France

Industrial Organization

2nd Conference in Health Economics

Register now / Closing 9 Jun 2024

The CEPR Virtual Industrial Organisation Seminar Series (VIOS) - Spring 30

24th CEPR-JIE Conference on Applied Industrial Organization