Research Resources

Cybersecurity and Data Sharing Incentives: Implications for Business and Regulators

Mar 2024 – Aug 2024

Link to Funder’s Website: ESRC Discribe Hub+

This project contributes to an improved understanding of market incentives and regulation in the area of cybersecurity by translating our research insights into actionable insights for businesses and regulators.

Secure Hardware Adoption in the Open Data Context

May 2022 – Apr 2023

Link to Funder’s Website: ESRC Discribe Hub+

This project investigates the factors that drive firms’ decisions to adopt hardware that is digitally secure by design, with a particular focus on markets such as banking and energy that are subject to Open Data initiatives. Our research conducts original game-theoretic modelling work, studies the broader social and economic benefits that we derive from the adoption of secure technologies, and derives policy implications in relation to the existing UK data governance framework.

Resources: Project Report

Regulatory Interactions and the Design of Optimal Cybersecurity Policies

Feb 2021 – Jul 2021

Link to Funder’s Website: ESRC Discribe Hub+

This project explores the design of policy measures incentivising cybersecurity investment and the economic interactions underlying the joint regulation of cybersecurity, data privacy and competition. We describe the current UK regulatory landscape affecting cybersecurity, analyse the economic interactions between data privacy and competition that affect the design of cybersecurity policies, and explore the need for regulatory co-ordination between data privacy and cybersecurity, and between competition and cybersecurity.

Resources: Project Report

Competition, Data Sharing and Secure Hardware Adoption

W. Lam & J. Seifert, 2024

Working Paper

Hardware security is fundamental to mitigating the growing risk of cyber-attacks. We study secure hardware adoption incentives in an imperfectly competitive market setting in which data controlling firms may also share consumer data with a third party. Data sharing and secure hardware adoption are shown to be weakly positively related in equilibrium and in the first-best. We also explore the conditions under which market-generated data sharing and secure hardware adoption incentives fall short of or exceed the social optimum. We show that data governance interventions to correct these market failures must be responsive the intensity of competition, among other factors.

Draft available soon

Regulating Data Privacy and Cybersecurity

W. Lam & J. Seifert, 2023

Journal of Industrial Economics

This paper studies firms’ data privacy and cybersecurity choices. We emphasize the strategic interdependence between these decisions and demonstrate that security in both the market equilibrium and the social optimum tends to be higher when data is shared. We also identify important market failures in the sense that firms tend to under-invest in security and over-share data. Our welfare analysis of a minimum security standard, disclosure and consumer education policies, liability rules and consumer mitigation strategies highlights the need for a coordinated approach to regulation.

Read Research Paper

Secure Hardware Adoption in the Open Data Context

W. Lam & J. Seifert, April 2023

Commissioned Project Report, ESRC Discribe Hub+ 

This project investigates the factors that drive firms’ decisions to adopt hardware that is digitally secure by design, with a particular focus on markets such as banking and energy that are subject to Open Data initiatives. Our research conducts original game-theoretic modelling work, studies the broader social and economic benefits that we derive from the adoption of secure technologies, and derives policy implications in relation to the existing UK data governance framework.

Read Project Report

Regulatory Interactions and the Design of Optimal Cybersecurity Policies

W. Lam & J. Seifert, July 2021

Commissioned Project Report, ESRC Discribe Hub+ 

This report investigates the design of optimal cybersecurity policies. Our analysis focuses on incentives and explores how regulations can bring the private decisions of profit-maximising firms into line with the objectives of society as a whole. In so doing, we pay explicit attention to important regulatory interactions between cybersecurity, data privacy and competition. This is a crucial part of evaluating the welfare-desirability of any cybersecurity policy: in order to maximise social welfare, regulation must not only correct market failures in the area of cybersecurity but, at the same time, avoid exacerbating market failures in the related areas of data privacy and competition.

Read Project Report

Does Data Protection Legislation Increase the Quality of Internet Services?

W. Lam & B. Lyons, 2020

Economics Letters

Digital firms attract consumers and collect their data by offering service enhancements and data security. These require separate types of investment. In light of the GDPR, data collection now requires explicit consumer consent, i.e. opt-in. This changes the consumer default option and the data provision decision when consumers are loss-averse. We examine the consequences for investment. We set out the conditions under which opt-in increases both types of investment and when security comes at the expense of service quality. We further find that most consumer types gain, even when service quality falls.

Read Research Paper

Attack-Prevention and Damage-Control Investments in Cybersecurity

W. Lam, 2016

Information Economics and Policy

This paper examines investments in cybersecurity made by users and software providers with a focus on the latter’s concerning attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.

Read Research Paper