Competition, Data Sharing and Secure Hardware Adoption
W. Lam & J. Seifert, 2024
Working Paper
Hardware security is fundamental to mitigating the growing risk of cyber-attacks. We study secure hardware adoption incentives in an imperfectly competitive market setting in which data controlling firms may also share consumer data with a third party. Data sharing and secure hardware adoption are shown to be weakly positively related in equilibrium and in the first-best. We also explore the conditions under which market-generated data sharing and secure hardware adoption incentives fall short of or exceed the social optimum. We show that data governance interventions to correct these market failures must be responsive to the intensity of competition, among other factors.
Draft available soon
Regulating Data Privacy and Cybersecurity
W. Lam & J. Seifert, 2023
Journal of Industrial Economics
This paper studies firms’ data privacy and cybersecurity choices. We emphasize the strategic interdependence between these decisions and demonstrate that security in both the market equilibrium and the social optimum tends to be higher when data is shared. We also identify important market failures in the sense that firms tend to under-invest in security and over-share data. Our welfare analysis of a minimum security standard, disclosure and consumer education policies, liability rules and consumer mitigation strategies highlights the need for a coordinated approach to regulation.
Secure Hardware Adoption in the Open Data Context
W. Lam & J. Seifert, April 2023
Commissioned Project Report, ESRC Discribe Hub+
This project investigates the factors that drive firms’ decisions to adopt hardware that is digitally secure by design, with a particular focus on markets such as banking and energy that are subject to Open Data initiatives. Our research conducts original game-theoretic modelling work, studies the broader social and economic benefits that we derive from the adoption of secure technologies, and derives policy implications in relation to the existing UK data governance framework.
Regulatory Interactions and the Design of Optimal Cybersecurity Policies
W. Lam & J. Seifert, July 2021
Commissioned Project Report, ESRC Discribe Hub+
This report investigates the design of optimal cybersecurity policies. Our analysis focuses on incentives and explores how regulations can bring the private decisions of profit-maximising firms into line with the objectives of society as a whole. In so doing, we pay explicit attention to important regulatory interactions between cybersecurity, data privacy and competition. This is a crucial part of evaluating the welfare-desirability of any cybersecurity policy: in order to maximise social welfare, regulation must not only correct market failures in the area of cybersecurity but, at the same time, avoid exacerbating market failures in the related areas of data privacy and competition.
Does Data Protection Legislation Increase the Quality of Internet Services?
W. Lam & B. Lyons, 2020
Economics Letters
Digital firms attract consumers and collect their data by offering service enhancements and data security. These require separate types of investment. In light of the GDPR, data collection now requires explicit consumer consent, i.e. opt-in. This changes the consumer default option and the data provision decision when consumers are loss-averse. We examine the consequences for investment. We set out the conditions under which opt-in increases both types of investment and when security comes at the expense of service quality. We further find that most consumer types gain, even when service quality falls.
Attack-Prevention and Damage-Control Investments in Cybersecurity
W. Lam, 2016
Information Economics and Policy
This paper examines investments in cybersecurity made by users and software providers, with a focus on the latter’s investments in attack prevention and damage control. I show that full liability, whereby the provider is liable for all damage, is inefficient, owing namely to underinvestment in attack prevention and overinvestment in damage control. On the other hand, the joint use of an optimal standard, which establishes a minimum compliance framework, and partial liability can restore efficiency. Implications for cybersecurity regulation and software versioning are discussed.