Cybersecurity Carrots and Sticks

61 American Business Law Journal 5 (2024)

25 Pages. Posted: 19 Jan 2023. Last revised: 24 May 2024

Janine S. Hiller

Virginia Tech

Kathryn Kisska-Schulze

Clemson University College of Business

Scott Shackelford

Indiana University - Kelley School of Business - Department of Business Law; Harvard Kennedy School Belfer Center for Science & International Affairs; Center for Applied Cybersecurity Research; Stanford Center for Internet and Society; Stanford Law School

Date Written: January 28, 2024

Abstract

In an unsustainable trend, each year is touted as the worst on record for data and system breaches. 2020's dubious top distinction was exceeded across numerous metrics in 2021, and 2022's numbers set another unwanted record. The growing epidemic of ransomware, data breaches, and cyber-enabled attacks pushes policymakers and business leaders to consider what can be done to reverse the cyberinsecurity spiral. Amidst the current cybersecurity landscape fraught with regulatory gaps, dependence on self-regulation, and resource constraints of small- and medium-sized businesses, policymakers should seize opportunities to reward reasonable cybersecurity postures and disincentivize underinvestment in cybersecurity best practices. Bold and coordinated actions are needed to dislodge the unsustainable trend of increasingly damaging cyberattacks, and to create a more holistically secure digital future. To move the needle toward a more robust cybersecurity ecosystem, this article proposes an incentive-based strategy that breaks the mandate-versus-self-regulation dichotomy, leveraging a carrots-and-sticks tax approach to spur stronger cybersecurity postures across the ecosystem. The proposal outlines a framework for a Federal Cybersecurity Investment Tax Credit, tailored and mapped to select entity types, combined with a cyberinsecurity tax, thus promoting the principle that businesses have basic cybersecurity responsibilities and fundamental duties to operate securely in a digital society. In addition, this article introduces supplementary tools as part of an enhanced cybersecurity tax policy toolkit. Given pressing national and global cyber risks, this article continues a long-standing conversation about the operative use of tax policy as part of a holistic approach to reaching a secure and sustainable digital future.

Keywords: cybersecurity, tax, policy, risk management

Suggested Citation

Hiller, Janine S. and Kisska-Schulze, Kathryn and Shackelford, Scott J., Cybersecurity Carrots and Sticks (January 28, 2024). 61 American Business Law Journal 5 (2024), Available at SSRN: https://ssrn.com/abstract=4322819 or http://dx.doi.org/10.2139/ssrn.4322819

Janine S. Hiller

Virginia Tech

Pamplin College of Business
Virginia Tech
Blacksburg, VA 24061
United States

Kathryn Kisska-Schulze (Contact Author)

Clemson University College of Business

Clemson, SC 29631
United States

Scott J. Shackelford

Indiana University - Kelley School of Business - Department of Business Law

Bloomington, IN 47405
United States

Harvard Kennedy School Belfer Center for Science & International Affairs

79 JFK Street
Cambridge, MA 02138
United States

Center for Applied Cybersecurity Research

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Stanford Center for Internet and Society

Palo Alto, CA
United States

Stanford Law School

Stanford, CA 94305
United States
