Cyber Risk and Security Investment
41 Pages. Posted: 17 Mar 2022. Last revised: 22 Jan 2024
Date Written: January 21, 2024
We develop a model in which firms invest in cybersecurity to protect themselves and their clients from cyber attacks. Since cyber security investment is unobservable, firms may signal their investment to attract clients. In equilibrium, firms under-invest in cyber security. We derive testable implications for the modality of cyber attacks, the probability of a successful attack, and client fees. To raise efficiency, a regulator can impose a minimum level of security investment or legislate consumer protection that shifts the burden of cyber attacks from clients to firms. Both regulations induce firms to invest the constrained-efficient amount in cyber security.
Keywords: Cyber risk, cyber security, ransomware, security ratings, regulation
JEL Classification: G10, G28, K24