Discussion paper

DP17403 Cyber Risk and Security Investment

We develop a model in which firms invest in cybersecurity to protect themselves and their clients from cyber attacks. Since cyber security investment is unobservable, firms may signal their investment to attract clients. In equilibrium, firms under-invest in cyber security. We derive testable implications for the modality of cyber attacks, the probability of a successful attack, and client fees. To raise efficiency, a regulator can impose a minimum level of security investment or legislate consumer protection that shifts the burden of cyber attacks from clients to firms. Both regulations induce firms to invest the constrained-efficient amount in cyber security.


Ahnert, T, M Brolley, D Cimon and R Riordan (2022), ‘DP17403 Cyber Risk and Security Investment’, CEPR Discussion Paper No. 17403. CEPR Press, Paris & London. https://cepr.org/publications/dp17403